I recently opted-out of some testing for my 7th grader. I sent a letter to all of his teachers, his principal, his guidance counselor, and the Curriculum Coordinator of the BOE who I have had
previous contact with. She was the only one to respond. And as I was starting to type out my own response to her, I thought it might be a good idea to share my response to educate all my readers about this topic. So here it is:
Thanks for taking the time to respond to my email; no one else did.
I'd like to take a some time to address your comments from this email and last where you state that "I also need to remind you that all of our assessment results data, teacher tests included, are stored on our servers" and "neither districts, teachers, schools, nor the state department of education is allowed to share any student or parent addresses or contact information."
First the issue of information being stored on Cheshire's servers.
As you are likely aware, Connecticut
has a P-20 Council that was
empowered by Governor Malloy in 2012
and one of their
three goals is "Improving data systems to better track
student progress.".
If you go to
the P-20 Council
APPROACH page and click on Memorandum of Agreement - CT Board of Education (pdf) it will
bring you to a document that includes this information:
DAS-BEST [State Department of Administrative
Services' Bureau of Enterprise Systems Technology] shall serve as the custodian
of data from the education records that will be processed by software residing
on its servers and will have responsibilities as set forth herein for the
installation of the application, hardware, establishing network linkages, and
connecting data sources...
So Connecticut already has a state server to collect data from the districts. And according to the
Data Collection Update issued by the CT Commisioner of Education it is just a matter of time before data is uploaded to the state automatically:
An additional initiative for streamlining collections and reducing administrative burden is the automation of the upload process for state mandated data collections. We will continue to develop the aforementioned SIF [School Interoperability Framework] to replace the manual data upload and validation processes performed currently by LEA data administrators. SIF was piloted successfully by six districts and used by 15 districts for the January PSIS Collection. A SIF rollout is planned for all districts over the next few years.
The actual Connecticut laws that dictate that school districts need to share data with the state regardless of where it is stored, are:
Sec. 10-10a.
(b) The Department of Education shall develop and implement a state-wide public school information system. The system shall be designed for the purpose of establishing a standardized electronic data collection and reporting protocol that will facilitate compliance with... federal reporting requirements…
(c) On or before July 1, 2013, the department shall expand the state-wide public school information system as follows:
(1) (A) In addition to performance on state-wide mastery examinations pursuant to subsection (b) of this section, data relating to students shall include, but not be limited to, (i) the primary language spoken at the home of a student, (ii) student transcripts, (iii) student attendance and student mobility…
(2) Collect data relating to student enrollment in and graduation from institutions of higher education for any student who had been assigned a unique student identifier pursuant to subsection (b) of this section, provided such data is available.
(f) All school districts shall participate in the system, and report all necessary information required by this section, provided the department provides for technical assistance and training of school staff in the use of the system.
Of particular concern is the caveat in section (c)(1)(A) where it explains that the data they collect is
not limited to, thereby keeping us in the dark as to what can actually be collected.
Additionally, the law that protects privacy for Connecticut citizens:
Sec. 42-471. Safeguarding of personal information.
does not pertain to the Connecticut State Department of Education and the personal information they collect, since it states that
(f) The provisions of this section shall not apply to any agency or political subdivision of the state.
So back to the P-20 Council. On page five of the Connecticut P-20 Council 2009 briefing entitled
Commission for the Advancement of 21st Century Skills and Careers they explain about "Building Data Systems":
Nationally,
the Data Quality Campaign (DQC) supports state efforts to use
high-quality education data to improve student achievement. DQC tracks
states’ progress in achieving 10 essential elements needed to build an
effective longitudinal data system.
Those 10
essential elements can be found on page 20 of Data Quality Campaign's just-released report entitled
Data For Action 2013. Page 21
shows where Connecticut currently is in working toward that goal. And
the cause for concern is that Connecticut has not accomplished certain
important elements, specifically element #5, which in part requires
that the state is transparent about who is authorized to access specific data and for what purposes, and element #10, which in part requires that
the state education agency makes data privacy and security policies public.
So to summarize:
- despite the fact that all of Cheshire's data "are stored on our servers", by state law much of the information on those servers is already provided to the state, and at some point "over the next few years" the state will have direct access to it via its SIF (School Interoperability Framework)
- The state law does not limit what data can be collected about our students
- The state law does not legally bind the CSDE to protect that data
- The state has not made clear who is authorized to see that data
- The state has not made its data privacy and security policies public
Now on to your statement that "neither districts, teachers, schools, nor the state department of
education is allowed to share any student or parent addresses or contact
information."
The relevant FERPA statutes state:
Subpart A—General
§99.3 What definitions apply to these regulations?
Personally Identifiable Information. The term includes, but is not limited to—
(a) The student's name;
(b) The name of the student's parent or other family members;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security number, student number, or biometric record;
(e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name...
Subpart D—May an Educational Agency or Institution Disclose Personally Identifiable Information From Education Records?
§99.31 Under what conditions is prior consent not required to disclose information?
(a) An educational agency or institution may disclose personally identifiable information from an education record of a student without the consent required by §99.30 if the disclosure meets one or more of the following conditions:
(6)(i) The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to:
(A) Develop, validate, or administer predictive tests;
(B) Administer student aid programs; or
(C) Improve instruction.
It doesn't take a lawyer to explain that this means that personally identifiable information can be shared with for-profit corporations, including curriculum companies, testing companies, and even Google, since they "improve instruction" with the Google Docs that we use extensively here in Cheshire.
The law further states that:
§99.31(a)(6)(ii) Nothing in the Act or this part prevents a State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section from entering into agreements with organizations conducting studies under paragraph (a)(6)(i) of this section and redisclosing personally identifiable information from education records on behalf of educational agencies and institutions that disclosed the information to the State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section in accordance with the requirements of §99.33(b).
Which means that once the LEA (Local Education Agency) shares the information with the state, the state can then go ahead and share it with someone else on behalf of the LEA no matter what the LEA thinks about that.
Are there "protections" for what those parties are allowed to do with that information? Of course. But compliance with these laws rely on self-regulation, and once the information is shared, it can't be retrieved:
Subpart E—What Are the Enforcement Procedures?
§99.67 How does the Secretary enforce decisions?
(e) If the Office finds that a third party, outside the educational agency or institution, improperly rediscloses personally identifiable information from education records in violation of §99.33 or fails to provide the notification required under §99.33(b)(2), then the educational agency or institution from which the personally identifiable information originated may not allow the third party found to be responsible for the violation access to personally identifiable information from education records for at least five years.
So let's once again summarize:
- According to federal law, the state can redisclose information that Cheshire shares with it, without Cheshire's permission.
- According to federal law, the state can share personally identifiable information with for-profit corporations. Then if the private corporations share it with anyone else, and they get caught, the state can't give them access to more personally identifiable information for five years. This doesn't take back the information though, or protect my kids from whoever those for-profit corporations shared it with; the information is irretrievably out there.
- The state does not provide further protections for my children in its own statutes since:
- The state law does not limit what data can be collected about our students
- The state law does not legally bind the CSDE to protect that data
- The state has not made clear who is authorized to see that data
- The state has not made its data privacy and security policies public
So unfortunately, your assurance that "neither districts, teachers, schools, nor the state department of
education is allowed to share any student or parent addresses or contact
information," is, if my understanding of all this is correct, mistaken. As long as you are doing so with someone claiming to "improve instruction" you can all share that information with whoever you want; this includes Triumph, OLSAT, Naviance, Powerschool, and Inform.
Andrew Abate, Cheshire's Technology Coordinator, lists on his LinkedIn account that he "Keep[s] abreast of educational reform with respect to technology, pedagogy, and policy", so you may want to verify with him all of the information that I've presented to you here.
And if you find that he quantitatively refutes any of this information, I would appreciate your letting me know, since I would be thrilled to be corrected on any of this.