Today she sent me a copy of the Office of Legislative Research Report that she had requested, and that frankly arrived sooner than I had expected. You can find that report here.
To summarize, in discussing the "significant changes" the OLR states:
Under certain conditions, the new regulations allow broader access to PII. [Personally Identifiable Information]
The prior regulations used the term authorized representative but did not define it.
The new regulations no longer require the authorized representative be under the direct control of the education agency releasing the information.
Some groups, including the National School Boards Association (NSBA), have raised questions about the changes, saying DOE had gone too far in loosening the restrictions on PII under FERPA. In a May 23, 2011 letter to DOE Secretary Arne Duncan... an NSBA senior attorney wrote that DOE’s definition of “authorized authority” is overly broad and the definition should be limited to employees of the educational agency that possesses the information or a contractor specifically under the agency’s direct control.
The DOE narrative also suggests that one government agency, such as a state Labor Department, cannot be under the direct control of another agency at the same level of government, such as the state Department of Education, therefore the “direct control” principle does not make sense in that context.
The prior regulations prevented a state education department from releasing PII it received from local education agencies to a research organization unless it had specific legal authorization to do so (this is sometimes referred to as “redisclosure” as the local agency had already disclosed the information to the state agency). Under the new regulations, state education agencies can enter into agreements with research organizations for... study purposes without specific authority.
In its 2011 letter to DOE, NSBA also objected to this change and suggested it exceeds the statutory authority of FERPA. NSBA urged that a state education department should be required to seek permission from the local education agency that supplies the PII before the state agrees to provide that information to a research organization.
What I was happy to see in this Report was the OLR including the entire letter from the National School Boards Association to Arne Duncan as an attachment, thereby testifying to the points it makes and questions it asks as noteworthy and relevant.
Things I find most interesting include:
As a practical matter, it is not clear how the effective use of data in statewide longitudinal data systems (SLDS) as envisioned by the COMPETES Act or ARRA necessitates designation of others beyond an employee or a contractor as authorized representatives. Under what circumstances would others besides these two types of representatives conduct an audit or evaluation of a Federal or state education program that would necessitate non-consensual disclosure of PII?
Will "reasonable methods" and a written agreement likely ensure that "authorized representatives" unfamiliar with the privacy concerns inherent in educational programs comply with FERPA?
...if for some reason, such an authorized representative, state or local educational authority, or agency headed by an official... makes an improper re-disclosure, DOE proposes that the educational agency or institution from which the personally identifiable information (PII) originated would be prohibited from permitting the entity responsible for the improper re-disclosure access to data for at least five years. NSBA suggests that instead of requiring the educational agency or institution to deny access to data for five years, the entity responsible for the re-disclosure should be prohibited from requesting PII from the educational agency or institution for at least five years. It is unfair to put the onus on the originating educational agency or institution to deny access to the entity that made an improper disclosure. After all, the educational agency or institution did not make the improper disclosure and was reasonably relying on "reasonable methods" and a written agreement to prevent improper re-disclosure. Likewise, the educational agency or institution may not even be aware that an improper re-disclosure has been made. In a similar vein, NSBA encourages DOE to modify current §99.33(e) to state that if a third party improperly re-discloses PII from education records that third party may not request PII from the originating education agency or institution for at least five years.
With today being the last day of the legislative session here in Connecticut, nothing is going to be done to protect our kids' privacy on a state level this school year. But some people are still optimistic about getting FERPA reversed on the federal level; with our own U.S. Senator Richard Blumenthal, and Ed Markey of Massachusetts introducing the Personal Data Protection and Breach Accountability Act, there is hope that Blumenthal can be made to see the FERPA problem. But regardless of whether or not that happens, legislation needs to be passed here in Connecticut to protect our kids' privacy. It will be an uphill battle considering that attempts have already been made to degrade it at the college level, but nevertheless, the battle will continue after the elections in the fall.