They have your child’s data and they aren’t afraid to use it.

The first in a series about the lack of adequate protections related to student data and privacy

Over recent weeks the focus of this blog has been on parental rights and the importance of opting out of the unfair, inappropriate and discriminatory Common Core Smarter Balanced Assessment Consortium (SBAC) test, but that issue is only one piece of the puzzle when it comes to the unprecedented activities of the Corporate Education Reform Industry and their supporters like Governor Dannel Malloy.

While the vast majority of parents are blind to the issue, one of the most serious problems associated with the transformation of the nation’s education system is the creation of massive databases that track a broad array of data about children and how a variety of public and private entities mine that data for various uses including marketing to children and parents.

Just as troubling is the fact that few school administrators seem to understand the extent of these recent developments.

State and local school officials continue to tell parents that their child’s data is safe as a result of the federal government’s Family Educational Rights and Privacy Act (FERPA) which was originally designed to protect students and ensure that parents knew what data was being collected on their children and how that data was being used.

But even a basic review of the communications being sent out by Connecticut’s Department of Education and local superintendents reveals that these officials either don’t know about the massive changes that have been made to the FERPA law or are intentionally misleading and lying to parents.

The Family Educational Rights and Privacy Act (FERPA) was designed to control the use of “educational records” and any agency or institution that violates the FERPA law and its regulations can be denied funding. As the law is written, school officials cannot share student data with outside entities without parental consent.

However, massive changes to the FERPA privacy law in 2008 and 2011 undermined the most important elements of the nation’s student privacy law. The United States Department of Education now defines “school officials” to include “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”

This means the nation’s federal student privacy law allows schools to provide the data they collect on students to private companies, without parental consent, if the contract is related, in some way, to educational activities.

In addition, revisions to the FERPA privacy regulations “removed limitations prohibiting educational institutions and agencies from disclosing student personally identifiable information, without first obtaining student or parental consent,” a change that now gives private companies access to data that specifically identifies each student.

The changes in the nation’s student privacy laws were pushed by the Corporate Education Reform Industry and companies that are financially benefiting from getting access to student data.

As observed at the time, the private sector was overjoyed.

“This is going to be a huge win for us,” said Jeffrey Olen, a product manager at CompassLearning, which sells education software.

Politico went on to report,

CompassLearning will join two dozen technology companies at this week’s SXSWedu conference in demonstrating how they might mine the database to create custom products – educational games for students, lesson plans for teachers, progress reports for principals.

And we’re not talking about just a few companies using a few limited databases.

Pearson Education, ETS (Educational Testing Service),  Houghton Mifflin Harcourt, McGraw-Hill and dozens of other companies have spent tens of millions of dollars lobbying to weaken privacy laws or stop the federal and state governments from reducing their access to student data.

Just this week, The National Education Policy Center at the University of Colorado released a major report entitled, ON THE BLOCK: STUDENT DATA AND PRIVACY IN THE DIGITAL AGE. The report references a 2013 study conducted by the Center on Law and Information Policy at Fordham Law School which looked into how California school districts were handling student data. The report found that:

“[In California] 95% of school districts now rely on cloud-services providers for a wide variety of services, such as data mining for student performance, support for classroom activities, student guidance, and data hosting.

However, fewer than 25% of the agreements specify the permitted purposes for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to unilaterally change the terms. Many also allow vendors to retain student data into perpetuity.”

After reviewing federal and state laws, the new NEPC report makes it extremely clear that while more than 20 states have passed their own student privacy laws to fill in gaps in the federal laws, Connecticut is one of the states that has completely failed to develop appropriate student privacy laws designed to protect the state’s children.

In Connecticut, for example, there is no requirement that contracts with vendors:

Restrict the use of data collection for advertising and marketing purposes

Require that parents are notified and have an unlimited right to review data that is being handed over to third parties

Require that third parties have and maintain appropriate data security procedures.

Require that data must be destroyed following intended use.

Require parents be notified about breaches or that third parties be held accountable for breaches. (In fact, when it comes to protecting student data, Connecticut actually has a statute that provides for immunity from liability for data breach and NO notice to parents that a breach has occurred.)

This year a group of Republican legislators in the Connecticut General Assembly introduced H.B. No. 7017, an Act Concerning Student Data Privacy, but following a public hearing, the Education Committee passed an extremely weak version of what might be called an attempt at beginning to address the student privacy problem.

As the proposed legislation now stands, Connecticut parents would continue to have virtually no meaningful protections when it comes to the use of data collected about their children.

Check back for much more on the key issues surrounding student data and privacy, the Corporate Education Reform Industry’s efforts and the failure of public officials to address this growing problem.

  • Sleepless in Bridgeport

    George Orwell for CT Governor…..just send your donations care of Bill Gates, Pearson, the whole CT State Board of Ed

  • paulbogush

    Also check out changes in HIPAA. If a child receives medical attention in a school, that info is no longer protected and will be put into the longitudinal database.

  • sweetwater

    This issue is connected but distinct from the other ed reform initiatives. Why? Well the standards we can fix or if the ESEA goes through petition to alter. SBAC- just opt out. Teacher evaluations- that too may change depending on what happens with ESEA. However the data collection is totally out of control.

    From the beginning the advocacy for a comprehensive Student Data Privacy law in our state included three measures: updating and dealing with the now FERPA loopholes, online/third party vendors access and use, and the P20 state longitudinal data system. ALL 3 were needed and ALL 3 are what over 20 other states have dealt with in their own ways.

    Only the online/third party vendor piece came out of committee. Where did the other 2 pieces go? Clearly no support by the committee, or enough support to be included.

    SO what exactly was needed to bring CT up to par, to reach some sense of balance, and to protect the children of our state?

    1) Institute an Ethical/Technical Independent Oversight Committee over the activities of all Governing Entities of P20-WIN (Council, Executive Board, Governing Council, Data Steward Committee) and provide for their access, investigations, and AG approval for adding agencies and data elements.

    2) Review of P20-WIN documents, practices and policies that addresses and corrects the holes within those documents.

    3) Privacy law that:
    Specifies what is ok to collect
    Specifies what is not ok to collect
    Notifications of data elements, participating agencies, breach, software/programs/websites used at school with privacy policies, and timely updates as P20-WIN grows at the school level

    3) Disclosure of who has had access every year

    4) Parental/Student access to own child/student data only and measures to rectify erroneous information

    5) Breach Response Law that is applicable to State Agencies and Impose liability to rectify damages and prosecute misuse (we do not have a breach response law). What is now in the proposed bill would give a 48 time limit for third parties to issue a “statement” of a breach. Well, then what?

    6) Ban Biometric Data at a minimum, along with other personal information on students and parents/families (other states have a long list of information that is not to be collected at school at all, or only with consent and if so then it is not to be entered into the SLDS) (New York, Florida and many others have banned and regulated biometric data)

    7) Upon passing, retroactively amend all contracts, agreements, understanding, and policies to reflect the new legislation. We cannot wait for them to terminate or come due for renewal to update for they will operate under previous circumstances without the privacy protection, such as SBAC/CT MOU, P20-WIN governing practices, data system management contracts, school level software programs, which all collect PII and share it or provide access to it.

    8) Regulate the third party access/ed tech company ability to build student profiles, track students location, sell or use data for marketing/advertising purposes, or even have access at all to P20-WIN, and protects access to student social media and email accounts. (this is kind of what we got)

    9) P20-WIN shall never be allowed to evolve into any other purpose other than its current publicly stated purpose: “The Vision for P20 WIN is to inform sound educational policies and effective program practices through secure sharing of critical longitudinal data across state agencies to ensure that individuals successfully navigate educational pathways into the workforce.” It shall not be used for citizen monitoring or sorting that determines decisions regarding those lives within it in regards to their “human capital” worth, their character, their desire to seek higher education nor place the individuals at risk of criminal or civil liability or be damaging to the subjects’ financial standing, employability & reputation.
    What is needed is an amendment before the vote on the bill we have. While we should be advocating still for all of the above at the minimum we need:
    True Breach protection
    A statement that “data ownership” lies with the student or the teacher who created the data, not the LEA (which is what is in the bill)
    Access to P20 WIN for parents and annual disclosure of who has had access
    Attorney General approval to expand state agencies and data elements that will be a part of P20 WIN- there is no elected human who is responsible for this. Right now it is just “in consultation with the Office of the Attorney General”- offices can’t consult.
    I could go on but you get the gist.
    For the record there was one Dem who put in bills on ALL 3 areas.
    And true, HIPAA does not protect any medical information at school. It defers to FERPA and since it was written before FERPA got gutted that is why there is no medical protection (physical or mental). We now are working on the FERPA federal update which has been released so I encourage all to do 2 things:
    Call for an amendment before bill 7017 goes to the floor with every rep and Senator and read and provide feedback on the federal FERPA update
    For starters on a nice state law check out New Hampshire 1587

  • buygoldandprosper

    Just think of it as part of Dan’s LEAN GOVERNMENT. Data like this can be used to create jobs and revenue. It is better than a suggestion box. Come on people!! Young ones can’t work, legally, but we all need to pitch in and their data is valuable.

    “The idea behind “lean” government is to eliminate waste. It’s a process, Barnes said, that is even more important at a time when there are fewer resources. He said employing “lean” strategies will free up staff to focus on other activities and improve “customer service.”
    “…First, if asked for facts and data, you should feel free to provide the information. If asked to evaluate alternatives or legislative proposals, you are encouraged to respond factually and with the Governor’s agenda in mind. Please provide copies of any information sent to OFA or the Appropriations or Finance committees to your assigned OPM budget analyst.”

  • Bluecoat

    Keep this up Jonathan
    I hate to sound like a broken record, but this is the number one reason for getting us out of the CC State Standards.
    And the vehicle that helps gather personal information is the SBAC testing scheme. We need to abolish the P-20 Council too!
    We need to stop the personality and psychological tests, exams, and questionnaires that are performed on our kids.
    Why is it so hard to have a parent or guardian sign a permission slip for this stuff, and better yet has anyone followed the money?
    How much money has made its way into the Dem and Repub coffers from the many various data mining companies?

  • paul dave

    Great article. Thanks for the info, this is really a helpful post. BTW, if anyone needs to fill out a Parental Consent form, I found a blank form in this site PDFfiller. This site also has several related forms that you might find useful.