Will CT elected officials enact appropriate safeguards on student privacy this session?

The Connecticut General Assembly will soon be acting on House Bill #7017, An Act Concerning Student Data Privacy.

However, as of now this critically important legislation is little more than an empty shell and it falls far short of what is needed to ensure that Connecticut law properly protects the state’s children by instituting appropriate safeguards on data collected by the state and school districts about students.

Although few parents are presently aware of the problems, as a result of federal action, the Common Core testing frenzy and the ever increasing desire to collect and warehouse massive amounts of data on everybody and everything, the notion of protecting student data at the federal, state and local level has been severely undermined.

Today student data is not properly protected.

In response to these developments, states all across the country have passed new laws aimed at putting appropriate safeguards in place on student data.

This year alone, 41 states have or are considering legislation that would increase the level of protection on student data.

The Connecticut’s General Assembly’s opportunity to step forward and protect Connecticut’s children rests with House Bill #7017, but significant changes would be needed if the legislation is to have a significant impact.

Jennifer Jacobsen, a long time educator, mother of three, a founding member of Connecticut Unites for Student Privacy and a member of the Connecticut Parental Rights Coalition has been a leading voice in the effort to ensure that Connecticut improves its laws on student data privacy.

In a recent letter Jennifer Jacobsen highlighted the steps needed to update loopholes with the Family Educational Rights and Privacy Act (FERPA), to institute appropriate provisions for dealing with online and third party vendors who contract with the state and schools that collect student data, and changes needed to ensure proper procedures for regulating Connecticut’s “state longitudinal data system,” known as P20-WIN, so that there is transparency, accessibility and protection in place.

The proposed law needs to include the following provisions;

  • Clarification that All student records are the property, and are under the control of, the parent or legal guardian of the child, and may be held in trust by the local board of education. The local board of education shall safeguard the privacy of student records, and shall protect student records from all unlawful release to third parties, in accordance with state and federal statutes and regulations.
  • A requirement that, upon request, the local board of education shall provide immediately to the student, parent, or legal guardian, a copy of any student record, or data of any kind, that is in the possession and/or control of the local board of education and its agents and the state longitudinal data.
  • Adding language ensuring that certain data elements cannot be disclosed to third-parties without parental consent including; (a) Juvenile court delinquency records; (b) Criminal records; (c) Student biometric information; and (d) Student medical Records.

In addition, tougher provisions are needed to limit the likelihood of a data breach and ensure that proper steps are taken if and when a breach of data security occurs. As Jacobsen notes, the legislature should add that:

The State Department of Education and its agents, and the local board of education and its agents, shall notify the student and parent or legal guardian of a student of any unauthorized access, or suspected unauthorized access, to any student record or data of any kind that is collected, maintained, or in the possession and control of the State Department of Education and its agents, the local board of education and its agents, and any other authorized third party.

Each unauthorized release of, or breached access to, any student record or data of any kind that is collected, maintained, or in the possession and control of the State Department of Education and its agents, the local board of education and its agents, and any other authorized third party, shall be considered a separate violation, punishable by (add appropriate penalties- fines, denied access to data systems, etc).

Upon notification of an unauthorized release or breach, or suspected unauthorized release or breach, of student records or data of any kind, the State Department of Education and its agents, the local board of education and its agents, and any authorized third party, immediately shall ensure that all necessary corrections are made to prevent further release or breach, and shall repair and rectify all harm caused by the unauthorized release or breach.

These additions are necessary to update Connecticut’s law on protecting student data.  As Jacobsen explains,

“These proposed changes and additions allow third party vendors and state agencies the opportunity to ensure their proper handling of the data they collect with ultimate responsibility to safeguard the students behind the data while still having access to de-identified data for research or product development purposes.

These recommendations also permit parents the access they need to ensure the accuracy of the data collected on their children and assures them that the state has taken every measure possible to protect their children’s information with serious consequences for those who would either intentionally or unintentionally misuse that information.”

The Connecticut General Assembly should add these provisions, Connecticut’s parents and students deserve nothing less.

They have your child’s data and they aren’t afraid to use it.

The first in series about the lack of adequate protections related to student data and privacy

Over recent weeks the focus of this blog has been on parental right and the importance of opting out of the unfair, inappropriate and discriminatory Common Core Smarter Balanced Assessment Consortium (SBAC) test, but that issue is only one piece of the puzzle when it comes to the unprecedented activities of the Corporate Education Reform Industry and their supporters like Governor Dannel Malloy.

While the vast majority of parents are blind to the issue, one of the most serious problems associated with the transformation of the nation’s education system is the creation of massive databases that track a broad array of data about children and how a variety of public and private entities mine that data for various uses including marketing to children and parents.

Just as troubling is the fact that few school administrators seem to understand the extent of these recent developments.

State and local school officials continue to tell parents that their child’s data is safe as a result of the federal government’s Family Educational Rights and Privacy Act (FERPA) which was originally designed to protect students and ensure that parents knew what data was being collected on their children and how that data was being used.

But even a basic review of the communications being sent out by Connecticut’s Department of Education and local superintendents reveal that these officials either don’t know about the massive changes that have been made to the FERPA law or are intentionally misleading and lying to parents.

The Family Educational Rights and Privacy Act (FERPA) was designed to control the use of “educational records” and any agency or institution that violates the FERPA law and its regulations can be denied funding. As the law is written, school officials cannot share student data with outside entities without parental consent.

However massive changes to the FERPA privacy law in 2008 and 2011 undermined the most important elements of the nation’s student privacy law.  The United States Department of Education now defines “school officials” to include “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”

This means the nation’s federal student privacy law allows schools to provide the data it collects on students to private companies, without parental consent, if the contract is related, in some way, to educational activities.

In addition, revisions to the FERPA privacy regulations, “removed limitations prohibiting educational institutions and agencies from disclosing student personally identifiable information, without first obtaining student or parental consent,” a change that now gives private companies access to data that specifically identifies each student.

The changes in the nation’s student privacy laws were pushed by the Corporate Education Reform Industry and companies that are financially benefiting from getting access to student data.

As Politco.com observed at the time, the private sector was overjoyed.

“This is going to be a huge win for us,” said Jeffrey Olen, a product manager at CompassLearning, which sells education software.

Politico went on to report,

CompassLearning will join two dozen technology companies at this week’s SXSWedu conference in demonstrating how they might mine the database to create custom products – educational games for students, lesson plans for teachers, progress reports for principals.

And we’re not talking about just a few companies using a few limited databases.

Pearson Education, ETS (Educational Testing Service),  Houghton Mifflin Harcourt, McGraw-Hill and dozens of other companies have spent tens of millions of dollars lobbying to weaken privacy laws or stop the federal and state governments from reducing their access to student data.

Just this week, The National Education Policy Center at the University of Colorado released a major report entitled, ON THE BLOCK: STUDENT DATA AND PRIVACY IN THE DIGITAL AGE.  The report references a 2013 study conducted by the Center on Law and Information Policy at Fordham Law School which looked into how California school districts were handling student data.  The report found that;

“[In California] 95% of school districts now rely on cloud-services providers for a wide variety of services, such as data mining for student performance, support for classroom activities, student guidance, and data hosting.

However, fewer than 25% of the agreements specify the permitted purposes for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to unilaterally change the terms. Many also allow vendors to retain student data into perpetuity.”

After reviewing federal and state laws, the new NEPC report makes it extremely clear that while more than 20 states have passed their own student privacy laws to fill in gaps in the federal laws, Connecticut is one of the states that has completely failed to develop appropriate student privacy laws designed to protect the state’s children.

In Connecticut, for example, there is no requirement that contracts with vendors:

Restrict the use of data collection for advertising and marketing purposes

Require that parents are notified and have an unlimited right to review data that is being handed over to third parties

Require that third parties have and maintain appropriate data security procedures.

Require that data must be destroyed following intended use.

Require parents be notified about breaches or that third parties be held accountable for breaches. (In fact, when it comes to protecting student data, Connecticut actually has a statute that provides for immunity of liability for data breach and NO notice to parents that a breach has occurred.) 

This year a group of Republican legislators in the Connecticut General Assembly introduced H.B. No. 7017, an Act Concerning Student Data Privacy, but following a public hearing, the Education Committee passed an extremely weak version of what might be called an attempt at beginning to address the student privacy problem.

As the proposed legislation now stands, Connecticut parents would continue to have virtually no meaningful protections when it comes to the use of data collected about their children.

Check back for much more on the key issues surrounding student data and privacy, the Corporate Education Reform Industry’s efforts and the failure of public officials to address this growing problem.