My school district is small and is located in Dutchess Co. Those of you who have been following my blog, know that I have spent hours doing research on FERPA, InBloom, privacy et al and had lobbied my district BOE to withdraw from RTT. Based on NYSAPEs alert, I requested an emergency BOE meeting to discuss withdrawing from RTT and the BOE agreed. Luckily, the BOE takes student privacy seriously and our financial status made that possible. Our school withdrew from RTT due to student privacy concerns and this was a big deal for us and for schools around us who took notice of this shining lead.
Here’s the catch:
Not sure if our BOE Members realize this or not, but I just researched my son’s computer lesson plans and see that we use Compass Learning in our elementary schools.
For all our attempts to withdraw from RTT to mitigate risk of student data being uploaded to InBloom and disseminated to 3rd parties via NYSED/InBLoom, the irony is that we use Compass Learning here at the Elementary level (not sure about above K-5). Thus, my school is feeding PII and student data directly to InBloom via that portal.
Compass learning is an InBloom partner.
Compass learning is a personalized online learning portal, by the way. Dashboard, maybe?
NYSED requires certain info from Schools and has made it clear that they plan to upload to InBloom, I know. NYSED mandates VADIR, SIRS, BEDS, Summary data and some other info together with student names and addresses. So, I know NYSED requires district compliance and will upload to InBloom such that withdrawing from RTT is symbolic, but you cannot deny that withdrawing does help mitigate PII info and data points that InBloom wanted though at the outset which is the reason why we withdrew. 400 data points? Whaaaattt???!!
Symbolic or not, withdrawing mitigates the risk of harm due to breached student privacy via PII being uploaded to InBloom and possibly disseminated to third parties after that.
But, what about Compass Learning? What are we feeding InBloom through Compass Learning? I know my son’s academic and personal info is in there because its personalized! His student ID, name, address, scores, test results. What else?
My concern is that I dont think Compass Learning is required, per se. I think this program we selected and chose to purchase to augment Core lesson plans. This is speculation om my part at this point, Im going to look into it more though. So, why are we using an InBloom provider when there are so many privacy concerns? It doesnt make sense!
Like InBloom, Compass Learning acquires PII and disclaims any liability for breach of security realting to the information. Here is Compass Learning’s Personal Information Practices regarding Children:
PERSONAL INFORMATION PRACTICES REGARDING CHILDREN
What personal information is collected from children?
Through the course of providing access to and use of certain CompassLearning or Renzulli products or services, such as, CompassLearning Odyssey and/or Renzulli Learning, we may collect or have access to: your name, grade level, student school ID, user name, password, gender, ethnicity, race, whether you have special needs, certain sociological/economic factors regarding you that may impact your learning, factors relating to your scholastic performance, status and/or enrollment status, log domain names, IP address, a processor or device serial number, geolocation data, and/or a unique device identifier.
How is this personal information used?
Any personal information that is collected is used to customize your learning experience, to improve our services, to assess and/or communicate your performance with you and/or your school, as applicable.
With whom do we share personal information collected from children? We may share your personal information with your school. Teachers, administrators and district administrators can configure reports based on such information. These reports can be exported to PDF’s or spreadsheets. We may also share personal information with researchers or analysts who have agreed in writing to protect the confidentiality of such information in order for them to prepare white papers or analysis regarding the efficacy of our products or services. No white papers or analysis shared publicly would disclose any personal information. In addition, if you are using a module of functionality made available by a third party that is not integrated in a CompassLearning or Renzulli product, including, for example, an assessment tool or a foreign language module, such third party may collect personal information from you and/or we may share personal information with such third party, in each case in order for you to receive such service. Except solely as provided herein, we will not sell, lease or provide any third party personal information collected from children under 13 except as necessary pursuant to a written confidentiality agreement to make one of our products or services available to such child, in connection with a sale or change of control of CompassLearning or any of its assets, or if CompassLearning has reason to believe that doing so is necessary to identify, contact, or bring legal action against someone damaging, injuring, or interfering with our rights, property, or users.
If you request that your information be removed or if we no longer need to store it, we will securely destroy, erase, or make the information anonymous or request that your school securely destroy, erase, or make the information anonymous.
PRIOR NOTICE AND CONSENT TO COLLECTION OF PERSONAL INFORMATION FROM CHILDREN UNDER 13
We rely upon consent from schools instead of parents for use by their students of our products and services. We provide information regarding our practices concerning the collection, use, and disclosure of personal information to such schools and to you.
And, their Privacy/Security Policies:
If we are hosting CompassLearning or Renzulli products or services, we review our Web security on a regular basis. Information collected from users of our products or services is stored on databases and other servers kept in secure locations under the custody and control of CompassLearning or its designees. CompassLearning also uses technologies and processes, such as encryption, access control procedures, and network firewalls that are designed to protect such servers. CompassLearning makes commercially reasonable efforts to protect such information and to limit its use and disclosure but cannot guarantee that such efforts will be successful. Please note that sending data over the Internet is never completely secure. Although we will endeavor to fully protect your information, we cannot guarantee the security of the data you transmit to us or allow us to collect, and you do so at your own risk.
HOSTING BY THIRD PARTIES
If we are licensing CompassLearning or Renzulli products on an enterprise basis to be hosted by a school or its designee, we not providing and are not responsible for any system security. In addition, the school that is hosting such product may collect different information than is indicated here. Consult such school. In addition, we are not responsible for how this information we may share with your school may be used or disclosed by such school.
I object to this! This is the rhetoric spewed by InBloom regarding FERPA and student privacy. There are no protections and there is no recourse for a breach.
Moreover, as discussed in a prior blog post I wrote,
Under the “new and improved” FERPA, NYSED is permitted to store your child’s PII and outsource it anywhere in the world!
FERPA makes no distinctions based on State or international lines.
While FERPA purports to hold the disclosing entity legally accountable for protecting the confidentiality of PII from education records, the reality is FERPA does not explicitly require that education data be stored within the U.S leaving sensitive student information virtually vulnerable (no pun intended).
Although storing sensitive education records, including medical, behavioral, assessment, and related information in special education case files, within the U.S. is encouraged and considered a best practice by the USDE to ensures that they are subject to U.S. jurisdiction, FERPA does NOT require that the PII be stored in country leaving schools. Given hefty storage fees, Im guessing this will be pretty attractive option.
And for the sound effect: Cha-ching!
No really. Press play- http://youtu.be/Wj_OmtqVLxY
It is important to be aware that it is often difficult to take enforcement actions against entities outside of the U.S. under U.S. privacy laws and regulations, and to hold these entities legally accountable for violations of contracts or written agreements so any outsourced PII material would undoubtedly be thief/hacker heaven!
Think Im exaggerating or being a drama queen? Nope. I wish I was, but sad to say Its all true.
Which best the question, does NYSED intend to sell our kids out……literally?
Read for yourself:
Privacy Technical Assistance Center (US Department of Education):
Question: Does FERPA require that confidential information in the cloud be stored within the United States? Is there a best practice?
Answer: The preamble to the December 2, 2011, amendments to the FERPA regulations states the following in response to a comment on this general subject: “FERPA makes no distinctions based on State or international lines. However, transfers of PII from education records across international boundaries, in particular, can raise legal concerns about the Department’s ability to enforce FERPA requirements against parties in foreign countries. It is important to keep in mind that for a data disclosure to be made without prior written consent under FERPA, the disclosure must meet all of the requirements under the exceptions to FERPA’s general consent requirement. For example, if the conditions under the audit or evaluation exception in FERPA are met, a State educational authority could designate an entity in a different State as an authorized representative for the purpose of conducting an audit or evaluation of the Federal- or State-supported education programs in either State. The disclosure of PII from education records is not restricted by geographic boundaries. However, disclosure of PII from education records for an audit or evaluation of a Federal- or State-supported education program is permitted only under the written agreement requirements in § 99.35(a)(3) that apply to that exception. Under these requirements, the disclosing entity would need to take reasonable methods to ensure to the greatest extent practicable that its authorized representative is in compliance with FERPA, as is explained further under the Reasonable Methods (§ 99.35(a)(2)) section in this preamble. More specifically, an LEA could designate a university in another State as an authorized representative in order to disclose, without consent, PII from education records on its former students to the university. The university then may disclose, without consent, transcript data on these former students to the LEA to permit the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education” (Family Educational Rights and Privacy, Final Rule. 76 Federal Register 75611-75612 [December 2, 2011]). While FERPA does not explicitly require that education data be stored within the U.S., it does hold the disclosing entity legally accountable for protecting the confidentiality of PII from education records. This includes compliance with the “direct control” requirement that applies to schools and LEAs disclosing PII from education records under the “school official” exception, and the requirement for written agreements and the use of reasonable methods to ensure that the information is adequately protected that applies to SEAs disclosing PII from education records to their authorized representatives under the ￼ ￼Page 5 of 8
“audit or evaluation” exception. Regardless of which exception is used, it is important to be aware that it is often difficult to take enforcement actions against entities outside of the U.S. under U.S. privacy laws and regulations, and to hold these entities legally accountable for violations of contracts or written agreements. Therefore, storing sensitive education records, including medical, behavioral, assessment, and related information in special education case files, within the U.S. would be considered a best practice as it ensures that they are subject to U.S. jurisdiction.
I am interested to know how parents feel about Compass learning because I know my child has lesson plans on it and I know I augment his lessons at home via computer. But, I did not know Compass was an InBloom partner or I would have brought that up at the time we sought to budget for the program last year or at least when we were discussing withdrawing from RTT, dont you know!!
So, it looks like for my district’s attempt to escape using the nefarious NYSED dashboard’s that suck up PII/InBloom and wreak havoc over Student privacy concerns, we defeated the purpose by opting to select, PURCHASE and utilize an InBloom partner education learning portal!!
Can you say, InBloom DASHBOARD?
Oh, the irony.
This is exhausting, trying to keep up with all the ways InBloom and NYSED are taking personal info and infiltrating our schools!
Which begs the question, why withdraw from RTT if we are feeding info right into their mouth. Sorry to be critical, but the BOE publicly stated that student privacy is paramount and here we have a situation where we gave NYSED the key to our FERPA protected records and paid COMPASS to disclose our kids info to InBloom at the outset.
Does YOUR school use a InBloom based program?
I will link this up more below.
Meeanwhile, here is a great article addressing this issue:
For the last year and a half, the Bill and Melinda Gates Foundation — a $36.4 billion philanthropic trust that focuses on educational, world health and population initiatives — has backed a $100 million public-school database that would freely share student information with private companies.
The Gates Foundation was joined by the Carnegie Corporation of New York and school officials from several states in the development of the national database. Amplify Education — a division of Rupert Murdoch’s News Corp. — after spending a year to develop the infrastructure for the system, helped to establish inBloom, a nonprofit corporation established to run the national database.
While the expressed purpose of this is to improve the educational system, the intentions of the Gates Foundation and Murdoch are unknown and worrisome to some. “The greatest immediate threat to children is the threat to their privacy,” Michael Farris, president of ParentalRights.org, told WND in an exclusive interview. “The Supreme Court has recognized a sphere of privacy within the family, but this project would take personal information about each child, apart from any considerations of parental consent, and put it into a database being managed and monitored solely by the government agencies and private corporations that use it.”
Finding the best way to teach
In recent years, there has been a push in American education circles toward personalized education, or teaching toward the individual needs of the student. The expanding use of technology in the classroom offers educators a chance to deviate, in part, from the traditional role of a teacher as instructor and instead have the teacher serve as facilitator, allowing students to learn independently and at their own rate.
This has proven to be a difficult proposition to execute, however. While there are excellent educational softwares available to the school districts, without a proper dataset of the needs of the typical student, it is difficult to craft and install an appropriate and fitting pedagogical program.
In addition, the implementation of the Common Core State Standards — U.S. Department of Education-authored curriculum standards that have been adopted by most states as a replacement to “No Child Left Behind” — have created new standards and new goals for student learning, in which many districts may not have the resources to ensure adherence.
Ultimately, education relies on systems that cannot necessarily speak to each other. Older computer systems are not able to interface with newer systems, districts may choose to use contrasting software protocols and there are no commonly-accepted standards for data archival.
The expressed hope behind inBloom is to build an open-source, cloud-based education data infrastructure that will bring interoperability to the various databases and computer systems used in education and make needed student information readily available where it is needed most, when it is needed most.
While many educators conclude that there is a need to reform the way data is accessed in education, there are clear misgivings about who is leading the charge and why. “I cannot speak to Mr. Gates’ personal motivations, [but] the Bill & Melinda Gates Foundation has been connected with human rights organizations that promote the internationalist mindset, and this project clearly fits with that agenda,” Farris continued. “The Convention on the Rights of the Child committee has repeatedly browbeat nations to create a national database just like this that will allow the government to track children, purportedly to make sure their human rights are being protected ‒ different declared purpose, same kind of system, same invasion of privacy for government purposes.”
As chairman of the Microsoft Corporation — a computer software publisher whose portfolio includes educational software — Bill Gates is posed to directly benefit financially from the existence of this database.
The Family Educational Records and Privacy Act (FERPA), known commonly as the Buckley Amendment, prohibits schools and educational institutions that receive federal funding from releasing school records or any other personally identifiable information (PII) without the prior consent of the student or a guardian if the student is a minor, with a few specific and narrow exceptions. Many states have laws that expand the basic protections FERPA offers.
Violations of FERPA can cause a school to lose their federal funding and criminal and civil charges may be imposed under the Privacy Act.
Educational records can be released to a third party under FERPA if the third party is another school the student intends to enroll in, governmental education officials, financial aid providers and testing and accreditation officials for the purpose of developing tests or improving instruction. In the later case, any disclosed information must not identify any specific student, must have a specific use and must be destroyed once that purpose is satisfied.
“We believe parents have the fundamental right to direct the upbringing, education and care of their children,” Farris stated. “Historically, the Supreme Court has supported that right. That means parents are the primary guardians of a child’s privacy.”
“Now the government is sharing private student information with other organizations without parental consent,” Farris continued. “We believe that infringes a child’s right to privacy, and it infringes the parents’ right to be the first line of defense for that child.”
Federal officials have maintained that the database does not violate privacy laws, as FERPA allows schools to share student records with any “School officials” with a “legitimate educational interest” — which, according to the U.S. Department of Education, includes school-contracted private companies. Colorado, Delaware, Georgia, Illinois, Kentucky, Louisiana, Massachusetts, New York and North Carolina have already agreed to share their records in a pilot run of the database.
Bill Gates is a major backer of International Data Privacy Day, which states on its website, “In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements and histories stored as so many bits and bytes, we have to ask – who is collecting all of this data – what are they doing with it – with whom are they sharing it? Most of all, individuals are asking ‘How can I protect my information from being misused?’ These are reasonable questions to ask – we should all want to know the answers.”
This principle directly contrasts with the inBloom database. As stated on inBloom’s privacy statement, “[inBloom] cannot guarantee the security of the information stored … or that the information will not be intercepted when it is being transmitted.”
Education in the United States is a $850 billion a year business. When News Corp. purchased educational technology startup Wireless Generation in 2010, Rupert Murdoch said “When it comes to K-12 education, we see a $500 billion sector in the U.S. alone that is waiting desperately to be transformed by big breakthroughs that extend the reach of great teaching.”
The Massachusetts American Civil Liberties Union (ACLU), the New York Civil Liberties Union (NYCLU), the Massachusetts State Parent Teacher Association, the Campaign for a Commercial-Free Childhood and Citizens for Public Schools have all formally complained against their states joining the database.
“This program forces public school students to trade their personal privacy for access to education — even without their knowledge or their parents’ consent. Students in the Commonwealth should be able to trust that state officials will not quietly hand over intimate information about them en masse to private corporations or other third parties,” said Kade Crockford, director of the Technology for Liberty program at the ACLU of Massachusetts.
Currently, 21 companies have announced that they will develop software that works with inBloom, including Agilix, BloomBoard, CaseNex, Clever, Compass Learning, ConnectEDU, CPSI, Ellevation Education, eScholar, Global Scholar, GoalBook, Gooru, KickBoard, Learning.com, LearnSprout, LoudCloud, PBS, Promethean , Scholastic, Schoology and Wireless Generation.
My district’s notes re Compass Learning et al:
InBloom Partner/Provider LIst- Compass Learning
Please see also:
Student Privacy Concerns via Loenie Haimson Blog
Class Size Matters Fact Sheet