This letter has been redacted where appropriate. Please see further blog posts in schoolsofthoughtny for additional sources and additional research regarding the issues and substance of this letter. Update 12/9/13 at the end regarding Compass Learning’s statement.
Dear BOE Members and Dr. _______:
I am writing to bring a concern to your attention regarding InBloom and student privacy. I apologize for the length of this message. If you prefer to discuss, in person I am more than happy to meet.
As you may recall, I lobbied extensively and requested an emergency BOE meeting in October which the BOE approved. Thank you for reviewing my research and granting that request. The BOE met for that emergency session to discuss and review matters that concern student privacy. After considering the evidence, the BOE then voted to withdraw from RTT citing student privacy concerns as the primary reason. Luckily, the District was in a position to withdraw from RTT financially not all schools are so lucky. By withdrawing from RTT, the District chose to mitigate risk of breach and student privacy concerns stemming from the 400+ data points being demanded by InBloom via NYSEDs data dashboard portals. While NYSED will continue to collect mandatory info and store InBloom, withdrawing from RTT helped mitigate risk to our students considerably. Other Districts surrounding us have looked up to _______ as a result of this shining example and lead. Thank you again.
As I discussed in prior correspondences, recent amendments to FERPA have weakened protection to student education records thus compounding the problem and making student info vulnerable to misuse, abuse and/or exploitation.
The bottom line, is that the risks of providing sensitive student info to InBloom outweigh the benefits and, please correct me if I am wrong, the BOE stated that student privacy is an utmost concern and must be taken seriously.
Which leads me to the reason I write today.
It has come to my attention that while the District has withdrawn from RTT in order to protect student privacy and to mitigate risks associated with InBloom, the District has also been volunteering PII and sensitive student information directly to InBloom and the District has been paying InBloom for these services at the outset.
Let me explain.
Compass Learning is a personalized learning program utilized at the elementary level in our school. CompassLearning Odyssey, with its comprehensive K-12 curriculum, promotes Common Core through rigorous curriculum, personalized learning, and ongoing assessment – See more at: http://www.compasslearning.com/common-core#sthash.RP0IZdDB.dpuf
Compass Learning is a partner of InBloom. Compass Learning is, actually, an InBloom service provider who shares its profits with InBloom, FYI.
Like its partner InBloom, Compass Learning acquires student data and PII and shares it with anyone who has a “legitimate interest” in the information including third parties. Like its partner InBloom, Compass Learning disclaims any liability for breach of security relating to the information. According to Compass Learning, parental consent is not required (under the new FERPA) Compass Learning operates off the consent provided by the District to collect and use student data and disclose it to anyone including third parties. This consent has been given to Compass Learning and InBloom to use PII and student data despite the risks associated with it that we have discussed in prior correspondences and that the BOE has made a ruling on when it voted unanimously to withdraw from RTT.
I find the Districts decision to buy and use Compass Learning as a tool to augment Core lessons and assignments disturbing because of the risks associated with the collection of sensitive student information as I have discussed previously. I write to bring my concerns to your attention so that they can be resolved.
Compass Learning’s Personal Information Practices regarding Children demonstrates that sensitive info will be uploaded and stored on InBloom through the Edu-portal:
PERSONAL INFORMATION PRACTICES REGARDING CHILDREN
What personal information is collected from children?
Through the course of providing access to and use of certain CompassLearning or Renzulli products or services, such as, CompassLearning Odyssey and/or Renzulli Learning, we may collect or have access to: your name, grade level, student school ID, user name, password, gender, ethnicity, race, whether you have special needs, certain sociological/economic factors regarding you that may impact your learning, factors relating to your scholastic performance, status and/or enrollment status, log domain names, IP address, a processor or device serial number, geolocation data, and/or a unique device identifier.
The info collected through the Edu-portal is used in a variety of ways above and beyond student personalization. The District has no say in how Compass Learning chooses to disperse data to third parties and no notice is required.
How is this personal information used?
Any personal information that is collected is used to customize your learning experience, to improve our services, to assess and/or communicate your performance with you and/or your school, as applicable.
With whom do we share personal information collected from children? We may share your personal information with your school. Teachers, administrators and district administrators can configure reports based on such information. These reports can be exported to PDF’s or spreadsheets. We may also share personal information with researchers or analysts who have agreed in writing to protect the confidentiality of such information in order for them to prepare white papers or analysis regarding the efficacy of our products or services. No white papers or analysis shared publicly would disclose any personal information. In addition, if you are using a module of functionality made available by a third party that is not integrated in a CompassLearning or Renzulli product, including, for example, an assessment tool or a foreign language module, such third party may collect personal information from you and/or we may share personal information with such third party, in each case in order for you to receive such service. Except solely as provided herein, we will not sell, lease or provide any third party personal information collected from children under 13 except as necessary pursuant to a written confidentiality agreement to make one of our products or services available to such child, in connection with a sale or change of control of CompassLearning or any of its assets, or if CompassLearning has reason to believe that doing so is necessary to identify, contact, or bring legal action against someone damaging, injuring, or interfering with our rights, property, or users.
If you request that your information be removed or if we no longer need to store it, we will securely destroy, erase, or make the information anonymous or request that your school securely destroy, erase, or make the information anonymous.
As a result of recent amendments to FERPA, parents have been deprived of any say in what info is collected and in how this info is used by the Edu-portal, third parties or companies associated with it and protection afforded to student education records has been weakened considerably suggesting that the new FERPA runs against its legislative intent.
PRIOR NOTICE AND CONSENT TO COLLECTION OF PERSONAL INFORMATION FROM CHILDREN UNDER 13
We rely upon consent from schools instead of parents for use by their students of our products and services. We provide information regarding our practices concerning the collection, use, and disclosure of personal information to such schools and to you.See more at:http://www.compasslearning.com/compasslearning/privacy_policy#sthash.eSTkHDvL.dpuf
The Edu-portal expressly disclaims liability for any breach of security/privacy, misuse or exploitation and states that the district assumes all risks:
If we are hosting CompassLearning or Renzulli products or services, we review our Web security on a regular basis. Information collected from users of our products or services is stored on databases and other servers kept in secure locations under the custody and control of CompassLearning or its designees. CompassLearning also uses technologies and processes, such as encryption, access control procedures, and network firewalls that are designed to protect such servers. CompassLearning makes commercially reasonable efforts to protect such information and to limit its use and disclosure but cannot guarantee that such efforts will be successful. Please note that sending data over the Internet is never completely secure. Although we will endeavor to fully protect your information, we cannot guarantee the security of the data you transmit to us or allow us to collect, and you do so at your own risk.
CompassLearning products may contain links to other carefully chosen sites. However,
Third parties are permitted to access student data without consent of knowledge of the District and parents have no say in the matter.
HOSTING BY THIRD PARTIES
If we are licensing CompassLearning or Renzulli products on an enterprise basis to be hosted by a school or its designee, we not providing and are not responsible for any system security. In addition, the school that is hosting such product may collect different information than is indicated here. Consult such school. In addition, we are not responsible for how this information we may share with your school may be used or disclosed by such school.
See more at:
As I discussed in research that I conducted that Board Member __________referred to at the last Board meeting, under the “new and improved” FERPA, InBloom/Compass Learning is permitted to store PII and outsource it anywhere in the world. FERPA makes no distinctions based on State or international lines. While FERPA purports to hold the disclosing entity legally accountable for protecting the confidentiality of PII from education records, the reality is FERPA does not explicitly require that education data be stored within the U.S leaving sensitive student information virtually vulnerable (no pun intended). Although storing sensitive education records, including medical, behavioral, assessment, and related information in special education case files, within the U.S. is encouraged and considered a best practice by the USDE to ensures that they are subject to U.S. jurisdiction, FERPA does NOT require that the PII be stored in country leaving schools. Given hefty storage fees, I’m guessing this will be pretty attractive option.
It is also important to be aware that it is often difficult to take enforcement actions against entities outside of the U.S. under U.S. privacy laws and regulations, and to hold these entities legally accountable for violations of contracts or written agreements so any outsourced PII material would undoubtedly be a tempting target.
Please see Privacy Technical Assistance Center (US Department of Education):
Question: Does FERPA require that confidential information in the cloud be stored within the United States? Is there a best practice?
Answer: The preamble to the December 2, 2011, amendments to the FERPA regulations states the following in response to a comment on this general subject: “FERPA makes no distinctions based on State or international lines. However, transfers of PII from education records across international boundaries, in particular, can raise legal concerns about the Department’s ability to enforce FERPA requirements against parties in foreign countries. It is important to keep in mind that for a data disclosure to be made without prior written consent under FERPA, the disclosure must meet all of the requirements under the exceptions to FERPA’s general consent requirement. For example, if the conditions under the audit or evaluation exception in FERPA are met, a State educational authority could designate an entity in a different State as an authorized representative for the purpose of conducting an audit or evaluation of the Federal- or State-supported education programs in either State. The disclosure of PII from education records is not restricted by geographic boundaries. However, disclosure of PII from education records for an audit or evaluation of a Federal- or State-supported education program is permitted only under the written agreement requirements in § 99.35(a)(3) that apply to that exception. Under these requirements, the disclosing entity would need to take reasonable methods to ensure to the greatest extent practicable that its authorized representative is in compliance with FERPA, as is explained further under the Reasonable Methods (§ 99.35(a)(2)) section in this preamble. More specifically, an LEA could designate a university in another State as an authorized representative in order to disclose, without consent, PII from education records on its former students to the university. The university then may disclose, without consent, transcript data on these former students to the LEA to permit the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education” (Family Educational Rights and Privacy, Final Rule. 76 Federal Register 75611-75612 [December 2, 2011]). While FERPA does not explicitly require that education data be stored within the U.S., it does hold the disclosing entity legally accountable for protecting the confidentiality of PII from education records. This includes compliance with the “direct control” requirement that applies to schools and LEAs disclosing PII from education records under the “school official” exception, and the requirement for written agreements and the use of reasonable methods to ensure that the information is adequately protected that applies to SEAs disclosing PII from education records to their authorized representatives under the ￼ ￼Page 5 of 8 “audit or evaluation” exception. Regardless of which exception is used, it is important to be aware that it is often difficult to take enforcement actions against entities outside of the U.S. under U.S. privacy laws and regulations, and to hold these entities legally accountable for violations of contracts or written agreements. Therefore, storing sensitive education records, including medical, behavioral, assessment, and related information in special education case files, within the U.S. would be considered a best practice as it ensures that they are subject to U.S. jurisdiction.
I also want to point out that once InBloom/Compass Learning has the PII/Student Data in its hands, they can and will share it with NYSED and the FEDS as they wish without notifying the District and without consent of any parties. NYSED has made it clear that they are in cahoots with InBloom despite the risks. New York is the only State left partnering with InBloom, all others have fled and distanced themselves from InBloom over student privacy concerns and possible exploitation of student data for profit.
Parents have no control over student records anymore due to recent amendments in FERPA and sharing between third parties is permitted by law, despite InBloom/Compass Learning claims that they will not do this to the contrary, I have researched this. I believe I addressed this in prior emails, but if not I am happy to provide source and references to support this contention.
I would also like to remind you that NYSED is on a quest to build a P-20 Electronic transcript system designed to follow students from pre K through high school and beyond. Please recall, from my earlier correspondences, NYSED will have you believe that InBloom and the longitudinal data system is simply to create personalized learning for students so that schools can communicate with one another and within districts for ease and efficiency. As if there was any question in our minds, that is far from the truth.
Data will be reported in an “electronic transcript that follows each student from Pre K through to career.” The data will be accessible by and reported to virtually all State and County agencies as discussed below. There are many exceptions in FERPA and the scope of those “authorized” to access info has been broadened and/or remains vague and unclear. Which means, a lot of employees/volunteers/authorized personnel (which means essentially anyone affiliated with the organization) of these agencies will have access to sensitive or protected info.
Courts seal youthful offender records so that offenses don’t cloud and follow perpetrators after they have served their time.
Doctors have HIPAA privacy laws and there are serious consequences for violating HIPAA.
But, education records do NOT have the same protection as they once used to and there is virtually no recourse in the event of breach.
The BOE voted to protect student privacy in light of parent/taxpayer concerns over student privacy. Part of that discussion and the reasoning to support it involved taking a stand and making a statement against NYSED for over reaching and, in one BOE Member’s opinion, to push back against perceived “blackmail.” But, NYSED has an agenda of its own and partnered with InBloom:
“NYSED is working with social service agencies, workforce development organizations, health agencies, criminal justice agencies, and community organizations to coordinate all parts of education, from early childhood through graduate school. The goal is to create a P-20 system that will follow individuals from birth through adulthood and provide the support needed to improve education and other life outcomes.”
“There currently is a lack of shared knowledge among all the agencies and stakeholders who are responsible for children and adults. Therefore, the essential bases of this P-20 coordination must be: the seamless sharing of information through a multi-institutional database, and follow-up actions developed through an analysis of that information. NYSED’s major tool will be a continuously updated electronic transcript that will follow an individual from early childhood through all aspects of education and into the workforce and include an “early warning system” of data indicators that will enable each agency or organization within the system to intervene early, as soon as the individual appears to need help.”
Source: (See RTTT assurance signed by former Governor Patterson and NYSED)
Compass Learning has partnered with InBloom too. There is nothing that prevents Compass Learning from disseminating info to NYSED, the FEDS or others to further NYSEDS goal of creating the P-20 longitudinal data, electronic transcript repository. In fact, it is a “legitimate educational” interest under the amended FERPA and is wholly permitted.
The slippery slope is clear.
I am respectfully requesting that the District reconsider its decision to use Compass Learning as a tool in our schools due to its partnership with InBloom, NYSED and over student privacy concerns.
At minimum, I would ask that the District and Principals adjust the settings on Compass Learning so that the minimum amount of student PII/info is inputted and that steps are taken to anonymize the data being submitted to InBloom/Compass Learning from District to the company with due diligence.
I would ask that security be reviewed periodically and that the District take steps to affirmatively request from Compass Learning every few months learn who has been authorized to acquire PII student data from Compass Learning/InBloom as third parties, for research or for other purported legitimate interest.
As stated in its policies, Compass Learning provides that the District can choose to opt PII and student info out, parents have been deprived of any say in the matter.
As stated in its policies, Compass Learning points out that the District has control over settings and what info is uploaded, parents do not have a say in this matter.
As stated in its policies, Compass Learning relies on consent provided by the District not parents over control and use of student data and PII. Parents wishes are immaterial according to NYSED and Compass Learning.
As stated in its policies, Compass Learning provides that Districts can ask info to be anonymized, parents have no right to protect the identity and information being dispersed by NYSED and/or InBloom/Compass Learning.
As stated in its policies, the District is in charge of student PII and have acquired rights to this information over the rights of parents, depriving us of withholding consent, to protect our own children.
As set forth in my many prior emails, child identity theft, among other things, is one of the fastest growing crimes and is a grave concern to law enforcement officials.
For all the above and foregoing reasons, I do not consent to my child’s PII, student data or other information being provided by the District to InBloom via Compass Learning.
However, since Compass Learning and NYSED tells me that I have no say in the matter , I am writing to you to do this because I have no other choice. As a parent whose child’s PII and sensitive information is being extracted and held at the mercy of the District, I am asking that you make every effort to assure that my child’s privacy is respected and security maintained to the utmost and best standards of care.
Below, please see some other links of interest relating to the matter. I thank you in advance for your kind cooperation in this matter and am open to talking more fully about this and my concerns if that is easier.
As you know, there has been much controversy surrounding the upload and dissemination of PII by NYSED through InBloom et al. Location data is worrisome. But, PII? The potential is astounding. Talk about 1984!
NYSED intends to build a P-20 repository of information to serve as an “electronic tanscript” designed to follow students throughout their life from childhood into adulthood. This info is to be shared via LEAs, County, State and across State lines eventually.
Many school districts are withdrawing from RTT due to student privacy concerns. My own distrct, Spackenkill, did just that. However, I recently brought to my districts attention that although the district withdrew from RTT over student privacy concerns related to InBLoom, we use Compass Learning edu-portals which apparently no one realized, is an InBloom partner delivering PII straight to InBloom at the outset.
I am relieved to report that the district pursued the concerns I raised about Compass Learning partnership with InBloom. Apparently, Compass Learning terminated their relationship with InBloom recently. I will confirm with InBloom before I rest on this matter and have suggested that Compass Learning may want to issue a statement clarifying that they no longer have a relationship with InBloom as InBloom continues to promote Compass Learning as a partner in the media and on its website.
I am pursuing concerns about edu-portal providers that have a relationship with InBloom with state advocacy groups as we speak. A list of providers can be found on InBloom’s website (or on my blog). Again, Compass Learning is still to this day listed as a partner on InBloom’s website and there is nothing in the media to suggest that this partnership has been terminated. I have encouraged Compass Learning to issue a statement denouncing this relationship.
Parents in school districts need to be aware of the technology that is used in our classrooms.
The transcript and rap sheet attached to each of our children as a result of data mining is positively Orwellian!
NY is the only State left who maintains a relationship with InBloom. All other States and many businesses have fled over student privacy concerns. NYSED and some of the Board of Regents members, on the other hand, remain committed to InBloom. Other Regents (Pillips, Cashin and Rosa) have expressed and validated concerns over student privacy. This speaks volumes.
Excellent Article that discusses InBloom Edu Partners, privacy and FERPA issues
District notes re Compass Learning et al:
InBloom Partner/Provider LIst- Compass Learning
Please see also:
Student Privacy Concerns via Leonie Haimson Blog
Class Size Matters Fact Sheet
Privacy and Data Mining Links
Courtesy, Stop Common Core in New York State
Family Educational Rights and Privacy Act (FERPA) guidelines (2009) by Gerald M. Zelin
Family Educational Rights and Privacy Act (FERPA) Changes (2011)
Pearson – Longitudinal Data Warehouse, Analysis, and Reporting
Pearson – Longitudinal Data Solutions Brochure
InBloom.org – Main Site
InBloom.org – Developer Documentation of Data Model
What is the “National Education Data Model
National Education Data Model by National Center for Education Statistics (printed to PDF)
P-20 from the National Center for Education Statistics (NCES) Handbooks
Data Quality Campaign – P–20/WORKFORCE PIPELINE
NCES – Statewide Longitudinal Data Systems (SLDS) Grant Program (map)
EngageNY – Data Dashboard Selection Guide
EngageNY – Portal Data Dictionary (11.3.2013)