Thanks to the advocacy efforts of officials and parent groups throughout New York State, concerns over student privacy were rewarded with the termination of the NYS contract with inBloom via the State’s 2014-15 Budget Bill and a series of enactments regarding the handling of student data, including personal information.
You may recall an Op-Ed in the NY Times that discussed some of the concerns regarding student privacy:
“The recent collapse of inBloom, the student data company, is a powerful reminder that in the era of Big Data, privacy still matters (“A Data Collector Drops Out,” Technophoria, April 27). As we see it, the problem was not misunderstanding by the public, but a lack of meaningful privacy protections.
The Department of Education also bears some responsibility for inBloom’s demise. Instead of defending important privacy laws that help protect student data, the department chose to loosen the rules so that private vendors could pull sensitive data out of local schools. Schools were also encouraged to collect far more information than they had in the past. Parents did not know what information was being collected, who would have access to it or what impact it might have on their children’s future. Not surprisingly, many objected.
The Education Department could help restore confidence in these data-intensive programs by strengthening privacy rules and establishing a Student Privacy Bill of Rights. Students should know what information about them is being collected and how it is being used. And schools should be more cautious about turning over their students’ data to others.”
As part of that State Budget Agreement, the New York State Education Department was prohibited from giving student information to outside entities that collect and store data for use in data dashboard or portal systems, effectively ending SED’s relationship with the company inBloom. SED is also responsible for ensuring that all data provided to inBloom to date is deleted from the dashboard.
The new law also enabled SED to contract with the local BOCES to satisfy previously established federal grant requirements and requires SED to appoint a chief privacy officer to oversee the handling of student data. The chief privacy officer is supposed to be highly qualified in state and federal education privacy laws and regulations, civil liberties, information technology and information security.
Additional measures included guidelines for the handling of any student information and the establishment of a “Parent Bill of Rights” by every school district. The law also imposed fines for any breach or unauthorized use of student information in violation of the law or the local Parent Bill of Rights.
A sigh of relief was breathed by parents across the State.
But that relief was short-lived.
A letter signed by parent leaders from throughout the state was sent April 29, 2014, addressing these concerns here.
Adding insult to injury, Gary Stern of LoHud reports that NYSED’s Commissioner King has breached SED’s statutorily imposed obligation to protect student privacy, leaving districts and parents in the lurch about what to do.
“With the state Education Department likely to miss a legally imposed deadline to create a “parents bill of rights” on the use of student data, some anxious school districts are considering writing their own statements.”
While the legislation required notice to parents, due to NYSED’s breach, districts have not gotten the information from the state they were expecting. Moreover, the Education Department has not yet started collecting public comments about a bill of rights, leaving districts and school lawyers in the lurch. With the new school year rapidly approaching, schools are not sure what their obligations are and are not clear about what to do to protect student privacy.
In the face of such uncertainty, some districts have taken the step of trying to craft their own “tentative” Parents Bill of Rights to meet their obligations to parents and students while they wait for input from the State.
The Greenburgh UFSD writes:
Pursuant to an amendment to the Education Law, section 20-D, school districts are now required to publish, on their websites, a parents bill of rights for data privacy and security and to include such information with every contract a school district enters into with a third party contractor where the third party contractor receives student data or teacher or principal data.
The parents bill of rights for data privacy and security shall state in clear and plain English terms that:
(1) A student’s personally identifiable information cannot be sold or released for any commercial purposes;
(2) Parents have the right to inspect and review the complete contents of their child’s education record;
(3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred;
(4) A complete list of all student data elements collected by the State is available for public review at (insert website address here) or by writing to (insert mailing address here); and
(5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to (insert phone number, email and mailing address here).
The parents bill of rights for data privacy and security shall include supplemental information for each contract an educational agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data. Such supplemental information shall be developed by the educational agency and shall include:
(1) the exclusive purposes for which the student data or teacher or principal data will be used;
(2) how the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
(3) when the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
(5) where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
The chief privacy officer, to be appointed by the Commissioner, with input from parents and other education and expert stakeholders, may develop additional elements of the parents bill of rights for data privacy and security. In addition, the Commissioner is required to promulgate regulations for a comment period whereby parents and other members of the public may submit comments and suggestions to the chief privacy officer to be considered for inclusion. We will keep you updated should changes occur.
These requirements are effective July 31, 2014.
But are the measures to be taken by NYSED sufficient? Not everyone thinks so.
A new coalition called the Parent Coalition for Student Privacy released a letter to the leaders of the House and Senate Education Committees, urging Congress to strengthen FERPA and involve parents in the decision-making process to ensure that their children’s privacy is protected.
The letter is posted here, and calls for Congress to hold hearings and enact new privacy protections that would minimize the sharing of highly sensitive student data with vendors and among state agencies and would maximize the right of parents to notification and consent. The letter also asks for strict security requirements, that the law be enforceable through fines, and that parents have the right to sue if their children’s privacy is violated.
Please contact your elected state officials to inform them that NYSED has failed to meet its obligation to protect student privacy, ask what they intend to do to protect our children’s personal information and demand that NYSED be held accountable for breaching its statutory obligation owed to students and parents... again.