Guernsey Data Bill Ready
Missouri House Representative Casey Guernsey is ready to file a Student Data Privacy bill that will limit the data collected on our children and put back reasonable restrictions on who can have access to the data that is collected. Should federal law change, our state education agency will not automatically be able to comply. They will have to inform parents that they are being asked to collect additional data points. Transparency will be established for the process of data collection and reporting.
Please contact YOUR representative now and ask them to sign on to Rep. Guernsey’s Student Data bill.
A little data collecting history…
FERPA Protection was limited to start with and has gotten weaker over time.
FERPA was originally enacted in 1974 theoretically to protect the rights of parents and students under very specific situations that were known or understood at that time. FERPA has been amended 9 times since then, and the primary enforcement mechanism is the reduction or disqualification for funding directed at schools and states that fail to comply with FERPA regulations. There is no direct ability to sue for damages resulting from non-compliance with the protections delineated by FERPA or a breach of data protection.
The US Department of Education's changes to FERPA over the last decade (plus) were not approved by Congress. The most recent and significant change occurred in 2012 when the definition of education agents who could have access to student-level data was broadened to include other federal agencies, researchers, and third-party vendors with a declared interest in education. Most of these agents do not receive federal funding and thus remain largely immune from repercussions or restrictions on their continued use or misuse of such data. The only recourse for the federal government is to first try to convince abusers to stop abusing their data access privileges or, failing that, forbid school districts from providing data to them directly for 5 years or more. If vendors obtain data from another source, say another vendor, agencies can bypass even this very minor censure. This is a matter of settled law and an opinion issued by US ED in this 2011 document: http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf
New technologies, such as cloud services, have developed so quickly that most school districts or states have not been able to keep up with the new security risks inherent in using such technology.
FERPA does allow schools, school districts and states to set their own civil penalties in their contracts with data management vendors, but most, if not all, fail to do so. This was reported by Fordham Institute recently from their study of school district/cloud vendor contracts. What this means is that any vendor for any data system in any school district that has access to data can currently use that data however they want if their only restriction written into their contract is that they will comply with FERPA. The report found either lax or non-existent protections in the contracts that most school districts have with their data vendors. Significant findings include:
- Only 25% of districts inform parents of their use of cloud services, 20% of districts fail to have policies governing the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.
- Fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.
- School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency.
FERPA does not restrict or target vendors. It only applies to schools and school districts. State agencies are also largely excluded from many of the provisions of FERPA although references to them have been sprinkled in throughout the years. Most of the wording and sanctions are directed at local school districts, not state agencies who subsequently acquire the data.
The public lacks the ability to recoup damages from these agents, for instance the loss of student loan eligibility due to credit fraud resulting from stolen individual student data, especially if no one is required to report possible or actual data breaches. Parents do not have the right to sue or take actions against vendors, state agencies, local school districts, or individuals who use, misuse or abuse their children’s data, or their own data under FERPA. All enforcement actions are handled through the Family Policy Compliance Office (FPCO), who may choose not to act. Parents may make a formal complaint, but those complaints can be ignored and parents have no further recourse.
Clearly, FERPA protection alone is not sufficient to protect student, parent and teacher data currently being collected.
State Longitudinal Data Systems, developed using State Fiscal Stabilization Funds provided to Governors from the American Recovery and Reinvestment Act, are envisioned to contain far more information than the state currently collects.
Currently, the state is obligated to collect a number of data points to comply with federal accountability requirements for Title I, Title II, IDEA and other federal grant programs. (See DESE list at http://dese.mo.gov/dsm/coredata/CDcollect.html) However, the National Center for Education Statistics, operated by the US Dept of Education, has developed a list of 400 data points that they would like to see collected on each student. That list can be found at:
http://nces.ed.gov/forum/datamodel/eiebrowser/techview.aspx?instance=studentPostsecondary A similar list of Common Education Standards can be found at: https://ceds.ed.gov/elements.aspx?v=3&ex= which is also operated by the US Dept of Education.
The collection of this type of data feeds into the current administration’s vision of a Federal Unit Record System, which would create an individual record for each student at participating schools and allow a researcher to see information about that student’s entire academic career. To be fair, the Obama administration was not the originator of this idea. It became popular during the G.W. Bush administration.
(See Georgetown Law Journal for a defense of this system http://georgetownlawjournal.org/files/2012/08/13Custer.pdf)
To facilitate the populating of this system with data points, states set up the State Longitudinal Data System (SLDS) which is overseen by the P20 Data Council (P20=Pre-school to age 20 or workforce). This work was financed by State Fiscal Stabilization Funds from the ARRA. The P20 Council in Missouri is composed of: Department of Elementary and Secondary Education; Department of Higher Education; Department of Economic Development, Division of Workforce Development and Missouri Economic Research & Information Center; and Missouri Center for Career Education. The only thing holding these agencies back from collecting the 400 data points envisioned by the USDoEd is the weak and toothless aforementioned FERPA.
The case can always be made for any particular data point to be known by the teacher and possibly the principal of a particular student in order to help that student reach his/her maximum education potential. It is also somewhat understandable that these agencies might want the types of data noted in the National Center for Education Statistics data model. However, nowhere has the case been made that they have the right to collect such data about students simply because they attend a public school. The case has never been made why such personal data must be shared with the state, let alone the federal government.
Without some sort of Data Rights Bill passed by the Missouri legislature, whenever these agencies or the federal government decide they need more data, the SLDS will begin collecting it without public notice or approval.