HB1157 Not Really About Data Security
Rep Mike Lair (District 7) has introduced a student data privacy bill, HB1157, that is intended to calm parents’ fears about their student’s data. A close reading of the language of the bill, however, shows that he is protecting the state and federal governments’ ability to make all collected data accessible to whoever they want.
The only protection of the data the bill cites is “all relevant state and federal privacy laws and policies, including but not limited to the Federal Educational Rights and Privacy Act (FERPA) and other relevant privacy laws and policies.” We know there are very few state laws protecting student data. We know that the FERPA definition of an “education agent” who could have access to PII was expanded to include almost everyone.
Under the Common Education Data Standards (https://ceds.ed.gov/) Version 3, January 2013, other data may be collected besides that required for education grant accountability. Anything described as an education program may collect data. Here is what counts as an education program according to CEDS:
Any program that is principally engaged in the provision of education, including but not limited to early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education and adult education, and any program that is administrated by an educational agency or institution.
Almost anything that teaches someone something could fall under this definition.
This chart is from a P-20 Council presentation that shows which government agencies are represented on the Council, are involved in the collection of student data, and have access to it.
And here is how the access to information entered at the local school is ultimately made available to the federal government.
All of the agencies shown in the P20 council chart have interagency agreements to grant access to student level data. HB1157 provides them cover after having already signed these agreements.
(a) Access to personally identifiable student data in the statewide longitudinal data system shall be restricted to:
d. The authorized staff of other state agencies in the state of Missouri as required by law and governed by interagency data-sharing agreements;
They also like to say they are adhering to the law, but offer no protection should the federal government decide to change the law or ignore existing law which would bar data sharing. Given the President’s unprecedented use of the Executive Order to selectively enforce or grant waivers from the requirements of existing law, the public is not unwarranted in its fear of the federal government changing its mind on student data rights and privacy.
HB1157 specifically leaves this option on the table.
161.108.1 (3) Prohibit the transfer of personally identifiable student data, unless otherwise provided by law and authorized by policies adopted under this section;
The rest of the bill says we should have these things:
(b) privacy compliance standards;
(c) Privacy and security audits;
(d) Breach planning, notification, and procedures;
(e) Data retention and disposition policies; and
(f) Data security policies, including electronic, physical, and administrative safeguards such as data encryption and training of employees;
Those are great, but the bill provides no details of what these measures will look like. They leave that up to the state board of education and probably the P20 council to determine. These groups spend a lot of time justifying why the government wants this data, which they acknowledge is dangerous to collect by citing repeatedly the need to protect such sensitive data. They never cite where they have the right to collect it or to know so much personal information about the youngest citizens in the state. They also, as far as I can tell, have no obligation to respond to public concerns, so their desire to have it will always trump the public’s right to privacy. The bill does not specify how the things in that list will actually be accomplished. There is no deadline for the development of these policies and plans. In other words, we will continue to collect PII in the meantime and worry about how we protect it later. This does not offer me a lot of comfort about my child’s data security.
The bill does have one good provision. It requires DESE to notify the governor and general assembly of any “new student data proposed for inclusion in the state student data system; and (b) Changes to existing data collections required for any reason, including changes to federal reporting requirements made by the United States Department of Education.” At least we would have a heads up when the federal government decides to trample more on our Fourth Amendment rights. It also acknowledges the existing federal prohibitions in the Pupil Privacy Rights Act against the collection of certain types of data. That protection should be a given, but if we have to make sure everyone knows it by codifying it in state law, so be it.
The bill sponsored by Rep Guernsey (2) on Student Data Privacy Rights, which will be filed this week, lays out all the hows for protecting student data. It has received input from and been reviewed by actual data experts from the military and intelligence fields and by Fortune 500 company IT professionals. They have already done the work that HB1157 says should be done some time in the future by agency bureaucrats and unelected board members.
HB1157 will be heard Wednesday (2/12/14) in the House Education Committee. You may send your comments to the Committee Chair Rep Steve Cookson using the official witness form here.
A similar bill, SB815, sponsored by Senator Pearce (21), has also been introduced.