State Considers Student Privacy Bill
On Wednesday the Senate Education Committee heard SB989 sponsored by Senator Onder on Student Data Privacy. The vast majority of the testimony was in favor of the bill. Representatives from the Missouri Coalition Against Common Core, including myself, testified in favor of the bill and offered personal experiences to demonstrate the real harm that can come from data collection. Even both teacher unions (MNEA, MSTA) spoke in favor of the bill. Both noted the section that protects teacher data from being sent outside the district. Members of the Committee seemed to respond positively to the testimony.
Several factors are lining up to support the need for this comprehensive bill at this time.
At the state level – DESE has been on notice since 2014, with language in HB1490, that policies were needed to protect student data they collect. In March of 2015 a rule was promulgated stating we needed policies but with no specifics on what the policies would be. In October 2015 the State Auditor released a report stating that our policies were inadequate to protect the 1.5 million student data records the state currently maintains. Galloway found: serious weakness in DESE’s ability to monitor user accounts with access to the data, the collection of sensitive data for which the state has no defensible need, and the lack of an adequate data breach policy which increases the risk of potential harm to affected individuals.
At the federal level – At a House oversight hearing in November 2015, the Inspector General reported that the U.S. Department of Education received an “F” overall on the Federal IT Acquisition Reform Act scorecard. They allowed too much unchecked access to the data stored in the federal databases (6,000 user accounts for the primary database and 97,000 users of the financial aid system); the CIO of the independent contractor who managed the data for the department and the department itself failed to even detect illegal access during penetration tests; but most importantly, they failed to address serious security weaknesses that have been pointed out repeatedly for more than 3 years. This leaves data given to the feds extremely vulnerable to security threats, a situation that is not likely to change any time soon.
FERPA Is Insufficient – As initially introduced by its chief sponsor Senator James L. Buckley, FERPA was specifically intended to prevent the linking of academic data to non-academic data for the purpose of measuring schools’ impact. Senator Buckley’s statement in the Congressional Record describes FERPA as a safeguard against “the dangers of ill-trained persons trying to remediate the alleged personal behavior or values of students,” which include “poorly regulated testing, inadequate provisions for the safeguarding of personal information, and ill-devised or administered behavior modification programs.”
Changes made since its introduction 30 years ago have turned that original intent on its head and essentially gutted its effectiveness.
- The Solomon Amendment in 1996 gave the military privileged access to student information for recruitment purposes.
- The Taxpayer Relief Act of 1997 gave the U.S. Internal Revenue Service access to certain personal information about students.
- The U.S.A. Patriot Act of 2001 lowered the oversight that federal judges have over requests that the U.S. Department of Justice makes for court orders to acquire information in student records.
- All three of these laws impose harsh penalties for noncompliance with reporting requirements.
- Administrative changes by the Secretary in 2011 greatly broadened the definitions of “education programs” and “authorized agent” who could have access to records with personally identifiable information.
The latest regulation broadly defines “education programs” to encompass programs not only focused on “improving academic outcomes” but also related to “bullying prevention, cyber-security education, and substance abuse and violence prevention” regardless of whether the program is administered by an educational agency or institution. This opens up collection of data about behavior and values which FERPA was originally designed to prohibit.
A presentation prepared by the Privacy Technical Assistance Center, a subdivision of the USDED, advises potential data users repeatedly of the exemption for consent in the case of “audits and evaluations.” This exemption provides the pathway for those who previously would have been barred from accessing PII to gain such access. Notably, this presentation calls FERPA “the floor for protecting privacy, not the ceiling.” Policies at the state and federal level which cite FERPA as the basis for the protection of the data they collect are essentially saying, “We do the bare minimum to protect student data.”
Expansion of Data Collection – Several programs at the federal level will require the collection of additional data as part of their accountability measures. For example, the recently passed re-authorization of the Elementary and Secondary Education Act (ESEA), now named the Every Student Succeeds Act (ESSA), provides funding for the expansion of the Community Learning Centers in schools. In addition to extra meals and extended school hours, these centers will provide counseling, medical services and mental health screenings. ESSA also requires (p. 671) (B) “A needs assessment that identifies the academic, physical, nonacademic, health, mental health, and other needs of students, families, and community residents.” Should the sensitive health or psychological information gathered in the process of providing these services find its way into the student’s education record, something for which there is currently no prohibition, the Family Compliance office of the USDED has confirmed that that information will only be protected by FERPA, not HIPAA, which would normally protect such information in a personal medical record. As explained above, that means that normally private medical information could now be available to many more entities without parental knowledge or consent. It is up to the states to provide more protection for that information.
The real impact of data – Jill Carter testified that she received a form from her son’s former school district (he is 19) asking her to indicate his current educational status. He was partially home schooled and thus did not receive a diploma from the district. The form said that she must indicate his current education status or else the state would code him as a dropout and place his name on a list tracked by the Missouri Literacy Council. In addition, his student data (with him being coded as a dropout) would be shared with the military and potential employers. Her local district was not able to respond to her sunshine request to tell her what data the state had on her son, nor could they tell her who all that data could be shared with or what sharing agreements there were. There is no readily available process for a parent to get that information from the state. She could find no information on the web about a MO Literacy Council to find out what they did or why they were to get her son’s information. The bottom line is, even if you try to get out of the state’s system and exercise your right to choose the best education for your child, they will track you and share your information.
Stacy Shore testified about a form that has been distributed by school districts across the state asking for military service status. The form indicates that “DESE requires this information from all school districts.” Families are asked to list all their children in public school by name and indicate whether any family members are active, inactive, national guard, or non-military. On DESE’s website they indicated that this information was being collected to assist in government decision making about the continued operation of the two military bases in Missouri. This is in contrast to the information supplied on the form which said that ALL school districts had to supply data.
The concern with the collection of individual family data relates to the Pentagon hack last spring where the names and addresses of 100 military families were obtained by ISIS agents who were then advised to go find and kill those families. Why the state, which clearly has less capable security than the Pentagon, would also collect this kind of detailed military information linked to a family name and address which is part of the state’s MOSIS system, is unthinkable. The Pentagon knows where all the active and retired military families live and should be able to provide those numbers in aggregate to the state, not the other way around.
Other supporting testimony was provided by Linda Laird of Concerned Women For America and Kerry Messer of the Missouri Family Network. Microsoft underscored the need for more protection of private student data while not commenting on specifics in the bill.
Senator Chappelle-Nadal found herself surprised to be in support of the bill after listening to testimony from MNEA’s lobbyist Otto Fagan. She said she saw now that this was not just a conservative issue. It addressed values shared on both ideological sides. She then reassured the audience that she was still a liberal.
Senator Brown made the keen observation that the act of collecting so much sensitive information in one place puts that data at greater risk for exposure by giving would-be attackers a single high-value target to go after. This hints at the philosophy embedded in SB989, that the numerous districts become the official repositories of sensitive PII which must not be shared outside the district.
Opposition to the bill came from two sources. MSBA testified that there were too many “poorly defined terms” in the bill and promised to work with the sponsor to address those concerns. This is the only complaint registered that the bill is not specific enough.
Google attempted to tell the state that our kids would be “disconnected” from the rest of the country if it were enacted. The bill does not address data collected by private vendors through the use of their products done via contract or privacy agreements with the local district. It only addresses data collected by the state on individual students. So unless Google is supplying the state with sensitive information specifically listed in the bill on individual students, there is no prohibition on normal business practices for Google. Districts, however, should be very cautious about that data collection and those contracts, as the National Association of School Board Executives has said that the liability for such data breaches lies with the district.
While we wrestle with these weaknesses in our collection systems, more and more data breaches occur at all levels, both in government and in private industry, proving that the statement MCACC has been making for almost three years, that there is no such thing as a secure database, is true. Hacks of Blue Cross, JP Morgan, Pearson, OCR and the Pentagon released sensitive data to unknown attackers and are providing the cautionary tale for carefully choosing the data you collect in the first place. Our capacity to collect far outstrips our ability to protect, so more thought must go into decisions about whether sensitive data is really needed to carry out the function of government. In an ideal world, the function of government will also be affected by acknowledgement that some things are just too sensitive for it to know about every citizen.