State Board of Education Considers Rules for State Longitudinal Data System
The State Board of Education will meet today to discuss a number of important items. One of them is the development of policies and procedures called for in HB1490 regarding the protection and management of data collected by the state in the state longitudinal data system known as the Missouri Comprehensive Data System (MCDS). Here is the notice of proposed rulemaking that they will be discussing.
Title 5 – DEPARTMENT OF ELEMENTARY AND SECONDARY EDUCATION
Division 20 – Division of Learning Services
Chapter 700 – Office of Data System Management
PROPOSED RULE 5 CSR 20-700.100 Statewide Longitudinal Data System
PURPOSE: This rule explains the data collected by the Department of Elementary and Secondary Education within the statewide longitudinal data system commonly known as the Missouri Comprehensive Data System (MCDS). The rule also addresses the procedures that are used to ensure the confidentiality of student records maintained in the MCDS.
(1) Data Inventory.
(A) The Department of Elementary and Secondary Education (department) publishes annually an inventory of student data collected and posted on the department’s website.
(B) The department shall notify annually to the governor, president pro tempore of the senate, the speaker of the house, and the joint committee on education any changes to existing data elements.
(2) Data Access and Management Policies.
(A) The department adheres to the confidentiality requirements of both federal and state laws including, but not limited to the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), the Protection of Pupil Rights Amendment (PPRA), and the National School Lunch Act. These policies include:
- Defining privacy, confidentiality, personally identifiable information, disclosure, access, and confidential data; and
- Maintaining adequate privacy and confidentiality protections; including the assignment of a unique student identifier, data security, restricted access, and reasonable statistical disclosure.
(3) Data Requests.
(A) Requests must be submitted to the department in writing including but not limited to what data are being requested, the purpose of the request, for whom the study is being conducted, and how the requestor will ensure data confidentiality and security. Requests including student level data will require a Memorandum of Agreement (MOA) and research IDs will be created for all records.
(B) All recipients/users of the requested information must sign a MOA that includes:
- Introduction and Relationship;
- Data Being Requested;
- Scope of Activities;
- Participant Non-disclosure;
- Release of Analyses;
- Right to Audit; and
- Agreement Period, Amendment, and Termination.
(4) Data Security Plan. The department, in cooperation with the Office of Administration Information Technology Service Division (OA-ITSD), reviews and maintains the data security plan. This includes but is not limited to:
- (A) Guidelines for authentication of authorized access;
- (B) Privacy compliance standards;
- (C) Privacy security audits;
- (D) Breach planning, notification and procedures;
- (E) Data retention and disposition policies; and
- (F) Data security policies including electronic, physical, and administrative safeguards.
AUTHORITY: sections 161.092 and 161.096, RSMo Supp. 2014
PUBLIC COST: This proposed rule will not cost state agencies or political subdivisions more than five hundred ($500) in the aggregate.
PRIVATE COST: This proposed rule will not cost private entities more than five hundred ($500) in the aggregate.
NOTICE TO SUBMIT COMMENT: Anyone may file a statement in support of or in opposition to this proposed rule with Leigh Ann Grant-Engle, Assistant Commissioner of the Office of Data System Management, Department of Elementary and Secondary Education, PO Box 480, Jefferson City, MO 65102-0480 or email at email@example.com. To be considered, comments must be received thirty (30) days after publication of this notice in the Missouri Register. No public hearing is scheduled.
(Full notice is here)
As you can see, there are very few details here and most of what is required of the state is reporting only. There are no checks on the department for the collection of new data. Third parties must only submit certain information when requesting data access. There are no guidelines for when such requests can/must be denied. There are no consequences for anyone failing to keep data confidential. There is no ability for parents to see their child’s entire data record and/or make changes to it. There appear to be no limits placed on what data can be requested.
Consider this. Some of the data points currently collected by the state and included in the student information system (now MCDS) are: Offense Date, Offense Type, Weapon Type, Discipline Removal. It appears that this can be reported by student with a MOSIS # and SSN#. This amounts to a juvenile criminal record which is typically sealed by the court system, but appears to be available to researchers. It is possible that the PII associated with this data would never be reported outside the state data system, but the Department’s lazy system of simply listing data collected does nothing to reassure parents that their student’s sensitive data is protected. Part of the department’s job is to be clear and thorough in their reporting to the public. That means that any restrictions, caveats or sharing agreements on student data should be easy to find on the DESE website and not require parents to search through several pages and departments in order to find what the existing policies are.
The public needs to request the OA-ITSD Data Security Plan and review it for protection weaknesses. We also need to know what is in the Memorandum of Agreement that requestors must sign in order to receive data from the state. It will be important to make our concerns known during the public comment period.
Published January 12, 2015