Enormous Student Data Disclosure Threatens Student Privacy
The Hamden School District’s disclosure of personally identifiable student data—without the knowledge of parents or students—to an education industry group should be a lightning rod for legislative action on HB 7017, An Act Concerning Student Data Privacy.
“School districts must safeguard children’s privacy, and they should never leave students and families in the dark when it comes to sharing sensitive student data,” said CEA President Sheila Cohen.
She added, “The state legislature must not allow corporations to download and take ownership of sensitive and confidential student information for potential commercial use. This is not in the best interests of children, schools, and families.”
The Connecticut Council for Education Reform (CCER), an organization governed by corporate and industry officials, entered into an agreement with Hamden school administrators to secure personally identifiable student records. The agreement entitles CCER to own the student data and share it with subcontractors who have the capacity to commercialize the data.
Hamden was also requested to provide CCER school campus maps, square footage of buildings, maximum enrollment allowed in building, location codes for each individual school; grade levels, and secondary course info—such as periods of the day courses meet. This information transfer runs contrary to Connecticut General Statutes Section 1-210(b)(19) which discusses the disclosure of records when there are reasonable grounds to believe disclosure may result in a safety risk.
“The amount of information CCER received is staggering,” Cohen said. “According to the agreement, CCER has taken possession of and now owns all student academic information, as well as student identifying codes, demographic and performance information, designations of students with disabilities, students’ Individual Education Plans, their placement status, and detailed information about English Language Learners. Private sector data mining has exploded in many facets of our lives.” Cohen said. “CCER’s data mining has now reached down to our children. The state legislature cannot ignore this problem.”
Cohen also noted that CCER was able to access and take ownership of the student information at no cost—it only promised to provide Hamden with a “District Needs Assessment Report.” According to the agreement, CCER retains ownership of all the raw student data and can use or sell the aggregated data in any way it chooses.
Cohen explained, “There are numerous third parties seeking to build databases of student information. Some are doing so to sell educational software or other products to school districts. Some are collecting student data and misusing that data to tarnish public schools. The amount of information that can be made available for corporate gain is overwhelming and deeply troubling.
“Under this agreement, Hamden parents and students would lose ownership and control of sensitive personal information,” Cohen said. “This is a clear and present danger to students and families in Hamden and every other public school where similar agreements are proposed—a situation that provides irrefutable evidence that the legislature needs to act to avoid further privacy infringements. Lawmakers must defend and protect our children because data has never been more vulnerable to misuse, abuse, and breach.”
CEA Executive Director Mark Waxenberg said, “Public education has been called a five-hundred billion dollar sector. The Hamden disclosure is a tipping point and a sign of just how far corporate entities will go to encroach on the privacy of our children and endanger their futures. Public education should not be a profit center for Wall Street hedge fund managers and corporate executives.”
Legislature must make schools safe for children and families
CEA has told Connecticut lawmakers that the Association wants them to restore and improve education records protection. This necessitates the reversal of the U.S. Department of Education weakening of privacy rules by creating a strong Connecticut state law that:
- Restores requirements for parental consent before student Personally Identifiable Information (PII) is shared with a third party or other governmental agencies.
- Extends protections to personally identifiable teacher data, particularly data linked to individual students and classroom levels.
- Requires contractors with responsibility over educational PII to register with the state and to be subject to a fine of up to $50,000 for violating laws.
CEA also urges legislators to increase data use transparency and information available to parents:
- Require parental consent for the sharing of PII and require notification of data uses, data sharing contracts, and parental privacy rights.
- Require the SDE to make public an easily accessible inventory of all individual-level data elements it collects.
Strides in protecting students have been made in many states, including New York, Colorado, Idaho, and California. EducationCounsel provides critical information on this topic.
EducationCounsel also has published a helpful look at best practices, state policies, and model legislation: Key Elements for Strengthening State Laws and Policies Pertaining to Student Data Use, Privacy, and Security: Guidance for State Policymakers.
For news reports, court cases, analyses of data security issues, and legal analyses, see the Electronic Data Privacy and Information Center (EPIC).