Democratic Massachusetts Senator Edward J. Markey has written a vital letter to U.S. Secretary of Education Arne Duncan about the loss of student privacy under new education reforms. The Senator asks the Secretary eight great questions. My favorite is question #2.a): “Should parents, not schools, have the right to control information about their children?”
Senator Markey’s full letter is posted below. Please share it with your senators and with your state superintendents, who may, by their connection to the Council of Chief State School Officers (CCSSO) and its partnership with the U.S. Department of Education, have sway in getting to real answers more quickly.
October 22, 2013
The Honorable Arne Duncan
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202
Dear Secretary Duncan:
The efficient collection, analysis and storage of K-12 students’ academic records holds promise for improving scholastic performance and closing the achievement gap. By collecting detailed personal information about students’ test results and learning abilities, educators may find better
ways to educate their students. However, putting the sensitive infomation of students in private hands raises a number of important questions about the privacy rights of parents and their children.
According to a recent article in The New York Times (“Decidir1g Who Sees Students’ Data”, October 5, 2013), a growing number of school districts are outsourcing data storage functions to private companies. This change, the companies assert, will “streamline access to students’ data to bolster the market for educational products”. While better analysis of student reading may, for example, help educators better target the appropriate reading materials to students, disclosure of such information, which mayr extend well beyond the specific private company hired by the school district to a constellation of other firms with which the district does not have a business relationship, raises concerns about the degree to which student privacy mayI be compromised.
Moreover, as the article cited above also explains, sensitive information such as students’ behavior and participation patterns also may be included in files outsourced to third-party data firms and potentially distributed more widely to additional companies without parental consent.
Such loss of parental control over their child’s educational records and performance information could have longstanding consequences for the future prospects of students.
Recent changes to the Family Educational Rights and Privacy Act (FERPA) permit “schools to share student data, without notifying parents, with companies to which they have outsourced core functions like scheduling or data management,” according to the Times article. The infomation shared with private companies mayr vary from infomation such as grades, test scores, and attendance records, to other sensitive data such as disability, family relationships, and
In an effort to understand the Department’s views on the impact of increased collection and distribution of student data on their privacy, I respectfully request that the Department provide answers to the follow questions:
1) In 2008 and 2011, the Department issued new regulations with respect to FERPA that addressed how schools can outsource core functions such as scheduling or data management and how third parties may access confidential information about students. These changes also permit other government agencies that are not under the direct control of state educational authorities, such as state health departments, to access student infomation. Please explain those changes.
a. Why did the Department make these changes?
b. Did the Department perform any analysis regarding the impact of these changes on student privacy? If yes, please provide it. If not, why not?
2) Has the Department performed an assessment ofthe types of infomation that are shared by schools with third party vendors, including but not limited to Contact information, grades, disciplinary data, test scores, curriculum planning, attendance records, academic subjects, course levels, disabilities, family relationships, and reasons for enrollment? If yes, please provide it. If not, why not?
a. Should parents, not schools, have the right to control infomation about their children even when their data is in the hands of a private company?
b. Do you believe that parents should have the right to choose which infomation is shared by schools with third party vendors and which is kept confidential?
In other words, is it the Department’s view that some elements of personal data are more sensitive than others, and therefore deserve greater protections?
2) Has the Department issued federal standards or guidelines that detail what steps schools should take to protect the privacy of student records that are stored and used by private companies? For example, are there guidelines about access to the information, how long it can be retained, hcw it will be used, whether it will be shared with other parties (including but not limited to colleges to which students apply), and if it can be sold to others? lf yes, please provide those standards 0r guidelines. If not, why not and will the Department undertake the development and issuance of such guidelines?
4) Are there minimization requirements that require private companies to delete information that is not necessary to enhance educational quality for students?
5) Do students and their families continue to have the right to access their personal infomation held by private companies as they would if their personal information were held by educational institutions? If yes, please explain how students and families may exercise this right and how they should be informed of the existence of this right. If not, why not?
6) While there are significant potential benefits associated with better collection and analysis of student data, does the Department believe that there also are possible risks when students’ personal infomation is shared with such ñrms and third parties? If yes, what is the Department doing to mitigate these risks? If not, why not?
7) Does the Department require entities that access student data to have security measures in place, including encryption protocols or other measures, to prevent the loss of or acquisition of data that is transferred between schools and third parties? What security measures does the Department require that private companies have in place to safeguard the data once it is stored in their systems?
8) Does the Department monitor whether these third parties are safeguarding students’ personal infomation and abide by FERPA or guidelines released by the Department? If yes, please explain. If not, why not?
Thank you for your attention to this important matter. Please provide written responses to these questions no later than November 12, 2013. If you have any questions, please have a member of your staff contact Joseph Wender on Senator Markey’s staff at 202-224-2742.
Edward J. Markey
United States Senator
Thank you, Senator Markey.