Some of the biggest privacy news in Seattle broke last week . . . just in time for everyone to be completely distracted by the Christmas holidays. To recap, our local radio station KUOW reported that our state’s education department had offered to give our local newspaper an enormous slew of confidential student data. Like this:
Any personally identifiable student or staff-related information, including, but not limited to (a) student names, (b) the name of a staff/student’s parent or other family members, (c) staff/student addresses, (d) the address of a staff/student’s family, (e) personal identifiers such as a social security number or student number or staff/certification number, (f) personal characteristics that would make a staff/student’s identity easily traceable, (g) any combination of information that would make a staff/student’s identity easily traceable, (h) test results for schools and districts which test fewer than ten students in a grade level, and (i) any other personally identifiable information, or portrayal of staff/student related information in a personally identifiable manner.
There was a later clarification from KUOW that the data would in fact be de-identified. That is, the state would remove names, dates of birth, and Social Security numbers before giving the data to the Times. Anyhow, that’s what the state told us after the news broke.
Curiously, our local newspaper didn’t cover the story. Hmm, I wonder why? Fortunately, the Stranger, our independent weekly, did cover it. Unfortunately, it missed a few crucial points.
First, it reported that de-identified data would be shared, without mentioning that the agreement had originally been for the whole kit and caboodle. The agreement that’s linked to the KUOW article, and it says:
The purpose of this Agreement is to authorize the release of student and teacher information . . .
The Seattle Times may request access to and limited use of information contained in student assessment as well as other confidential data for the purposes stated in this Agreement.
Second, it didn’t mention the flaw with de-identified data: it is very, very easy for that data to be re-identified.
How come? My guess is that the Stranger’s reporters were just as confused as the rest of us. As I mentioned in my post on the Aqueduct Press blog, the kinds of privacy violations that are happening today are confusing. There is a big, big need for lots of people to become informed, and fast. Once data is released, that’s it. The cow’s out of the barn. (That’s kind of true. It depends on who is getting the data, how likely they are to share it with others both legally and illegally, and who they might be sharing it with.)
Where to start, where to start? Well, read the federal privacy law. Not a summary, but the actual law. Set aside some time for this, OK? In my opinion, it’s deliberately misleading. On top of that, sadly, trusted groups like the PTA are distributing privacy information that omits key facts. If you just have a minute for now, look at the parts that say “non-consensual.”
Stay tuned, folks! This isn’t the first privacy violations our students are facing, and it won’t be the last.