Tag Archives: privacy

Stranger, you missed something important

Some of the biggest privacy news in Seattle broke last week . . . just in time for everyone to be completely distracted by the Christmas holidays. To recap, our local radio station KUOW reported that our state’s education department had offered to give our local newspaper an enormous slew of confidential student data. Like this:

Any personally identifiable student or staff-related information, including, but not limited to (a) student names, (b) the name of a staff/student’s parent or other family members, (c) staff/student addresses, (d) the address of a staff/student’s family, (e) personal identifiers such as a social security number or student number or staff/certification number, (f) personal characteristics that would make a staff/student’s identity easily traceable, (g) any combination of information that would make a staff/student’s identity easily traceable, (h) test results for schools and districts which test fewer than ten students in a grade level, and (i) any other personally identifiable information, or portrayal of staff/student related information in a personally identifiable manner.

There was a later clarification from KUOW that the data would in fact be de-identified. That is, the state would remove names, dates of birth, and Social Security numbers before giving the data to the Times. Anyhow, that’s what the state told us after the news broke.

Curiously, our local newspaper didn’t cover the story. Hmm, I wonder why? Fortunately, the Stranger, our independent weekly, did cover it. Unfortunately, it missed a few crucial points.

First, it reported that de-identified data would be shared, without mentioning that the agreement had originally been for the whole kit and caboodle. The agreement that’s linked to the KUOW article, and it says:

The purpose of this Agreement is to authorize the release of student and teacher information . . .

The Seattle Times may request access to and limited use of information contained in student assessment as well as other confidential data for the purposes stated in this Agreement.

Second, it didn’t mention the flaw with de-identified data: it is very, very easy for that data to be re-identified.

How come? My guess is that the Stranger’s reporters were just as confused as the rest of us. As I mentioned in my post on the Aqueduct Press blog, the kinds of privacy violations that are happening today are confusing. There is a big, big need for lots of people to become informed, and fast. Once data is released, that’s it. The cow’s out of the barn. (That’s kind of true. It depends on who is getting the data, how likely they are to share it with others both legally and illegally, and who they might be sharing it with.)

Where to start, where to start? Well, read the federal privacy law. Not a summary, but the actual law. Set aside some time for this, OK? In my opinion, it’s deliberately misleading. On top of that, sadly, trusted groups like the PTA are distributing privacy information that omits key facts. If you just have a minute for now, look at the parts that say “non-consensual.”

Also, stay up to date by reading the blogs Save Seattle Schools and Seattle Education. They have excellent analysis on all this stuff.

Stay tuned, folks! This isn’t the first privacy violations our students are facing, and it won’t be the last.

Advertisements

Strange times to raise children

This week we found out that the state had agreed to hand over all kinds of confidential data to our local newspaper, so they could get grant money from a nonprofit funded by our local billionaire to help further his political goals. I wrote about some of the ramifications on the Aqueduct Press blog.

Parents, who’s got your kids’ student data?

Schools collect a whole lot of information about their students: demographics, grades, test scores, special education status, discipline information, medical information, and lots, lots more.

What’s their privacy policy?

Ask.

Seriously. Because they’re not going to tell you, unless you ask, that they can and do disclose personally identifiable information to the private sector.

I covered the “can” in another post, What are our students’ privacy rights, really? The short version is that recent changes to the federal privacy law (FERPA) allow schools to disclose personally identifiable information to “school officials” without parental consent, with “school officials” being defined to include people in the private sector.

Here is the “and yes, they do” bit. And yes, they do, without even telling you. If you are a parent with a child at any of these schools, your child’s data has been released to the Community Center for Education Results. It’s for a research study aimed at increasing the number of kids ready for college in South Seattle and districts farther south in King County. 

Schools whose data was released:

  • Aki Kurose Middle School
    Arbor Heights Elementary School
    Beacon Hill International School
    Brighton Elementary School
    Cleveland High School
    Concord Elementary School
    Dearborn Park Elementary School
    Denny Middle School
    Dunlap Elementary School
    Emerson Elementary School
    Franklin High School
    Garfield High School
    Gatewood Elementary School
    Gatzert Elementary School
    Graham Hill Elementary School
    Hawthorne Elementary School
    Highland Park Elementary School
    John Muir Elementary School
    Kimball Elementary School
    Leschi Elementary School
    Madrona
    Maple Elementary School
    Mercer Middle School
    Orca @ Whitworth
    Rainier Beach High School
    Roxhill Elementary School
    Sanislo Elementary School
    Sealth High School
    Secondary Bilingual Orientation Center
    South Lake High School
    South Shore K-8 School
    Thurgood Marshall Elementary
    Van Asselt Elementary School
    Washington Middle School
    West Seattle Elementary School
    Wing Luke Elementary School

And here is a link to the authorization form signed by a previous interim superintendent, Susan Enfield, in October of 2011. It authorizes the state Office of Superintendent of Public Instruction (OSPI) to release data from the 2009-2010 school year through the 2011-12 school year such as:

  • student and staff schedules
  • student enrollment and demographic information, including special programs information
  • state test data
  • student grades

If it had been available, student discipline data would also have been included.

Was it a good thing to release this data? Do the benefits of the research outweigh the privacy concerns? Was there a need to release personally identifiable data (as opposed to de-identified data)? Were enough safety precautions taken with the data? 

I don’t know, I don’t know, I don’t know, and I don’t know.

But I do think that parents should have had the opportunity to decide whether or not this was an appropriate release of information. However, they weren’t even notified. Nor are they being notified about the follow-up data release authorized by current superintendent Jose Banda in Sept 2012. It permits release of data through the 2019-20 school year.

Nor are they being notified that Seattle Public Schools is telling third-party organizations that they can get access to private student data. In this Power Point presentation, the district explains that they will share data as allowed by FERPA to “school officials” including “third parties to whom the school or district has outsourced institutional services or functions.”

What about the security of data, when it’s shared? The SPS Best Practices are woefully inadequate. For example: “Never send your student level data through email without it being password protected.” Sorry, but password protection just doesn’t cut it.

Have there been other releases of information?

I don’t know the answer to that, and this worries me.

What are our students’ privacy rights, really?

As a parent, I want to know that my children’s information is kept private. I tell them not to put their birthdates on any Web pages that ask for them, I keep their names out of this blog, and I have filled out FERPA opt-out forms to prohibit disclosure of student information.

But there are some things I can’t control, and information given away by my child’s school to the private sector is one of them. That’s because of recent changes to the federal privacy law (FERPA). These changes were made right around the time that it became possible to build massive databases of student data — databases that can be shared across states and over the life of my child, from cradle to grave. Let’s take a quick look at the law, to see where the weaknesses are.

A summary of the FERPA law is available here. It tells when schools need permission to disclose information, and when they don’t.

  • Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):

    • School officials with legitimate educational interest;
    • Other schools to which a student is transferring;
    • Specified officials for audit or evaluation purposes;
    • Appropriate parties in connection with financial aid to a student;
    • Organizations conducting certain studies for or on behalf of the school;
    • Accrediting organizations;
    • To comply with a judicial order or lawfully issued subpoena;
    • Appropriate officials in cases of health and safety emergencies; and
    • State and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

Note that organizations conducting studies on behalf of the school can get access to this data, and it’s nonconsensual — meaning that parents can’t opt out.

There’s also a little something in there that’s extremely misleading. School officials can get access. That’s reasonable, right? But wait — how are “school officials” defined?

For that, we have to check out the actual text of the law (20 U.S.C. § 1232g; 34 CFR Part 99). Under paragraph 99.31, it says, “A contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party—”

(It goes on to list the specific conditions that have to be met.)

That’s awfully misleading.

There are also conditions under which this information can be redisclosed by “school officials” to other parties. That gets tricky and complicated.

Paragraph 99.33(a)(1) says:

An educational agency or institution may disclose personally identifiable information from an education record only on the condition that the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the parent or eligible student.

That makes it safe, right?

Oops, no. Paragraph 99.33(b)(1) says:

Paragraph (a) of this section does not prevent an educational agency or institution from disclosing personally identifiable information with the understanding that the party receiving the information may make further disclosures of the information on behalf of the educational agency or institution if—

To make a long story short, there are times where a school can disclose personally identifiable information, such as social security numbers, to third parties in the private sector, and then those third parties can then disclose this information to somebody else. And this can be done without parental consent.

Even worse: if you dig into some other privacy laws, such as those protecting medical information and those protecting students with disabilities, you’ll find that they all point back to the FERPA law. This means that information can be shared to third parties as well.

Now we know this can be done. But is it?

The long answer is a subject for another post. But the short answer is “yes.” There have been different releases for different regions of the U.S. In the Puget Sound region (Washington State), this data has been released to a nonprofit called the Community Center for Education Results for all students attending in public schools residing in these areas:

Image

If you live in any of the affected areas and want to know more, post a comment and I’ll get back to you.

How to check out a nonprofit, part two

In yesterday’s post, “How to Check Out a Nonprofit”, I showed how to find out who’s calling the shots. The board of directors makes the strategic plan, which must be in line with the funders’ wishes. Why? Because a nonprofit lives or dies by its funders. I’ll go through this one more time, adding a couple other details.First a caveat: know when to stop. There is so much information out there that you could spend an infinite amount of time investigating a nonprofit or looking at the various connections between the nonprofit sector, billionaire foundations, and corporations. Don’t do that.

Let’s look at the National PTA today. They partnered with the nonprofit DQC to put out a white paper called “What Every Parent Should Be Asking about Education Data and Privacy.” It was extremely reassuring and evaded the real questions, like “what exactly do the federal privacy laws allow, and what don’t they?” It turned out that DQC is funded and directed by corporate interests who stand to make a profit off student data.

Why would the National PTA partner with them?

The National PTA does a lot of good. It’s a powerful voice for children. It’s mission has maybe changed a little recently, though. Their new motto, “Every Child, One Voice,” is a little concerning. Aren’t there a whole lot of voices with conflicting ideas about what constitutes a good education? In particular, there’s the question over whether our schools should be privatized. Some parents think yes, some think no.

Who funds it?

The National PTA is funded partly by its members and partly by its sponsors. It’s accountable to both its members and its sponsors. By and large, the sponsors support privatization, and that’s enough to tip the balance. The sponsors are:

  • AXA Equitable
  • Jamba Juice
  • Lifetouch
  • Promethean
  • Target

Two jump out. Promethean is “a leading education company committed to developing interactive learning technologies that inspire teachers and engage students.” They have a business interest in big data.

And then there’s Target. I shop there sometimes. I see the big sign that says it gives back 5 percent of its income to local communities. It doesn’t say that it gets power and influence by doing so. Now, didn’t we see Target somewhere before? Oh yes, they are also a funder of DQC, which coincidentally authored the white paper with the PTA.

Who’s on the board of directors?

Looking at the board of directors, I see a lot of people doing a lot of good. Big shout-out to Laura Bay, who as head of the Washington PTA supported the “Simple Majority” initiative, which made it easier for local communities to pass school levies.

The president, elected just this year, is a little unusual. Usually you see people with a background in education.  But President Otha Thornton has a military background. From his bio:

He is a retired United States Army Lieutenant Colonel and his last two assignments were with the White House Communications Agency and United States Forces-Iraq in Baghdad. Thornton earned the Bronze Star Medal for exceptional performance in combat operations during Operation Iraqi Freedom 2009-2010.

The military hasn’t got an interest in the PTA, has it?

He is also currently a senior operations analyst with General Dynamics in Fort Stewart, Georgia. Well, what do they do? Oh, they’re a defense contractor. They have an Information Systems and Technology group, which works with “defense, intelligence, homeland security, civilian government and commercial sectors.” Oh.

I don’t have any time to look into this further. My kids need breakfast. Remember what I said earlier? Know when to stop.

But I promised to show to more ways to investigate nonprofits: their annual report and their IRS tax form (Form 990). Sometimes these are hard to find or unavailable online. New nonprofits aren’t required to file Form 990 for three years. But it’s worth taking a look. Sometimes you find out that a small nonprofit suddenly got a big influx of cash, and its mission changed.

The National PTA has a page for annual reports and financials. It links directly to their 990 form and their annual report.
You can also find the 990 form really easily by going to the Foundation Center’s “990 Finder”  page and typing in the official name of the organization. In this case it isn’t “National PTA,” it’s the “National Congress of Parents and Teachers”. Type that into the “Organization Name” box and there you go!

They did have a jump in income between 2009 and 2010, from 16.7 million to 24.3 million dollars in total assets. Somebody started giving them cash.

Checking their 2009 and 2010 annual reports, I see a big change. In 2010, for the first year, their annual reports got glossy and colorful. The annual reports don’t show the jump in income, so I can’t tell right off the bat where it came from. If I had more time, I could figure it out.

But it’s time for breakfast!

One positive sign: it looks like they take in more cash from members from sponsors. That means that in theory they are more accountable to the members. But that depends on people keeping a really close eye on them. And this is how to do it.

So that’s how to check out a nonprofit.

Also see: