I am still gathering information about how you can directly complain to various agencies including OSPI, DOE and the Washington Bar Association. I hope to get that thread info by Monday.
First, the district has created a webpage on the issue, Student Information Protection.
It has the Superintendent's latest letter to the entire SPS community which includes this:
The student information that was given to a parent by mistake includes directory information on over 7,400 students, including date of birth, grade and school assignment. The files also include student identification numbers, special education assignments, disability categories and special education transportation information. We believe this information includes substantially all of the special education students in the district.
In addition, some data on Roosevelt High School students was released. That information, for smaller numbers of students, includes discipline data, test results, service models and scholarship information. At this time, we are not aware that any information was disclosed about general education students who do not attend Roosevelt. The district continues to review all files disclosed by the law firm.
- it was nearly all the Sped students in the district
- it did include some General Ed students at Roosevelt
- it states that "we have severed our relationship with the law firm in handling this case." In the DOE letter (referenced below), the district says they are going to sever their relationship in total with the law firm (who, according to published reports, has done business with the district for a decade).
- if you are a Roosevelt parent, I would ask for information on my student, whether using Sped programs or not.
Also on the webpage is their notification to the DOE on November 17th (partial):
We are still reviewing the facts of the disclosure, but based on our review thus far, it appears that the Firm failed to examine the attachments to emails it received from the District for review, and/or believed the links to the attachments in those emails had been disabled before the emails were electronically provided to the Guardian. The attachments include many spreadsheets that contain information about various students, including the Student. As a result of the failure to review and/or disable the attachments, other students' information was inadvertently provided to the Guardian.
The above paragraph makes apparent that there is blame to be shared and still one burning question.
The district says "the Firm" failed to examine the attachments but why did the district send unredacted files at all on so many students? That's the two-fold burning question.
The "Firm" was supposed to check if they were redacted and/or if the attachments were enabled? Because the district makes it sound like the only reason the law firm had the files was to answer the guardian.
Who didn't read the guardian's request properly OR possibly decided to tsunami him with documents?
- there were just two dates (at this point) that the law firm sent out files to the guardian of the student in question - Nov 7th and Nov 11th.
- the DOE letter says that the district had asked for the records back/destroyed from the guardian but he refused. They went to court over this and I was told today that yes, the Court ordered the guardian to destroy the data.
- the district told the DOE it "has notified all families in the District of this inadvertent disclosure." That is not what I was told by Communications nor is it what the Superintendent said at the Board meeting Wednesday.
1. We are using email notification because getting the information out to as many parents in the fastest way possible was important.
2. We have created a web page to house the latest information and updates. We will be promoting it through all of our communication channels in order to try and reach families that don’t have email or haven’t signed up for email communication.
3. The district is reviewing the data that was released in order to identify the appropriate parents/families to follow up with through direct communications (depending on what contact information is available – could be phone, email or letter)
That sounds to me like all families may NOT have been notified.
The Superintendent said at the Board meeting that they had sent notice to all families electronically, which, again, does not mean all families have been reached.
I have to wonder if the district is being slower than they should because it's just one person who has/had the data? Would they be moving faster if it was a hacker? Hmm.
Newest letter from Superintendent to families:
As indicated in our last two letters to parents, our outside law firm mistakenly released records on more than 7,400 Special Education students district wide as well as records on regular education students from Roosevelt High School.
Since that time we have taken the following actions:
- Terminated the law firm working on this case
- Sent a preliminary letter to you indicating the kinds of records released by mistake
- Gone to court to recover the records from the one individual who has them
Again, there is no indication the student information has been given to any other individuals.
The district has also been working to identify the specific information released for each individual student. This will take some time to review these records, student by student.
We are also working to prevent such errors in the future. Several departments met today to discuss steps to prevent inappropriate releases in the future.
You can find updates and additional information as it becomes available at: http://bit.ly/
I apologize again for this error. I sincerely regret the disclosure of personal and sensitive student information.
Dr. Larry Nyland