Friday, September 18, 2015

As School Year Starts, Think about Student Data Privacy

 Update: Great suggestion from reader MammaHynkel  on how to proceed with your child's FERPA form (if you want as little data going out as possible):

I read through familypolicy.ed.gov about FERPA and I read:
"FERPA requires that a consent for disclosure of education records be signed and dated,
specify the records that may be disclosed, state the purpose of the disclosure, and
identify the party or class of parties to whom the disclosure may be made."
So I am choosing to interpret on the Pre-K to 8 FERPA Form authored by SPS that:
Under FERPA, SPS may release "directory" information to anyone, including but not limited to parent-teacher organizations, the media, colleges and universities, military [recruiters], youth groups and scholarship grantors, unless you notify SPS in writing that you do not want the information released.
I'd amend the form by replacing the period ending text to the right of Box B with a comma, and " and except as outlined in the attached letter." 

Then I'd attach the letter with my conditions, sign it, mark Box B, and fill in the rest of the FERPA PreK-8 form, and have my tot return it to the school. Hence I would meet FERPA requirements.

end of update

From a group I belong to (and you should, too), Student Privacy Matters:

Five principles to protect student data privacyThe Parent Coalition for Student Privacy believes that the following five principles should be incorporated in any law or policy regarding the protection of personal student data in grades preK-12.  After   students reach age 18,  all these rights, including those related to notification and consent,  should devolve to them:


  • Transparency: Parents must be notified by their children’s school or district in advance of any disclosure of personal student information to any persons, companies or organizations outside of the school or district.
All disclosures to third parties should also require publicly available contracts and privacy policies that specify  what types of data are to be disclosed for what purposes, and provide a date certain when the data will be destroyed.

  •  No commercial uses: Selling of personal student data and;or use for marketing purposes should be banned.  NO advertising should be allowed on instructional software or websites assigned to students by their schools, since ads are a distraction from learning and serve no legitimate educational purpose.
While some of the current bills ban “targeted” ads, others ban targeted ads except for those derived from a student’s one- time internet use.   But how can any parent know whether an ad displayed to their children was based on data-mining their child a single time or over a longer period?

  •  Security protections:  At minimum, there must be encryption of personal data at motion and at rest, required training for all individuals with access to personal student data, audit logs, and security audits by an independent auditor.   Passwords should be protected in the same manner as all other personal student information.
There must be notification to parents of all breaches, and indemnification of the same.
No “anonymized” or “de-identified” student information should be disclosed without verifiable safeguards to ensure data cannot be easily re-identified.

  •  Parental/ student rights: NO re-disclosures by vendors or any other third parties to additional individuals, sub-contractors, or organizations should be allowed without parental notification and consent (or students, if they are 18 or older).
Parents must be allowed to see any data collected directly from their child by a school or a vendor given access through the school, delete the data if it is in error or is nonessential to the child’s transcript, and opt out of further collection, unless that data is part of their child’s educational records at school.

Any data-mining for purpose of creating student profiles, even for educational purposes, must be done with full parental knowledge.

Parental consent must be required for disclosure of personal data, especially for highly sensitive information such as their child’s disabilities, health and disciplinary information.

  •  Enforcement :  The law should specify fines if the school, district or third party violates the law, their contracts and/or privacy policies; with parents able to sue on behalf of their children’s rights as well.
Without strong enforcement provisions, any law or policy protecting student privacy is likely to be ignored.

Editor's note: SPS does not have strong enforcement - it's more like "if you break these rules, no more data for you."  That's not enforcement.  

11 comments:

MammaHynkel said...

I had to create four accounts for my tot just so s/he could follow a school course Instagram account.
I am not comfortable with my kid using existing email and socmedia accounts for SPS activities, other than direct communications with staff, exactly because of data mining from third-party providers and privacy breaches beyond my control. Instagram has a binding arbitration clause in its terms of use, which I'm not happy about, but as opting out would require a mailing address and real name, my kid's using an alias.

Anonymous said...

On a related note - discussed on another thread - FERPA form in new this year- Opting out by not consenting to release of student information means student name and photo can't be included in their school yearbook.
So SPS is making it so your kid can't have an innocent photo with their name and class in a yearbook thats distributed at your own school unless you also allow them to give your kids (and therefore your) name, address, contact details, photo, grade, employment status, awards, sports teams, etc to ANYONE, including, but NOT LIMITED TO the media, colleges, military recruiters, youth groups?!!! Cause that is like, totally the same thing, right?!
This was never the case before - i have always checked the 'no' box and my kids have always been in the yearbook. Last year, I recall there was a supplementary form that came from the school to allow to us opt in to have yearbook name/photo only but word has it that this is not longer going to happen, schools have been told not to give out supplementary forms.
Discuss......

Annoyed

Melissa Westbrook said...

I was told this was a principal option so ask your principal.

I will, once again, ask SPS for clarification.

MammaHynkel said...

I read through familypolicy.ed.gov about FERPA and I read "FERPA requires that a consent for disclosure of education records be signed and dated,
specify the records that may be disclosed, state the purpose of the disclosure, and
identify the party or class of parties to whom the disclosure may be made."

So I am choosing to interpret on the Pre-K to 8 FERPA Form authored by SPS that Under FERPA, SPS may release "directory" (almost wrote 'dictatory' -- good one, MammaHynkel) information to anyone, including but not limited to parent-teacher organizations, the media, colleges and universities, military [recruiters], youth groups and scholarship grantors, unless you notify SPS in writing that you do not want the information released.

I'd amend the form by replacing the period ending text to the right of Box B with a comma, and " and except as outlined in the attached letter." Then I'd attach the letter with my conditions, sign it, mark Box B, and fill in the rest of the FERPA PreK-8 form, and have my tot return it to the school. Hence I would meet FERPA requirements.

Lynn said...

The Gates Foundation has generously provided a grant to create a multi-district Community Based Organization data portal so that if a student moves from one district to another, CBO's in their new district can access their personal information.

Awesome.

http://sps.ss8.sharpschool.com/UserFiles/Servers/Server_543/File/District/Departments/School%20Board/Friday%20Memos/2015-16/September%2011/20150911_FridayMemo_PartnershipUpdate.pdf

Melissa Westbrook said...

MammaHynkel, thank you for this - I'm going to put it in the update of this thread.

Kathy Barker said...

The only way I can see that the SPS FERPA form changed this year is that the form no longer has to be filled out every year.
What is the difference?

I would like to point out that the FERPA form specifies that recruiters can talk to students in schools, whether the FERPA form is checked on the c box (to decline information to the military). This is not true- no student has to have a conversation with a recruiter under any circumstances unless it is their own choice on the 2x a year military recruiter visits.

In addition, all students, even those under 18, can sign the No Child Left Behind military opt-out, and refuse to have their information sent to the military. This is empowering for students, and this should be brought to all students' attention by parents.

Here is the letter that Garfield High School PTSA sent to all students last year:


Military Recruitment Opt-Out Advisory

Each October, the School District sends a list of high school students and their contact/directory information to the U.S. military, who can use it to contact students at home. The School District WILL send your student’s information to military recruiters unless you say NO (opt-out).

If you DO NOT WANT your student’s contact/directory information sent to military recruiters, you MUST fill out the following two forms (the forms are among the materials that the School District puts in your First Day Packet):

FERPA form [SEATTLE PUBLIC SCHOOLS (SPS) – NOTIFICATION OF RIGHTS UNDER THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) and OPTOUT FORM]
ALL high school parents/guardians (or students over 18) should:
Sign page 2 of the FERPA form and
Check box A, B, or C to indicate where they will allow student contact information to be sent. (Check C to withhold contact/directory information from military recruiters.)

NCLB form [LETTER FROM SEATTLE PUBLIC SCHOOLS]
Parents/guardians or students of any age should sign this letter if they do NOT want their contact/directory information given to military recruiters.

Questions? Please contact PTSA Military Recruiting Monitor Kirsten Rooks kwrooks@gmail.com.

Melissa Westbrook said...

Posted for DW:

I had to create four accounts for my tot just so s/he could follow a school course Instagram account.

What kind of accounts (email?), and does your child's school requirethe use of Instagram? I'm pretty sure that is seriously in violation of SPS legal/tech policies. Worth a quick call to legal.

I am not comfortable with my kid using existing email and socmedia accounts for SPS activities, other than direct communications with staff, exactly because of data mining from third-party providers and privacy breaches beyond my control.

Good for you for paying attention. But I'm curious how using these kinds of accounts "for SPS activities" is any worse than using them for any activities in general? Those accounts (like gmail and Instagram) are deeply mined by the corporate owners every instant they're used, and it's nearly impossible to use them anonymously. "Direct communications with staff" will almost always use real names and personal information, so they will be trivially attached to the individual kids without any effort at all, but these companies make their $billions by building profiles of individuals, so there's huge incentive for them to be very good at figuring out who's who in other cases.

For example, be careful if you're using 4 different accounts in order to try to keep separate activities from being correlated. One of the things the email and social-media companies excel at is figuring out how to correlate activity from different accounts to marry them together. Simply using multiple accounts with different fake names doesn't usually work very well, unfortunately.

Anonymous said...

Melissa - any more info on FERPA and principal discretion? I saw that Salmon Bay still either has the old form or decided to modify their form to allow for the no release except for some situations.

Kathy - in year's past for K-5 and K-8s there was an option to check option B/no release, but then check additional boxes allowing for info in the yearbook and school directory. Now it's either yes release (A) or no release (B). Annoying, of course, because as Annoyed says above, it's totally the same thing to allow your kid to be in the yearbook and allow blanket release of details to "anyone, including but not limited to…"

parent

Anonymous said...

Our principal referred us to the SPS Central Office for questions about the FERPA form. Does anyone have a suggestion of which person or department might be best to address this to?

- NE Seattle parent

Anonymous said...

I don't understand why SPS is bullying parents into disclosing their kids' info in this way. My students very much want to be in their yearbooks, but I don't want this info disclosed to outside entities. Where's the common sense here? Very frustrated trying to reach a person at the SPS Office of Communications (ironically, they are inaccessible by phone), and sent an email with this question:

I would like to find out if I am reading the new FERPA opt out form correctly. It appears to say that if I choose to not have my students’ directory information shared with outside parties such as the U.S. military, then my students’ cannot be in their school yearbooks. Is this correct?

Parent