Update on What You Can Do if Personally Affected by SPS Data Breach

I've made queries in several directions; one was to OSPI.  Here's what they have to say:

Can parents file a complaint thru OSPI or just DOE? If parents can file a complaint with OSPI, what is the process?  What could be the outcomes for the district?

The complaint process you identify (in sec. 300.151) refers to a citizen complaint, which is a written statement to OSPI alleging that a federal or state special education rule or law has been violated by a school district, among others. The citizen complaint process is defined by federal law, and all states are required to have one in place as a condition to receiving IDEA Part B grant funding. The U.S. Department of Education does not have a similar process of its own for special education complaints.


Has OSPI seen a case like this before involving a legal case and student data at a law firm?

To the best of our knowledge, we have not.

Is there any kind of regs/rules that any entity receiving student data from a district should check to make sure it IS the data that was asked for and/or that it has been properly redacted before releasing out on discovery?

Under the federal FERPA rules, outside contractors with legitimate educational interest in a student record can be considered “school officials” for purposes of the FERPA privacy rule, and may obtain copies of the records without parental consent in certain situations. But these officials are subject to all of FERPA’s limitations regarding the disclosure of personally identifiable student information. So, generally speaking, they should be aware of FERPA’s rules and best practices.

Does OSPI have any kind of statement in specific on this case and/or about student data and the handling of it by districts?

No.

End of statement by OSPI

I do find that reply to the FERPA question interesting because OSPI is saying the law firm should have known these limitations and "best practices."  It would seem whether or not the district is the law firm's client (and has lawyer-client privilege), the law firm may be responsible to have followed FERPA guidelines.  

Comments

Anonymous said…
There is no legal NEED for the 3rd party to have my students SPED information period. OSPI is wrong about this. The request was for information specific to a single RHS student, not the entire SPED population. Think about it, if OSPI was correct that would mean 3rd parties could be sent every bit of SPS student information for any issue they are working on. Usually lawyers will go to the district and review large amounts of sensitive information to prevent any possibility of inadvertent release, like having a laptop stolen. Also if they believe we parents are de facto lawyers then any of these reported onesy twosy FERPA violations would in fact NOT be FERPA violations.

connect the dots
Anonymous said…
I almost forgot, Thank you Melisa for not lettering this issue get swept under the SPS rug!

Oh OSPI said "To the best of our knowledge, we have not."

Nor have they seen such a dysfunctional district when it come to SPED!

SPS is setting many FIRST lately.

connect thedots
SPS dad said…
From SPS' communication team, appears the fault lies with the law firm. Just not sure why they would have ever sent out all the data. What other confidential info is being sent out?

We have received confirmation from the offending law firm of exactly which documents were shared. We are preparing communications to families with students in the district as well as specific communications to those families who were involved in the data breach. I sincerely hope I receive the information from legal in the next two days to contact families. Thank you for understanding our need to be certain of exactly what information concerning which students was compromised so we’re not sharing incorrect information.

 

And yes, you can be assured that actions are being taken against the law firm and systems reviews are taking place internally.

 

Best,

 

Communications Team
Anonymous said…
SPS dad, where are you getting this information? It is not terribly coherent. Please clarify.

Reader
SPS dad said…
First paragraph is mine the second two are from the communications team at seattle public schools. It is in response to an email I sent questioning how I might be contacted if my child's info was released and if anyone was going to be held accountable.
mirmac1 said…
SPS Legal, as usual, is pointing to everyone but themselves: "It's the law firm!" "It's the recipient!" If that were so, then why has SPS been faulted by OSPI on this matter twice? No, the fault lies at JSCEE, Floor 3.
SPS dad said…
I just don't understand why send so much sensitive information off of the districts servers in the first place! I would have thought there would be a couple firewalls and access only via VPN not just fly it off via email. Again many of these students have had diagnosis shared and for what purpose? If it was a fact dump there is certainly reason to question who perpetrated that dump and if it is one of Ron English's team they should be held accountable (fired) right? If it is Dewey Cheat and How then I will certainly participate in any legal action to gain retribution. Assuming my child's information was shared... Which it was based on the description of who was betrayed by this action.

Anonymous said…
The information was widely shared across the district via email. At this time it's unclear if each of the district recipients had a legitimate business need to receive it. It's also unclear if one or more of the recipients forwarded the information out off of the district's email server.

It is also unclear if any other entities inadvertently received the information as part of another case.

I do know SPS did not have parental authorization to share any of the HIPPA or PII or PHI information with any 3rd party service provider and is struggling to come up with it legal authorization for doing so.

connect thedots
Anonymous said…
WHO got my kid's info?

I get the law firm as been fired, but which lawyer actually had my son's info?

Name, please?

And, who did this law firm to over my kid's info to? Name please?


And WHY did SPS release my kid's name and diagnosis to a third party law firm in the first place?

Who did that, did that mass release? And, did they get fired?

I am so pissed and frustrated. SPS glass palacers are so fundamentally untrustworthy.

And yet, other than calling the persons who are not SPS and yet have my child's sensitive, personal and private info, there really is nothing I can do.

It is like, how many insults can they add to injury (because it is not like they respect his IEP anyway)?

And the new head of SpEd gave SpEd students and families a hard time at Hay, and now she is the boss lady? It never bleeping ends. Nightmare.


Livid
Anonymous said…
It's time to lawyer up. Maybe if we keep Ron busy he won't be able to do any more damage.

Ron mustgo

I have stated this before and this is the last time - Preg O'Donnell & Gillett is the law firm.

I cannot tell you all those answers.

I would suggest asking the SPED PTA if they could ask for a meeting with the head of Sped/Ron English for clear answers on these questions.
Anonymous said…
Here is an example of a Citizen Complaint, replace the bold text with your information

Your name address phone ect. Your students name and make sure to sign your name.
FAX it to OSPI and SPS at the fax numbers below.










John Q Public November 18, 2013
111 W 14th St
Seattle, WA 98111
206-222-2222



Attn: Special Education
P.O Box 47200
Olympia, WA 9504-7200
Fax: (360) 586-0247

Faxed to the Seattle Public school district office on 11/18/2014 (206) 252-0053

To OSPI investigators,
I am writing to inform you of a situation concerning compliance with FERPA for my Student name here who is attending School in the Seattle School District. On or about November 13th 2014. Seattle Public school or it agents released FERPA protected information to a privet citizen.
It appears this release was the entire roster of special educational students along with IEPs and evaluations for every student with an IEP attending Roosevelt High school in school year 2013-2014.
The Recipient of the information confirmed on local TV on November 15th that my students PII information was included in the information released by the district or it’s consultant Preg O'Donnell & Gillett.

Sincerely,

John Q Public


connect thedots
Anonymous said…
So, I want NAMES of actual, real-live, breathing individuals who were so callus and disregard my son (along with everyone else's sons and daughters). From within SPS and from the Law Firm.



From the Lawyer's web site:
Preg O’Donnell & Gillett’s knowledge of the intricacies of school law and its sensitivity to the practical needs and concerns of the school administrators has created an excellent relationship between school administrators and educational professionals and our firm, allowing us to deliver value and service to districts of all sizes.

Curtis Leonard joined us from his position as in-house counsel for Auburn School District, where he spent five years as In-house Counsel, Director of Legal Affairs and Director of Human Resources for Auburn School District. Prior to that time, he worked in Washington, D.C. handling employment and labor law. Curtis’s practice focuses on day-to-day issues specific to school districts, employment law issues, special education matters, labor law and labor negotiations, and collective bargaining agreements.
Lawyers Practicing School Law
In Seattle:

Lara R. Hruska
Emma O. Gillespie
Curtis M. Leonard
Christine E. Tavares
Mark F. O’Donnell



Do I as an individual have a right of private action again Mr. Leonard for his unethical behavior? He is the apparent team leader of that practice area within Preg. Presumably, they have malpractice insurance. To be clear, I am not interested in money, I am interested accountability and responsibility and genuine remorse.

The other missing piece for me is WHO in SPS doled out this massive amount of info? And, why?





Livid
mirmac1 said…
"And the new head of SpEd gave SpEd students and families a hard time at Hay, and now she is the boss lady?"

That is quite a conclusion. She is not the new head of SpEd. And if she is, then all hell will break loose (as far as I am concerned). This is someone who has no knowledge of SpEd beyond "oh yeah, we had some of them in our building."

I am tired of this crap. There are quality candidates that a) do not require a "nationwide search" and b) actually know SOMETHING about special education. Not to make it some mysterious subject, but it truly requires having lived through the neglect and discrimination many of us often find in buildings.

I wish I could teach each and every family their rights. If I can't, then I'll try to get the district to do so.

At the same time, I don't see how tearing down what we have and replacing it with....Ed Murray...really makes any difference.

This new silo Liaison is worthless unless she has any concept of what buildings must deliver. Based on her tenure at John Hay - I have very low expectations.
Anonymous said…
Livid,

Ronald English, General Counsel
Andrea Schiers, Sr. Ast. General Counsel

Mr. English is the supervising attorney for SPS legal and approves contract service providers (outside counsel), Andrea Schiers is the SPS staff attorney responsible for overseeing this matter and who the paralegal who produced the information at issue. I highly doubt she bothered to know what she was having sent out and in turn failed to tell outside counsel that what they were getting wasn't what was being asked for - it was more. The WSBA holds the supervising attorney - English - responsible for the actions of his subordinate attorneys and paralegal.

- also livid
english must go! said…
English most go then. This is the third time i've written that on this blog. Actually forth but I wrote Irish for some distorted reason.

ENGLISH MUST GO
English Must Go
english must go

lost my yell when I realized it was only me... and Livid.

If you think like YELL back!
incompetentfools said…
How can I find out if my kid's info was released? My kid is at Roosevelt, non-SPED. My understanding is that some RHS student info was released, but how can I find out if my specific kid's was?
Anonymous said…
If want to find out if your students information was included in the SPED FERPA disclosure the best way to know the truth would be to file a citizens complaint with OSPI. OSPI will investigate.

connect thedots
Incompetent Fools, if you didn't get a letter, probably not.

If your child is Sped, call that department and yes, demand an answer.
SPS dad said…
no letter yet and probably so.
Anonymous said…
Funny, I have 2 students with IEPs and did not receive a letter.

However SPS did receive a letter from me, a citizens complaint letter.

SPS FOOLS
Anonymous said…
SPS FOOLS, a citizen 's complaint should go to OSPI, or OCR not SPS. Unless it goes to OSPI, or had the potential to do so... it never happened, according to SPS.

Director 85
Anonymous said…
No, you must send a copy to both OSPI and SPS, trust me I've submitted many CCs.

I was being funny, you know they didnt bother to write be about the FERPA violations, so wrote them..get it?

You must mail or fax the citizen complaint to:

Office of Superintendent of Public Instruction
Attn: Special Education
P.O. Box 47200
Olympia, WA 9504-7200
Fax: (360) 586-0247

—AND—

The school district superintendent or other agency head

https://www.k12.wa.us/SpecialEd/DisputeResolution/CitizenComplaint.aspx

SPS FOOLS
Anonymous said…
I still do not understand what this law firm was doing with all of this information in the first place. The student in question is a high school student in RHS. Why did SPS give details, including bus stops!, about 8,000 students with disabilities? What possible reason is there for this?

Reader
Reader, there are a couple of issues.

Possibly the guardian gave a date for his discovery request and SPS let it get away from them. Then Legal sent masses of info to the law firm which, upon district instruction, sent it to the guardian.

The guardian let them know "wrong stuff for my case and fyi, other students info in there."

He may have made another discovery request. Same thing.

They simply did not give him the info pertinent to his case. Why? Rush, laziness, lack of communication, take your pick.

At the end of the day, somebody didn't care enough about student data privacy.

That's the bottom line.

And apparently, the district doesn't really care enough to notify parents involved because they only tried to contact parents electronically. (That's what Nyland said at the Board meeting.)
Anonymous said…
The district is waiting to send out the FERPA violation emails so they can say "We have retrieved the documents". Today the districts lawyers are going to ask the ALJ to compel the keeper of the documents to return/destroy the documents. I don't believe the ALJ has the authority to compel.

connect thedots

Anonymous said…
What Are the Consequences of Violating FERPA?
The consequences for violating FERPA are serious and include:

Temporary suspension of access
Inability to perform ones work
Possible prosecution under criminal codes
Dismissal or Termination
Loss of Federal funding to the institution

In light of these consequences, access to student records must be used responsibly. On-going training and communication are important.

Should you have questions about what is permitted under the Act, contact the Office of the Registrar or the Office of the General Counsel.

And, as a rule of thumb, remember... If in doubt, don't give it out!

SPS BooBoo
Anonymous said…
PHOENIX – An Arizona lawmaker wants to create state-level penalties for schools that violate a federal law prohibiting them from releasing students’ private information to non-educational entities.

“When we’re going outside the scope of education and giving this type of private information to anybody, it’s really a problem,” said Sen. Kimberly Yee, R-Phoenix.

The federal Family Educational Rights and Privacy Act already prohibits schools from disclosing student records without consent. Exceptions to that rule include schools releasing “directory information” such as students’ names, phone numbers and addresses unless a parent or student signs a non-disclosure form.

Penalties for violating the law can include a school, district or charter losing all of its federal funding.

Under SB 1450, knowingly committing a FERPA violation would cost up to 10 percent of an entity’s monthly state funding disbursement. The cuts would remain in place until the violation is corrected.

SPS BooBoo

Popular posts from this blog

Tuesday Open Thread

Why the Majority of the Board Needs to be Filled with New Faces

Who Is A. J. Crabill (and why should you care)?