Update on What You Can Do if Personally Affected by SPS Data Breach
I've made queries in several directions; one was to OSPI. Here's what they have to say:
No.
Can parents file a complaint thru OSPI or just DOE? If parents can file a complaint with OSPI, what is the process? What could be the outcomes for the district?
The complaint process you identify (in sec. 300.151) refers to a citizen complaint, which is a written statement to OSPI alleging that a federal or state special education rule or law has been violated by a school district, among others. The citizen complaint process is defined by federal law, and all states are required to have one in place as a condition to receiving IDEA Part B grant funding. The U.S. Department of Education does not have a similar process of its own for special education complaints.
Has OSPI seen a case like this before involving a legal case and student data at a law firm?
To the best of our knowledge, we have not.
Is there any kind of regs/rules that any entity receiving student data from a district should check to make sure it IS the data that was asked for and/or that it has been properly redacted before releasing out on discovery?
Under the federal FERPA rules, outside contractors with legitimate educational interest in a student record can be considered “school officials” for purposes of the FERPA privacy rule, and may obtain copies of the records without parental consent in certain situations. But these officials are subject to all of FERPA’s limitations regarding the disclosure of personally identifiable student information. So, generally speaking, they should be aware of FERPA’s rules and best practices.
Does OSPI have any kind of statement in specific on this case and/or about student data and the handling of it by districts?
End of statement by OSPI
I do find that reply to the FERPA question interesting because OSPI is saying the law firm should have known these limitations and "best practices." It would seem whether or not the district is the law firm's client (and has lawyer-client privilege), the law firm may be responsible to have followed FERPA guidelines.
Comments
connect the dots
Oh OSPI said "To the best of our knowledge, we have not."
Nor have they seen such a dysfunctional district when it comes to SPED!
SPS is setting many FIRSTS lately.
connect thedots
We have received confirmation from the offending law firm of exactly which documents were shared. We are preparing communications to families with students in the district as well as specific communications to those families who were involved in the data breach. I sincerely hope I receive the information from legal in the next two days to contact families. Thank you for understanding our need to be certain of exactly what information concerning which students was compromised so we’re not sharing incorrect information.
And yes, you can be assured that actions are being taken against the law firm and systems reviews are taking place internally.
Best,
Communications Team
Reader
It is also unclear if any other entities inadvertently received the information as part of another case.
I do know SPS did not have parental authorization to share any of the HIPAA or PII or PHI information with any 3rd party service provider and is struggling to come up with its legal authorization for doing so.
connect thedots
I get the law firm has been fired, but which lawyer actually had my son's info?
Name, please?
And, who did this law firm turn over my kid's info to? Name please?
And WHY did SPS release my kid's name and diagnosis to a third party law firm in the first place?
Who did that, did that mass release? And, did they get fired?
I am so pissed and frustrated. SPS glass palacers are so fundamentally untrustworthy.
And yet, other than calling the persons who are not SPS and yet have my child's sensitive, personal and private info, there really is nothing I can do.
It is like, how many insults can they add to injury (because it is not like they respect his IEP anyway)?
And the new head of SpEd gave SpEd students and families a hard time at Hay, and now she is the boss lady? It never bleeping ends. Nightmare.
Livid
Ron mustgo
I cannot tell you all those answers.
I would suggest asking the SPED PTA if they could ask for a meeting with the head of Sped/Ron English for clear answers on these questions.
Your name, address, phone, etc. Your student's name, and make sure to sign your name.
FAX it to OSPI and SPS at the fax numbers below.
John Q Public November 18, 2013
111 W 14th St
Seattle, WA 98111
206-222-2222
Attn: Special Education
P.O Box 47200
Olympia, WA 9504-7200
Fax: (360) 586-0247
Faxed to the Seattle Public school district office on 11/18/2014 (206) 252-0053
To OSPI investigators,
I am writing to inform you of a situation concerning compliance with FERPA for my Student name here who is attending School in the Seattle School District. On or about November 13th 2014, Seattle Public school or its agents released FERPA protected information to a private citizen.
It appears this release was the entire roster of special educational students along with IEPs and evaluations for every student with an IEP attending Roosevelt High school in school year 2013-2014.
The Recipient of the information confirmed on local TV on November 15th that my student's PII information was included in the information released by the district or its consultant Preg O'Donnell & Gillett.
Sincerely,
John Q Public
connect thedots
From the Lawyer's web site:
Preg O’Donnell & Gillett’s knowledge of the intricacies of school law and its sensitivity to the practical needs and concerns of the school administrators has created an excellent relationship between school administrators and educational professionals and our firm, allowing us to deliver value and service to districts of all sizes.
Curtis Leonard joined us from his position as in-house counsel for Auburn School District, where he spent five years as In-house Counsel, Director of Legal Affairs and Director of Human Resources for Auburn School District. Prior to that time, he worked in Washington, D.C. handling employment and labor law. Curtis’s practice focuses on day-to-day issues specific to school districts, employment law issues, special education matters, labor law and labor negotiations, and collective bargaining agreements.
Lawyers Practicing School Law
In Seattle:
Lara R. Hruska
Emma O. Gillespie
Curtis M. Leonard
Christine E. Tavares
Mark F. O’Donnell
Do I as an individual have a right of private action against Mr. Leonard for his unethical behavior? He is the apparent team leader of that practice area within Preg. Presumably, they have malpractice insurance. To be clear, I am not interested in money, I am interested in accountability and responsibility and genuine remorse.
The other missing piece for me is WHO in SPS doled out this massive amount of info? And, why?
Livid
That is quite a conclusion. She is not the new head of SpEd. And if she is, then all hell will break loose (as far as I am concerned). This is someone who has no knowledge of SpEd beyond "oh yeah, we had some of them in our building."
I am tired of this crap. There are quality candidates that a) do not require a "nationwide search" and b) actually know SOMETHING about special education. Not to make it some mysterious subject, but it truly requires having lived through the neglect and discrimination many of us often find in buildings.
I wish I could teach each and every family their rights. If I can't, then I'll try to get the district to do so.
At the same time, I don't see how tearing down what we have and replacing it with....Ed Murray...really makes any difference.
This new silo Liaison is worthless unless she has any concept of what buildings must deliver. Based on her tenure at John Hay - I have very low expectations.
Ronald English, General Counsel
Andrea Schiers, Sr. Ast. General Counsel
Mr. English is the supervising attorney for SPS legal and approves contract service providers (outside counsel), Andrea Schiers is the SPS staff attorney responsible for overseeing this matter and who the paralegal who produced the information at issue. I highly doubt she bothered to know what she was having sent out and in turn failed to tell outside counsel that what they were getting wasn't what was being asked for - it was more. The WSBA holds the supervising attorney - English - responsible for the actions of his subordinate attorneys and paralegal.
- also livid
ENGLISH MUST GO
English Must Go
english must go
lost my yell when I realized it was only me... and Livid.
If you think like YELL back!
connect thedots
If your child is Sped, call that department and yes, demand an answer.
However SPS did receive a letter from me, a citizens complaint letter.
SPS FOOLS
Director 85
I was being funny, you know they didn't bother to write me about the FERPA violations, so wrote them..get it?
You must mail or fax the citizen complaint to:
Office of Superintendent of Public Instruction
Attn: Special Education
P.O. Box 47200
Olympia, WA 9504-7200
Fax: (360) 586-0247
—AND—
The school district superintendent or other agency head
https://www.k12.wa.us/SpecialEd/DisputeResolution/CitizenComplaint.aspx
SPS FOOLS
Reader
Possibly the guardian gave a date for his discovery request and SPS let it get away from them. Then Legal sent masses of info to the law firm which, upon district instruction, sent it to the guardian.
The guardian let them know "wrong stuff for my case and fyi, other students info in there."
He may have made another discovery request. Same thing.
They simply did not give him the info pertinent to his case. Why? Rush, laziness, lack of communication, take your pick.
At the end of the day, somebody didn't care enough about student data privacy.
That's the bottom line.
And apparently, the district doesn't really care enough to notify parents involved because they only tried to contact parents electronically. (That's what Nyland said at the Board meeting.)
connect thedots
The consequences for violating FERPA are serious and include:
Temporary suspension of access
Inability to perform one's work
Possible prosecution under criminal codes
Dismissal or Termination
Loss of Federal funding to the institution
In light of these consequences, access to student records must be used responsibly. On-going training and communication are important.
Should you have questions about what is permitted under the Act, contact the Office of the Registrar or the Office of the General Counsel.
And, as a rule of thumb, remember... If in doubt, don't give it out!
SPS BooBoo
“When we’re going outside the scope of education and giving this type of private information to anybody, it’s really a problem,” said Sen. Kimberly Yee, R-Phoenix.
The federal Family Educational Rights and Privacy Act already prohibits schools from disclosing student records without consent. Exceptions to that rule include schools releasing “directory information” such as students’ names, phone numbers and addresses unless a parent or student signs a non-disclosure form.
Penalties for violating the law can include a school, district or charter losing all of its federal funding.
Under SB 1450, knowingly committing a FERPA violation would cost up to 10 percent of an entity’s monthly state funding disbursement. The cuts would remain in place until the violation is corrected.
SPS BooBoo