Follow up to meeting with NYSAPE and Class Size Matters – Student Data Privacy Regulations

March 14, 2017
  
Re: Follow up to meeting with NYSAPE and Class Size Matters – Student Data Privacy Regulations
 
Dear Beth, Alison and Temitope:
 
We appreciate that you took the time to meet with us in New York City on March 1 and listen to our concerns about the need to make real progress in protecting student data privacy in our state. We hope this will the beginning of a positive collaboration and free exchange of ideas.
 
We also hope that the draft Parents Bill of Rights that you showed us will be promptly revised so that it aligns with what the law requires, that the new NYSED privacy website will be further enhanced and improved, and that public hearings and robust process of stakeholder input will soon be scheduled to further expand upon the Parent Bill of Rights, as the law envisions.
 
We understand that you intend to create a temporary working group to give advice on the Parent Bill of Rights. This seems like a good idea.  However, this does not obviate either the need for a more open and robust process of stakeholder input including public hearings, or the establishment of a permanent Stakeholder Data Advisory Board.  Unlike a temporary workgroup, this Board would be subject to Open meetings law and would provide oversight on an ongoing basis about best practices and stewardship in the collection, use and disclosure of personal student data. 
 
As the 2009 NYSED application that promised the creation of this Board pointed out, “New York State has approximately 3.3 million students housed in over 700 local school districts.  These entities are impacted greatly by how the LDS [Longitudinal Data System] is constructed, how its business rules are created and disseminated, how timelines are created and implemented, and how reports for their use are designed and distributed.  Yet they have little or no input into any of these processes.  Project Next Gen will create a system to provide active and ongoing review by local constituents.  Regional Advisory Councils will be organized across the state.  Major policy initiatives as well as detailed functional plans related to operation of the LDS will routinely be reviewed by these groups.  “
 
We believe that if this Board had been established as promised, the inBloom fiasco would never have occurred.  But in our view, it is not too late to prevent another one.
 
We also feel the need to alert our members, including thousands of parents across the state who have become frustrated at the state’s slow progress in implementing the student privacy law since it was passed almost three years ago, Thus, we would like to be able to tell them whether the four goals cited above will be addressed and if so, when they will be accomplished.
 
Finally, as mentioned during our meeting, we urge you to send out a message as soon as possible to districts planning to give the PSAT and the SAT in the next few weeks that their contracts with the College Board should bar the selling of student data, though the College Board may call this “licensing” the data.  See this Washington Post article that explains how the College Board sells this data for 40 cents per name: http://wapo.st/1QhIOzv?tid=ss_tw  In addition,  parents of students taking these exams should be alerted in advance  that providing a wide range of personal data, including  such highly sensitive information including grades, ethnicity, religion, parent income and disability status,  is completely voluntary – and both parents should be provided a consent form in advance, as Colorado has done here: http://tinyurl.com/jbysgkg   
 
Thank you again very much for your time; our updated detailed list of suggestions on how to strengthen the Bill of Rights and implement the Student Privacy Law is below.  As we said to you during the meeting, we would very much like feedback on whether and when these concerns will be addressed, as well as a timetable by which the goals mentioned above will be achieved, so we can assure parents that NYSED is indeed making progress on protecting and securing personal student data.
 
Yours sincerely,
 
 
Lisa Rudley, Executive Director, NYS Allies for Public Education
Leonie Haimson, Co-chair, Parent Coalition for Student Privacy and Executive Director, Class Size Matters
Allison White, Founding Member, Port Washington Advocates for Public Education

Attachment:
Updated CSM and NYSAPE concerns with the Parent Bill of Rights, the Student Privacy website, the need for public input and enhanced oversight and enforcement of the law – Omissions in draft Parent Bill of Rights dated 2/28/17
 

• Links to WRONG list of data elements at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx

Current list as of 2/24/2017 is posted here: http://www.p12.nysed.gov/irs/sirs/NYSEDDataElements2016.xlsx

• In addition, merely linking to this spreadsheet is not sufficiently compliant with New York State Education Law Section 2-d, which states in section 3 (b)4 that the Parents Bill of Rights (PBR) should make available for public review, “A complete list of all student data elements collected by the State “.  Either in the PBR or on the website there should be that list which now can be discerned only by looking at the SIRS manual.  For example, just looking at the spreadsheet one would have no idea that the personal student data collected by the state includes many types of disabilities, suspension data, and/or whether a student who has been enrolled in US schools for less than 3 years and thus called an “Immigrant”, under the Program Service Code.
• The PBR needs to include a list of specific state contractors that receive personal student, teacher or principal data, as specified in Section 3 (c) of the law: “The parents bill of rights for data privacy and security shall include supplemental information for each contract an educational agency enters into with a third-party contractor…and shall include (1) the exclusive purposes for which the student data or teacher or principal data will be used.” Etc.  This clearly indicates that the PBR should include the names of third party contractors with whom NYSED shares data, and well as for what purposes.
• Also, see section 3 (c) 2,3,4,5 of the PBR, requiring that the Bill of Rights include information as to the security provisions used by each contractor which receives data from the State, when the agreement expires, how parents, students, teachers etc. can challenge the accuracy of the data they hold., where the data will be stored, and under what conditions.
• Instead the draft document only seems to repeat these terms as a general requirement for other LEAs – leaving out itself.
• The PBR should also state the methodology required for encryption – and not just say “as specified in Education Law Section 2-d” but cite more specifically “Section 13402(H)(2) of Public Law 111-5.”

 
Improvements needed for website at http://www.nysed.gov/student-data-privacy
 

•  Though the website now links to New York State Education Law Section 2-d  it omits a link to Section 2-c.  Release of student information to certain entities
• Nowhere on the website either in the Resources section or the PBR does it mention the NY Personal Privacy Protection law, which is stronger in certain respects than federal laws regarding student privacy.
• Nowhere on the site either in the Resources section or the PBR are included additional federal student privacy protections in IDEA and the NSLA (National School Lunch Act)
•  The site should also include a user-friendly list of personal student data elements collected by the state as well as why each of these personal data elements are being collected — see Section 4 (b) “with an explanation and/or legal or regulatory authority outlining the reasons such data elements are collected and the intended uses and disclosure of the data.”   (see above section on PBR)
• The site should include a way for a parent to ask questions, raise concerns or ask for the information of what specific data the state holds for one’s child.  Only a data-breach complaint form and website feedback form are now posted.
• There should be contact info for the CPO added, including email and phone no. and a description of his/her role under the state law.
• FAQ should answer the question about whether the privacy rights of students at charter schools are protected by the law. 
• FAQ doesn’t make clear if districts and schools must have contracts before disclosing personal data to 3rd parties who are providing “services”, including researchers– only that if there are contracts, that they must include certain restrictions and abide by the provisions in the law.
• FAQ should include fact that parents have right to ask state for a copy of the personal data they hold for their child, as well as who it has been shared with – and to make this available within 45 days as FERPA requires.
• FAQ should cite that the data should be encrypted and protected by conditions specified under “Section 13402(H)(2) of Public Law 111-5” and explain what that means.
• FAQ should also make clear that the Parent Bill of Rights is supposed to be expanded with input from public including stakeholder groups – Section 5 (d):  The chief privacy officer with input from parents and other education & expert stakeholder, shall develop additional elements of the parents’ bill of rights…etc.”

 
Problems with enforcement
 

• Many districts (including NYC) fail to post the temporary Parents Bill of Rights or link to it.  See for comparison: http://schools.nyc.gov/NR/rdonlyres/596D9F3C-4938-4DB0-95B7-A0F1D9F44A3B/0/NYCDOEParentBillofRightsforDataPrivacyandSecurityEnglishversion.pdf
• They also do not inform regularly parents of their rights under FERPA to opt out of directory information, as required under FERPA.
• In other instances, districts are not posting with their PBR the information about each contractor they share data with, for what purpose and under what conditions.
• They are allowing teachers and others to share data via click wrap agreements, which are not contracts, and without seeing whether the privacy policies and agreements comply with the law.
• As mentioned above, many districts including NYC are now administering the PSAT and SAT to students in school, without ensuring that their data will not be sold, as is the customary practice of the College Board.
• There are many other problems with enforcement and district lack of compliance too numerous to go into detail here.

 
Need to develop an expanded Parents Bill of Rights:

• According to law, the CPO is required to solicit the input of parents and other stakeholders to help develop “additional elements of the Parents bill of rights” before it is released for public comment and put into final form.     Same with regulations.  When will this occur? 
• We urge you to hold public hearings throughout the State to gain input from parents, district officials, educators, and other stakeholders vis-à-vis their privacy concerns and what should be incorporated into the PBR, as well as solicit input through the website. 
• After this occurs, the proposed PBR should be drafted and made publicly available during a 45-day period of public comment, pursuant to proper notice, during which time interested parties would be allowed to submit comments online, to be posted by NYSED and answered by the CPO.
• In addition, the CPO, along with Commissioner, is required to promulgate regulations that establish standards to govern educational agencies’ data security and privacy policies, and to develop one or more model policies for them to use. 

Need for a Stakeholder Data Advisory Panel:

• NYSED promised the US Department of Education in 2009 in exchange for a $7.8M federal grant that a permanent advisory board would be created, called the Statewide Stakeholder Advisory Panel, to oversee the collection, storage and disclosure of student data in the State Longitudinal Student Database.    (See http://nces.ed.gov/programs/slds/pdf/NewYork2009.pdf)
• This board, we believe, should be enacted by regulation, include representatives from stakeholder groups and privacy and security experts, be subject to open meetings law, and should help guide the state on an ongoing basis on the responsible collection, use and disclosure of personal student data.  The creation of a temporary advisory workgroup, while potentially useful as a stop-gap measure, does not fulfill the same need as a permanent board that would give expert guidance as well as solicit public input on these important questions on a long-term basis.

 Additional concerns with the state’s collection of personal student data

• The state collects much personal information about immigrant students that could put their future at risk if accessed by ICE officials or others. For example, the current list of mandated data elements includes a student’s country of birth, whether the student is an immigrant (defined as born outside US and not attending school in any of the states for more than 3 years); as well as migrant status. We are also concerned about the collection of detailed personal student suspension and disability data.
• Why is so much of this data required, and how is it to be protected from disclosure?  Which of these personal data elements is the state required to collect on an individual student level, rather than as aggregate data from schools?