Testimony Before the New York State Assembly Committee Regarding the Disclosure of Student Information

November 20, 2013

Introduction:
Good morning. My name is Corinne Carey, and I am the Assistant Legislative Director at the New York Civil Liberties Union. The NYCLU is a non-partisan, not-for-profit organization with approximately 50,000 members from across the state, and the foremost defender of civil rights and civil liberties in New York.

I would like to thank the committee for giving me the opportunity to speak today. There have been many news reports in recent months about a significant new threat to student data privacy arising from a partnership between the New York State Education Department (NYSED) and an organization called inBloom. Perhaps the most startling aspect of the controversy over inBloom is how long it has taken for public attention to focus on students’ privacy rights. Over the last several years, the amount of information about students that schools have collected and stored for an indefinite period of time has grown significantly. New York’s partnership with inBloom continues, centralizes, and perhaps accelerates, this trend. This new partnership adds a new dimension: until now the student data that the state collects has been stored in government operated Regional Information Centers. Now, it will be uploaded and stored via private computing services. This partnership creates new opportunities, but also significant new risks for New York’s students.

The NYCLU is deeply committed to defending students’ rights to privacy, including their “data privacy.” In the school context, data privacy means that students and their parents must have, to the extent possible, “control over their own information,” including the “right to decide when and whether to share personal information, how much information to share, and the circumstances under which that information can be shared.”

The ACLU, of which the NYCLU is the New York state affiliate, has a long history with student privacy laws, including playing a major role in passing FERPA, the Family Educational Rights and Privacy Act, in 1974. In the years leading to FERPA’s enactment, the ACLU demonstrated that student records were freely shared with government agencies, including the FBI, courts, and health departments around the country. Students and their parents had no control over this disclosure, nor an affirmative right to review and correct their own records. FERPA created that right, and limited third party disclosure of student information to cases where the student could not be personally identified or where she had granted the school permission to share.

Under changes to FERPA, third party vendors, including cloud service providers, can be granted the same access to records as the school itself. The NYCLU respects that school districts have legitimate reasons for sharing certain student information with vendors. Vendors may help plan school schedules by processing students’ class requests; use enrollment and attendance data to order food for the cafeteria; track incidents of bullying or fighting; or use test scores to develop teaching tools that are targeted for students’ particular needs. These vendors could not provide these services without access to school records.

Centralizing student data in the cloud brings opportunities and risks.
Today, we face a new challenge. Unimaginable when lawmakers passed FERPA in 1974, cloud computing technology enables a single company to collect data about students in every grade and at every school, store it in a single online service, and create interfaces to allow many different parties, including students, parents, teachers, administrators, and vendors, to access a broad range of information about students. The technology can allow users to access information in aggregated datasets or at the individual level. The potential of data sharing made possible through cloud computing is unprecedented and offers important benefits, but not without risks.

Benefits of centralizing data
A shared infrastructure for student records has the potential to actually strengthen security protections for student records. Currently security practices differ widely among school districts; educators regularly transmit information about students by means that are not secure, such as on paper or by email. A shared infrastructure can require educators to use secure communications tools that conform to widely accepted security standards.

Centralizing student data also presents enormous possibility for transparency and informed public policy. Aggregate longitudinal school discipline data, for example, can enable public oversight of discipline practices across the state. New York State lags behind other states when it comes to disclosure of aggregate student discipline data, information that can help policymakers interrupt the so-called “school-to-prison pipeline.”

Other uses of aggregate student data include analysis of the “achievement gap,” tracking of incidents of bullying and harassment in schools, close examination of drop-out rates, and cross-tabulations of student poverty and achievement data. The large data set created with information from all students in all districts allows for sophisticated statistical analysis that cannot be done at the local level. Where student data is de-identified, aggregated, and made publicly available, the policy benefits of centralization are invaluable.

New Risks of centralizing data
However, centralizing student data by storing it through a cloud service also creates a host of new risks for students and their families. Centralizing data creates vulnerabilities for the security of student data. If a malicious actor broke through the security protecting the shared datastore, the actor would have access to all of the data inside: including contact information, special education history, and more.

Centralizing data also increases the likelihood that the system’s administrators might authorize greater data sharing than necessary. When access to private information only depends on selecting or de-selecting user permissions administrators could easily expose private information to individuals or companies beyond what is necessary, useful, or permissible.

Centralizing data makes it much easier for schools to add new data points to the shared datastore, capturing an ever-expanding array of details of students’ lives. The New York State Education Department’s Memorandum of Understanding with the Shared Learning Collaborative identifies “400 granular data elements and the flexibility to add more as needs evolve.” Like granting excessive permissions to users, adding one more data point to a central repository is likely to be so simple that it would be easy to skip thoughtful analysis of whether collecting the information is necessary to support students’ education.

A central record of information about a student may put students into categories from which the database code may never let them escape. For example, the New York Times reported that inBloom’s database allows students to be labeled “victim,” “perpetrator,” or “principal watch list.” Loaded terms such as these can lead future teachers to make biased judgments about a student based on the report in a Data Dashboard.

Additional privacy risks arise when private companies store and provide access to centralized student data instead of the state government. Private entities like inBloom or Amazon Web Services may have incentives to grant access to other companies or mine student data themselves, if state policymakers do not clearly define how these private companies may use student data.

These risks do not mean that New York should never take advantage of the benefits of creating a centralized repository and interface for education data. The right policy framework can empower a “shared learning infrastructure” with robust protections for students’ privacy.

Lawmakers should develop legislation to exploit the opportunities and mitigate the risks of using cloud services for student data.
The NYCLU offers several recommendations for the committee today on how to adequately protect students’ personally identifiable information, while still promoting efficiency and transparency in school district operations and allowing students the benefit of new learning technologies. The state legislature must act immediately to prevent the serious harms that could flow from improper storage or encryption, and inadequate protection of student data.

Our recommendations are not exhaustive. Striking the appropriate balance between the benefits and risks of centralizing student data is a challenge. There are a variety of emerging best practices and standards that lawmakers should look to in crafting policy to ensure confidentiality and security of student data. Our recommendations are informed by those emerging standards.

1. Create tiers of information, with different privacy protections for different types of data. We suggest the state create three tiers of student records, based on the sensitivity of different types of information:
   a. Publicly available information: De-identified, aggregate student information can and should be publicly available to inform public policy debates about schools. Any such public datasets should comply with strict policies to ensure that the data contains no personally identifying information.
   b. Protected information: Identifiable student records that may be shared with third parties only after obtaining the parent and/or student’s permission (for older students), and only where there is a specific, identified educational benefit to the student. These include, for example, sharing a student’s transcript with college admissions personnel, sharing a student’s IEP with her therapist, or sharing performance data with a tutor. These data also include, in the parlance of FERPA, “directory information”; current regulations require students to opt out of sharing this data, not to opt in. But given the enormous potential for abuse of a centralized, longitudinal data repository, we recommend that New York State adopt an “opt in” requirement for this entire category of records, including directory information. These consent requirements should apply as well to further disclosures by third parties who are granted access to student information.
   c. Confidential information: Identifiable student records that can never be shared with parties other than the parent, student, and employees of the school district. These would include immigration records, social security numbers, health records, and criminal or juvenile justice records. These data carry such enormous risk to students and families, and their potential to further educational progress so unlikely, we recommend that, to the extent possible, they are segregated from cloud storage.
2. Require an annual hearing in each school district dedicated to the issue of student privacy. Districts should be required to explain to parents what specific benefits they receive from usage of the data cloud, what data is classified in each tier, and how much is being spent by the district on these services. Districts must also provide a list of all third parties who accessed data in the previous year and to whom data could be disclosed in the coming school year. These hearings must comply with the State Open Meetings Law.
3. Maintain strict retention and destruction policies for identifiable student data. The Fair Information Practice Principles call on organizations to only collect data that is necessary for a particular purpose, and then to only use the data for that purpose. After the purpose of a piece of information has been fulfilled, data should be destroyed or returned to the person who is the subject of the data. New York’s school system should ensure that any cloud service provider will destroy information that is no longer needed, while complying with the NYSED’s records retention schedule.
4. Incorporate a private right of action into New York’s Data Privacy Law. The Supreme Court decided in 2002 that individuals cannot sue schools that violate their rights under FERPA. Without a private right of action under FERPA, there is no accountability for institutions handling—or mishandling—students’ information. New York’s legislators should establish such an accountability mechanism by creating a private right of action for parents and students against public and private entities that misuse students’ personal information.

Conclusion
Legislators should act quickly to incorporate privacy protections such as these into state law. The recent controversy over inBloom has brought much needed public attention to data collection and storage practices that have been developing in New York for years. Legislators’ response to today’s headlines should address the full scope of student data collection and storage. Students and parents deserve control over the personal information they share with schools, no matter who collects and stores it.