Comments of the Parent Coalition for Student Privacy
to the
Institute of Education Sciences, U.S. Department of Education

Privacy Act of 1974; System of Records—“Impact Evaluation of Data-Driven Instruction
Professional Development for Teachers” (#18-13-39)

[FR Doc. 2015-30526]

February 13, 2016

In response to the Institute of Education Sciences of the Department of Education’s published notice, dated December, 2, 2015, to create a new system of records for the “Impact Evaluation of Data-Driven Instruction Professional Development for Teachers” (#18-13-39) (“Study”), the Parent Coalition for Student Privacy (“PCSP”) respectfully submits the following comments objecting to the Department of Education’s (“Department”) proposed collection, use and disclosure of students’ personally identifiable information for purposes of this Study.

According to the System of Records Notice (“SORN”), the Study will facilitate the collection of “personally identifying information on approximately 12,000 students, 500 teachers, and 104 principals from 104 schools in 12 school districts…”

The SORN further states that records “[f]or students… will include, but will not necessarily be limited to, standardized math and English/Language Arts test scores, age, sex, race/ethnicity, grade, eligibility for free/reduced-price lunches, English Learner status, individualized education plan status, school enrollment dates, attendance records, and discipline records.”

We oppose the federal government collecting this highly sensitive personally identifying information from students, on the following grounds:

1. We agree with the Electronic Privacy Information Center that the Department could likely achieve its research goals by using aggregate data instead of students’ personally identifiable information.
This would also reduce the risk that the personal data of students might be misused or breached by the federal government or the private contractors to whom the agency proposes to share the data. If the Department or its contractors cannot achieve their goals by collecting and analyzing aggregate data, they should be obligated to explain why. The goal of data minimization is a requirement of the Fair Information Practice Principles as delineated by the National Institute of Standards and Technology (“NIST”).

2. The Department should be obligated to define specifically which student personally identifiable information (PII) it plans to collect and why.
The Department’s vague declaration that the student information it will collect “will include, but will not necessarily be limited to…” lacks the precision necessary to meet the Department’s own transparency guidance for local education agencies. According to the document entitled “Transparency Best Practices for Schools and Districts,” the Department’s Privacy Technical Assistance Center (“PTAC”) advises that schools and districts communicate the following information to parents:

What information are you collecting about students?
• Develop and publish a data inventory listing the information that you collect from or about your students. A best practice is to provide this information at the data element level.
Why are you collecting this information?
• Explain why you collect student information (e.g., for state or federal reporting, to provide educational services, to improve instruction, to administer cafeteria services, etc.). A best practice is to provide this information at the data element level.

Just as the PTAC advises local education agencies to develop and publish an inventory at the data element level, the federal government should be obligated to maintain at least the same level of transparency as it recommends that schools and districts display. Transparency is also one of the key Fair Information Practice Principles.

3. Notify the parents of children involved in this Study that their student’s personally identifiable information will be collected and disclosed to researchers.
While FERPA no longer requires parental notification and consent of student participation in a federal study, audit or evaluation since the regulations were re-written in 2011, best practices for transparency developed by the PTAC for local education agencies urge them to answer the following questions and communicate the answers to parents:

Do you share any personal information with third parties? If so, with whom, and for what purpose(s)?

The Department should adopt this practice for the unit record system developed for purposes of this Study. This is yet another Fair Information Practice Principle as articulated by NIST: “Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information.”

4. The Department should obtain informed consent from parents before children participate in the Study.
Approximately 50 million students are currently educated in the U.S. Of those 50 million, 12,000 children will be taking part in the Study, representing 0.024% of the entire student population. Obtaining consent from parents of this relatively small sampling of families would not be overly burdensome. The Department or participating districts should ask parents for their permission to participate before the Study begins, in accordance with the following Fair Information Practice Principle: “Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII.”

5. Improve the Department’s data security protocols before developing yet another unit record system.
Troubling findings from the U.S. Department of Education: Information Security Review Hearing (“Hearing”) by the Full House Committee on Oversight and Government Reform on November 17, 2015, include:

1. The Department maintains 184 information systems.
• 120 are managed by outside contractors
• 29 are valued by the Office of Management and Budget (OMB) as “high asset”
2. The Department scored NEGATIVE 14% on the OMB CyberSprint for total users using strong authentication
3. The Department received an “F” on the FITARA scorecard
4. The IG penetrated DoEd systems completely undetected by both the CIO or contractor
5. The Department needs significant improvement in four key security areas:
• Continuous monitoring
• Configuration management
• Incident response and reporting
• Remote access management

Until the Department markedly improves its information security practices for the data systems it currently maintains it should not be in the business of creating additional unit record systems. Security is yet another principle of Fair Information Practices that the federal government should be obligated to respect: “Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.” At the very least, the Department should be obligated to reveal what security protections will be used to safeguard this data, as in this PTAC recommendation: “Explain your institutions information technology (IT) security and data protection policies.”

5. Reveal when the data will be deleted or destroyed.
Another Fair Information Practice Principle refers to data deletion: any organization, including the Department should “only retain PII for as long as is necessary to fulfill the specified purpose(s)” for which it has been collected. Yet nowhere in the SORN does the Department disclose exactly when the data will be deleted. To the contrary, according to the General Records Schedule 4.1 referred to in the SORN, an unsatisfactorily vague statement is made that the personal information collected for this Study will be “Destroy[ed] when no longer needed.”

6. Explain why the Department must collect any personally identifiable data for the purpose of a study that other researchers are conducting.
Finally, we are unable to discern why the Department needs to acquire this information at all. If a study of Data-Driven Instruction Professional Development by contractors must involve the analysis of personally identifiable student information, why cannot these researchers obtain the data directly from participating districts, without the data being collected or maintained by the federal government?

Conclusion

For the preceding reasons, the Department should cease development of the “Impact Evaluation of Data-Driven Instruction Professional Development for Teachers” unit record system. The PCPS feels strongly that the Department should never collect personally identifiable student information for any reason.

However, if the Department is intent on moving forward with this study, it should be obligated to: (1) explain why aggregate information would not be sufficient for the purposes of the Study; (2) specifically define the personally identifiable data elements that will be collected and why each data element is needed; (3) notify parents of students who are involved in the Study, or at least reveal which districts are participating, and report the names of any other third parties to whom the personally identifiable information will be disclosed; (4) demand that districts obtain informed consent from parents whose children are participating in the Study; (5) demonstrate “significant improvement” in the four key security areas identified as a result of the Hearing, or at least report what security protections will be used to safeguard the data (6) disclose specifically when the data will be deleted; and (7) explain why the federal government has a need to collect or maintain any personally identifiable data when districts could provide it directly to the researchers for their analysis.

The PCSP awaits the Department’s responses to each of these questions and/or recommendations.

Respectfully submitted,

Rachael Stickland
Co-Chair

Leonie Haimson
Co-Chair

Parent Coalition for Student Privacy
124 Waverly Place
New York, New York 10011
[email protected]

Click here for a downloadable version of the comments with references.