How NY State Ed Department is trying to weaken student privacy by allowing the selling & marketing of personal data

The New York Board of Regents is currently considering whether to approve a radical weakening of the state student privacy law, which would allow the College Board, the ACT and other companies that contract with schools or districts to use the personal student information they collect for marketing purposes – even though the original New York law that was passed in 2014 explicitly barred the sale or commercial use of this data. Parents and all others who care about protecting children’s privacy should send in their comments to the state now, by clicking here or sending their view to REGCOMMENTS@nysed.gov. Deadline for public comment is Sept. 16. More on this below.

Starting in 2014, many states, including New York, approved legislation to strengthen the protection of student privacy, due to a growing realization on the part of parents that their children’s personal data was being shared by schools and districts with a wide variety of private companies and organizations without their knowledge or consent. The US Department of Education had weakened the federal student privacy law known as FERPA twice over the past decade, rewriting the regulations during the Bush and Obama administrations to allow for non-consensual disclosures for different purposes.

At that time, few parents were aware how federal law had been altered to allow their children’s information from being passed into private hands. Then controversy erupted over the plans of nine states and districts to share personal student data with a comprehensive databank called inBloom, developed with more than $100 million of funding from the Gates Foundation.

InBloom Inc. was designed to collect a wide variety of personal student data and share it with for-profit vendors to accelerate the development and marketing of the ed tech industry, to facilitate the adoption of online instruction and assessment. As a result of widespread parental activism and concerns, all nine states and districts that had originally intended to participate in the inBloom data-sharing plan pulled out, and 99 new state student privacy laws were passed across the country between 2014 and 2018.

New York was one of the first to pass a new student privacy law. In March of 2014, our State Legislature approved Education Laws § 2-c and §2-d , which among other things, prohibited the state from sharing student data with inBloom or another comprehensive databank, and also regulated the way schools and vendors must secure student data, including imposing a complete ban on the sale of personal student information or its use for marketing purposes .

As a result of these provisions, New York received a grade of A- in the category of “Limitations on the Commercial Use of Data” in our State Student Privacy Report Card, released last January by the Parent Coalition for Student Privacy (PCSP), which I co-chair, and the Network for Public Education. In turn, this high mark raised New York’s overall grade for protecting student privacy in our rating system to B-, the second highest grade of any state after Colorado. (You can check out the interactive map that grades every one of the fifty states on its student privacy laws, overall and in seven different categories).

Yet to the frustration of many parents and privacy advocates, it would be nearly five years before New York State Education Department drafted any regulations to implement its 2014 student privacy law. In October of 2018, NYSED finally released proposed regulations for public comment. In March 2018, PCSP along with the statewide coalition New York State Allies for Public Education (NYSAPE), submitted recommendations on how to strengthen and clarify those regulations, as did more than 240 parents and privacy advocates.

After the initial period of public comment had ended, instead of strengthening the regulations, the NYSED gutted them, and now proposed allowing student data to be used for commercial purposes as long as there was parental “consent” – a huge loophole that would create the opportunity for districts, schools and vendors to misuse this data in myriad ways.

In their rationale to the Board of Regents, posted here, NYSED officials were frank about their reasons for revising the proposed regulations in this way: to allow the College Board and ACT to offer “college search services to students and parents who consent to the release of college entrance test data to colleges and higher education institutions by college admissions testing companies.”

Yet the College Board and ACT do not just share the test score data in the ordinary ways that parents expect, that is, send these scores to whatever specific colleges that their children have applied to attend. They also sell personal student data to many unspecified organizations and institutions which then re-sell it to unscrupulous for-profit companies.

In particular, the College Board makes untold millions of dollars from marketing personal student data through their “Student Search Service”. Much of this confidential data is deceptively harvested through surveys administered to students right before they take the PSATs and SATs, or when they register for the test online, a practice that we have written about previously and more recently has been criticized by the US Department of Education.

In May of 2018, the Privacy Technical Assistance Center (PTAC) of the US Department of Education released guidance that if states and districts contract with the College Board or ACT to give these exams to students, as is increasingly the case across the country including in New York City, they may be violating federal privacy laws in several different ways.

First of all, as PTAC officials pointed out, the supposedly “voluntary” surveys given to students before taking the PSAT or SAT may include questions relating to highly sensitive issues including their religion, grade point averages and/or family income. Often, it’s not clear to these students that they have a choice not to offer this information, and since they are already feeling high levels of anxiety before taking these exams, they may feel pressured to do so. They certainly are not told that the data is sold will be sold at a profit by the College Board. In any case, some questions relating to sensitive issues cannot be asked legally of students who are under 18 without the prior notification and opt out or consent of their parents, according to the federal law known as the Protection of Pupil Rights Amendment (PPRA).

As the PTAC guidance document also makes clear, “the testing companies then sell [personal student] information to colleges, universities, scholarship services, and other organizations for college recruitment and scholarship solicitation.” If students are asked to take these exams by their districts, and the data is offered to third parties without explicit parental consent, this widespread practice also likely violates both FERPA and IDEA, the Individuals with Disabilities Education Act, the latter which has special provisions to protect the private data of students with disabilities.

To make things worse, the College Board is deceptive about whether this data is actually sold. In the College Board privacy policy for the “Student Search Service,” they falsely reassure parents that “The College Board does not sell student information.

Yet on another page on their website, they hedge this claim by saying they don’t “sell information about participating students to any third party without the student’s permission.” [Never mind that many of these students have not reached the age of consent.]
On a different, third page on their website designed for potential commercial customers, the purchase price of this data is made clear: 47 cents per student name.

The College Board is just as cagey and at times contradictory about what specific student data is shared with third parties through their “Student Search Service.” On their privacy policy page, they say the data may relate to the students’ “academic and extracurricular interests, career and field of study interests, family income, and religious preferences.”

A longer and more specific list of data is listed on the Student Search webpage, revealing that, depending on the test taken, it may include student email addresses, ethnicity, GPA, sports, or “educational aspirations.” On that same page, the College Board affirms that “we never share” information through this service relating to a student’s “disability status, self-reported parental income, Social security number, phone numbers, or actual test scores.”

Parents are forced to dig even deeper into a SAT registration booklet, to discover that while their child’s “actual test scores” may not be sold to third parties, “Colleges participating in Student Search … can ask for names of students within certain score ranges[emphasis mine].”

So unknowingly, students who are asked to answer questions from a survey before the administration of these exams may at the same time be unknowingly giving their permission to sell their data to a variety of institutions and organizations, who in turn, may then redisclose the data to other organizations and/or for-profit companies.

Last summer, in July of 2018, in an explosive article entitled “For Sale: Survey Data on Millions of High School Students,” the NY Times exposed how the College Board sells the personal information they collect via these surveys to various “partners,” who in turn may re-sell the data to for-profit companies, allowing them to use the information to market their dubious products and services to unsuspecting families.

The article described how thousands of students attended a “Congress of Future Science and Technology Leaders” costing $985, run by the for-profit National Leadership Academies. The company had bought their names and other data from an unnamed university, which in turn had purchased it from the College Board: “In filling out those surveys, the teenagers ended up signing away personal details that were later sold and shared with the future scientists event.” Once the data is sold by the College Board, it is nearly impossible to monitor any other use or redisclosures of the data.

College Board is far from the only untrustworthy actor in this regard. ACT has been similarly surreptitious about what personal student data is collected and sold to colleges and other third parties, through the survey on the online ACT Student Profile Section that students are asked to voluntarily fill out when registering or before taking the exam.

Without their knowledge, ACT allegedly identified student disability status through this information on the score reports sent to colleges and sold this information to colleges and other third parties. After this practice was discovered, a class action lawsuit was filed in August 2018 in the US District Court in Los Angeles. In a recent legal filing, ACT informed the court that it will no longer sell student disability status in the data collected voluntarily by students, but refused to admit to flagging its regular score reports with this information.

As Joel Reidenberg, a professor at the Fordham University School of Law, the head of the Center on Law and Information Policy told the NY Times, “The harm is that these children are being profiled, stereotyped, and their data profiles are being traded commercially for all sorts of uses — including attempts to manipulate them and their families.”

A research report co-authored by Professor Reidenberg found that there exists a thriving marketplace in student data, in which brokers offer a wide variety of sensitive student information for sale, including their ethnicity, income, religion, and interests, and that this data could “be used for a range of malicious purposes, including discrimination and identity theft.”

In 2014, after both New York and California passed laws prohibiting the selling of personal student data or their use for any commercial purposes, College Board and the ACT stepped in, realizing how these laws represented a severe threat to their thriving business in student data.

In Colorado, the College Board stepped in to persuade legislators to provide a special exemption from the law for their benefit – to allow school vendors to “sell, rent, or trade” personal student information for the “purpose of providing the student with information about employment, educational scholarship, financial aid, or postsecondary educational opportunities “ – as long as parents or students over the age of thirteen gave their consent.

In Arizona, Nebraska, North Carolina, Texas and Washington D.C. as well, their student privacy laws incorporated these exemptions, to allow the College Board and ACT to continue selling personal data for these purposes.

Now, these same companies, College Board and ACT, have apparently persuaded the NY State Department of Education to rewrite our state law by creating an expansive new loophole that would allow these practices to continue, by redefining the term “marketing” in the following way:

Where a parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of personally identifiable information by the third-party contractor for purposes of providing the requested product or service, such use by the third-party contractor shall not be deemed a marketing or commercial purpose prohibited by this Part.”

As PCSP and NYSAPE wrote in a letter to NYSED after the new draft regulations were revealed,

“To create a new, huge loophole in the law that would allow the College Board, ACT or any other contractor or subcontractor to sell student data and/or use it for marketing purposes, by making the untenable claim that such sale or marketing purpose is not truly marketing if there is consent, is a drastic weakening of the law which should NOT be contemplated….

If the College Board lobbyists or its supporters would like to eliminate the prohibition of the sale or marketing of student personal data in the law, they should go to the Legislature and ask that it be amended. This should not be done through regulations or by attempting to redefine the meaning of the term “marketing.”

In fact this loophole could benefit many other vendors, and even perhaps schools or districts that may want to profit off the use of student data, by asking for parental or student consent in surreptitious ways, for example requesting that they click on a button to signal their “consent” without carefully reading the privacy policy. Even if students or their parents knowingly consented to the initial marketing use or sale of the data, once the transfer of information has occurred, it is nearly impossible to track how it will be commercialized from that time on.

This wholesale rewriting and evisceration of the New York student privacy law should not be allowed. The deadline on public comment on the new regulations is September 16, and the Board of Regents are due to vote on the new regulations during their monthly meeting on October 8-9. Parents and all others who care about protecting children’s privacy should send in their comments now, by clicking here or sending their view to REGCOMMENTS@nysed.gov.

They should also call their Regents members, to urge them to reject these regulations which would violate the original intent of the law, and would open a Pandora’s box of an unfettered marketplace of personal student data, with potentially damaging results.

Inordinate delays into US Dept of Education response to FERPA complaints lead to more blatant violations of student privacy by Eva Moskowitz and Success Academy

Update:   On May 31, 2019, the  US Dept of Education finally released their findings after waiting 3 1/2 years, showing that indeed Eva Moskowitz had violated FERPA by posting online the details from the files of  Fatima Geidi’s  son and sending them to reporters, and then again when she included them in her book.  Yet they didn’t penalize her or the school or even require that she omit theses details from her book, merely schedule some trainings in FERPA.  The Daily News covered this story and reported that Eva Moskowitz plans to appeal the decision.  The story was also reported in Education Week and PoliticoMore here.


This is cross-posted at the NYC Public School Parents blog.

On  May 4, 2019 , the NY Daily News ran an article about the plight of Lisa Vasquez and her autistic daughter Jazmiah who was pushed out of a Success Academy charter school; Success also repeatedly threatened to call the city’s Administration of Child Services on Ms. Vasquez.  Her daughter has now been out of school for 18 months. The NYC Department of Education has failed to place her in any setting that provides her the services she needs, and refuses to pay for the private school that an impartial hearing officer has agreed would be appropriate.

The same day, the media outlet Chalkbeat  ran a longer story about this family’s predicament. While answering questions from Chalkbeat reporter Alex Zimmerman,  Success school officials showed him detailed confidential records from the student’s files, including “including progress reports, contemporaneous notes from multiple educators and psychologists, and a copy of her learning plan.”

This is a clear violation of the Family Educational Rights and Privacy Act,  also known as FERPA.  Though Success Academy officials claim they had the right to “rebut false claims without violating FERPA when a parent has chosen to go the press,”  there is no such provision in FERPA.

I contacted Ms. Vasquez through her attorney, and offered to help her file a FERPA complaint.  She accepted and on May 9, she sent it to the US Department of Education.  The complaint is below.  We also filed a complaint with the NY State Education Department Chief Privacy Office, as this disclosure also violates NY State Education law 2D, the student privacy law passed in 2014 as a result of the controversy over inBloom.

What’s especially infuriating about these events is that Success Academy and its CEO, Eva Moskowitz, have been using these same illegal tactics for years to retaliate against families who dare criticize the way her schools treat students.

In October 2015, after Fatima Geidi was interviewed on a PBS News Hour show by John about how her son was mistreated by the principals and teachers at Success Academy, Eva Moskowitz sent a letter with details of his records, full of trumped up offenses, to every education reporter in the nation, and posted it on the Success website.

Fatima filed a FERPA complaint on Oct. 30, 2015, more than three years ago, a complaint that she is still waiting for the US Department of Education to respond to, though the Director of the Student Privacy Policy Office  Michael Hawes told me the investigation into her complaint was essentially complete months ago. What is worse is that because of the long delay in responding, Moskowitz subsequently wrote a book in 2017 published by Harper Collins, containing many of the same false allegations against Fatima’s son, a book that is still sitting on the shelves and in libraries throughout the nation.

Moreover in at least five Success Academy  charter schools, SAC Cobble Hill, SAC Crown Heights, SAC Fort Greene, SAC Harlem 2, and SAC Harlem 5, FERPA violations were noted by the SUNY Charter Institute during 2016 site visits, as noted in their Renewal reports.  In each of these Renewal Reports, the same observation is made:

“The Institute and school worked cooperatively to correct minor infractions at the site visit regarding Family Educational Rights and Privacy Act (“FERPA”) wherein the intent of the school was laudable but technically a violation…”

I wouldn’t necessary assume that the intent of these school officials was laudable – especially given the SUNY Institute’s tendency to rubberstamp renewals and ignore all the many federal and state lawsuits against Success Academy, but I do find it interesting that they felt compelled to note these violations in their reports in any case.

Clearly Eva Moskowitz and Success Academy officials remain intent on ignoring federal law and violating the privacy of students  – and continue to get away with it because of inaction from the federal government.

Last October, the Inspector General’s office released a scathing audit of the US Department of Education’s record in responding to FERPA complaints.  The IG office reported that there were 344 open investigations as of May 2018, with many more pending complaints including some two years old for which no decision had yet been made as to whether to investigate or not.  No that no systematic process existed for even tracking and calculating how many complaints went unresolved over time.  They wrote that “The Privacy Office is not meeting its statutory obligation to appropriately enforce FERPA and resolve FERPA complaints,” and they required a corrective action plan.   This audit was reported on in Ed Week and other publications.

The US Dept of Education wrote a response to the audit, detailing how they would reform their process. Michael Hawes was appointed the new Director of Student Privacy Policy to clean up the mess.

On Friday, Michael Hawes left the Department of Education to join the Census Bureau, but before he left he told me that the active investigations into Fatima’s two complaints had been completed for some time, and a “findings letter” written, but that the letter could not be released because it had not yet been approved by senior leadership at the Department of Education.  A timeline of these events is below.

October 12, 2015: PBS News Hour runs a segment with an interview of Fatima Geidi and her son.

October 19, 2015: Ann Powell, VP of Public Affairs and Communications at Success Academy Charter Schools, sends out a media release to reporters, which includes a long letter from Eva Moskowitz to Judy Woodruff of PBS that includes personally identifiable information from the child’s education records.  The letter is also posted the same day on Success Academy website.  The letter by Ms. Moskowitz includes an email from John Merrow of PBS, in which he writes that Fatima “was unwilling to release [my] son’s records.”  Eva Moskowitz herself admits in her letter that Fatima  was “refusing to waive her son’s privacy rights.”

October 22, 2015: Fatima sends a cease and desist letter to Eva Moskowitz, demanding that she remove the letter to PBS from the Success website containing false disciplinary charges against her son,as well as a second follow up letter she had sent concerning her son on October 21.

October 23, 2015: Eva Moskowitz responds with a letter to Fatima, saying she had a “constitutional right to speak publicly to set the record straight about the reasons that your son received suspensions.”

October 29, 2015:  NY Times reports on the infamous “Got to go” list composed by a principal at a Success charter school, specifying the children he would try to push out of the school.

October 30, 2015: Fatima files her initial FERPA complaint, which is covered in several publications, including Slate.

November 19, 2015:  Along with Zakiyah Ansari of the Alliance for Quality Education, Fatima meets with Ebone Woods and David Krieger from the Office of Civil Rights of the US Dept. of Education in NYC to deliver a petition with thousands of signatures about Success Academy’s excessive suspensions and disparate treatment of black and Latino students which contributes to the school to prison pipelines.   They urge the federal government to stop funding the charter chain, which received $37 million in federal grants since 2010, including $13.4 million this past year.Fatima also submits a formal civil rights complaint about her son’s treatment by the school.

December 1, 2015:  Fatima receives a letter from  OCR confirming that Success Academy is under investigation. At about that time or shortly thereafter, Eva Moskowitz removes the details of Fatima’s child’s records from the Success website

January 22, 2016: Many more parents file a federal complaint with the US Department of Education Civil Rights office, accusing the Success network of charter schools of discriminating against students with disabilities. Officials in that office tell them Success is already under investigation.  This new complaint is reported in the NY Times and elsewhere.  .

September 2016:  SUNY Charter Institute notes unspecified violations of FERPA at several Success charter schools.

October 20, 2016: A full year has gone by without any response from the US Department of Education to Fatima’s complaint.

November 16, 2016:  President-elect Donald Trump interviews Eva Moskowitz for a job as Secretary of the US Department of Education. The next day, she says she would decline the position if offered it but that she supports Trump’s “strong support for school choice.”

November 18, 2016:  Ivanka Trump visits a Success Academy charter school.

September 12, 2017: Eva Moskowitz publishes the same chronicle of trumped-up allegations against Fatima’s son in a book published by Harper Collins.

September 28, 2017:  The US Department of Education awards  $6,130,200 to Success Academy charter schools to further expand their schools.

December 7, 2017: More than two years later, Fatima receives a letter from the US Department of Education, saying they are now ready to investigate her FERPA complaint from Oct. 31, 2015.

December 14, 2017: Success illegally releases information to a reporter  from another child’s records, a first grader after his mother files a lawsuit against his being suspended for forty-five days without a hearing .

December 20, 2017: Fatima files another FERPA complaint with the US Department of Education, having just discovered that many more details about her child’s records, some of them falsified, are contained in the new Moskowitz book.  In her new complaint,  she references her earlier complaint, and writes that because of the inordinate delay of more than two years, the harm to her child ‘s privacy has been seriously aggravated.

February 16, 2018: Fatima receives a letter from Frank Miller of the US Department of Education saying they had now received information from Success regarding her first complaint, filed more than two years ago, and in a few weeks would let her know the results.  He doesn’t mention the second complaint, though Fatima responds with the information about the Moskowitz book that has since been published.  She doesn’t hear back anything.

October 20, 2018:  Three years have lapsed from the date of Fatima’s original FERPA complaint,  without any action taken by the US Department of Education.

November 26, 2018: The Inspector General’s  audit is released, showing the Department is years behind in responding to FERPA complaints, and demanding a corrective action plan.

December 13, 2018:  I have a conversation over the phone with Michael Hawes, who by then has been appointed  Acting Director, Family Policy Compliance Office, and is about to be named  Director, Student Privacy Policy Office.

Hawes says they will soon release a “findings letter” about Fatima’s FERPA complaints. He points out that his office had already posted a 2015 “technical assistance” letter to the Virginia Attorney General, saying that a school’s desire to defend itself against accusations by parents or students is NOT a legal justification to disclose confidential information from their records without their consent.   As that letter points out, “the Department has declined on previous occasions to extend the doctrine of implied waiver of the right to consent when parents or students have shared information with the media or other members of the general public due to the harm that this would cause to students’ privacy interests.”

December 20, 2018: The US Dept of Education responds to the IG audit, promising to take various steps to speed up its responses to complaints.

January 2019: Michael Hawes is appointed Director of the Student Privacy Policy Office.

January 9, 2019: Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, and I have a conversation with Michael Hawes about the many positive changes he plans for the office, including making their response to FERPA complaints more speedy.  I suggest that they post more of the results of their investigations and findings letters online, so that the public can see they’ve made progress and can better understand what sorts of actions violate FERPA; this  might also help prevent future infractions of the law. I again bring up Fatima’s complaints, which are still waiting for resolution more than three years later they were initially sent to his office. He assures me that the results of their investigation into both of her complaints will be within a few weeks or months.

April 16, 2019: The US Department of Education awards $9,842,050 to Success charter schools.  According to Success, this will help fund the opening of four new elementary schools, one new middle school, and one new high school, and help them expand four existing middle schools. By this point, there are at least four different pending federal lawsuits against the Success chain for violating the rights of students with disabilities.

April 22, 2019:  Another lawsuit is filed vs Success Academy, for forcing a special needs student out of its schools, as well as calling Children’s Services on the mother, and forcibly removing the student to a Brooklyn police station.  In this case, Ann Powell, Success Academy spokeswoman, writes in an email,  “the lawsuit is completely without merit and contains numerous factual inaccuracies” but said she could not go into detail due to federal privacy laws.”

May 2, 2019: Michael Hawes announces he is leaving the US Dept of Education to join the Census Bureau.  He writes me, “Re the Geidi case, it’s cleared my office, but is being held for review by my leadership.  I’m hoping I’ll be able to issue it before I depart.”

May 4, 2019:  In response to the allegations made by Lisa Vasquez, Success Academy releases details of her child’s file to reporters, and claims that they have the right to do so in order to “rebut false claims without violating FERPA.”

May 9, 2019:  Lisa Vasquez files her FERPA complaint against Success Academy. (see below).

May 10, 2019: Michael Hawes’ last day at the US Dept. of Education.  Needless to say, the results of the investigation into Fatima’s complaint against Success Academy violations of her son’s privacy have still not been released.

May 9, 2019

U.S. Department of Education
Family Policy Compliance Office
400 Maryland Ave, SW
Washington, DC 20202-8520

By postal mail and email to: FERPA.Complaints@ed.gov

My name is Lisa Vasquez and I reside at the following address: [redacted].  I am the mother of Jazmiah Vasquez, my daughter who has been diagnosed as autistic and is seven years old.  Jazmiah was a student at Success Academy Prospect Heights, 760 Prospect Pl, Brooklyn, NY 11216 from September 2017 to November 2017.

The principal of the school at that time was Sydney Solomon.  The principal now is Darielle Petrucci.  The  CEO (or Superintendent) of the Success Academy Network is Eva Moskowitz, whose office is located at the following address: 95 Pine Street, Floor 6, New York, NY 10005.

On  May 4, 2019 , the NY Daily News ran an article about the fact that my daughter was pushed out of this charter school and still has not  received a placement in a school that can provide her with the intensive services that she needs. https://www.nydailynews.com/new-york/education/ny-18-month-wait-school-disabilities-20190505-kfmsidunyjhzfmmkfvve2ylsv4-story.html   The same day, the media outlet Chalkbeat also ran a longer story about her predicament. https://www.chalkbeat.org/posts/ny/2019/05/04/how-special-education-failed-jazmiah/

As the Chalkbeat reporter Alex Zimmerman wrote, Success officials showed him confidential records from my daughter’s file: “Success officials provided detailed records of Jazmiah’s time at the charter network, including progress reports, contemporaneous notes from multiple educators and psychologists, and a copy of her learning plan.”

On Twitter, the reporter exclaimed at the level of detail he was provided: “The way Success responded to my questions shocked me. They turned over detailed records of Jazmiah’s time at the school, including progress reports, contemporaneous notes from multiple educators and psychologists, and a copy of her learning plan.” https://twitter.com/AGZimmerman/status/1125405362709049344

At no time did I provide my consent for the school to release any of this information – and yet Success Academy officials claim that it was their right to do so.  Here is an excerpt from the Chalkbeat article:

Ann Powell, Executive Vice President of Public Affairs & Communications at Success Academy Charter Schools, defended this  disclosure. “It is our position that we are allowed to rebut false claims without violating FERPA when a parent has chosen to go the press but our critics don’t accept that position,”

As also noted in the article, Success Academy is a serial violator of students’ privacy rights; see the FERPA complaint filed by Fatima Geidi , submitted on Oct. 30, 2015, more than three years ago, about how Success Academy CEO Eva Moskowitz shared details of her son’s disciplinary records with reporters:  https://nycpublicschoolparents.blogspot.com/2015/10/ferpa-complaint-from-fatima-geidi-to.html   Here is an article about this:   https://slate.com/human-interest/2015/10/success-academies-eva-moskowitz-published-a-students-disciplinary-record.html   In that article, Ms. Moskowitz was quoted as follows:

“The First Amendment limits a person’s ability to use privacy rights to prevent others from speaking. When somebody chooses to make statements to the press, they waive their privacy rights on the topics they have discussed, particularly when, as here, those statements are inaccurate.”

Yet there is no such waiver or provision in FERPA.  Ms. Geidi’s complaint still has received no response from your office though it was submitted three and half years ago, even though she has heard that an investigation was launched and completed.   Because of this undue delay, Success Academy officials apparently assume that they do not have to follow the law.

This disclosure by Success Academy of my daughter’s education records  is an egregious and willful violation of both FERPA and IDEA.  I urge you to take action in an expedited fashion to alert school officials to these repeated violations of the law and to exact punitive damages.

I certify that this information is accurate and true to the best of my knowledge.

Signed Lisa Vasquez, May 9, 2019

McPherson KS students join the rebellion vs Summit and depersonalized learning and win the right to opt out

Yesterday, in a NY Times front page story, the reporter Nellie Bowles explored the many problems experienced by Kansas students and parents when the online Summit Learning program was imposed on their schools, including health problems, poor curriculum and lax privacy. “It sounded great, what they sold us,” said one parent. “It was the worst lemon car that we’ve ever bought.”  Please read the article and if you’re a Summit parent anywhere in the country, share your experiences in the online portal at the end of the article.

I’ve written about the resistance to the Summit platform since 2016, here, here, here  and here, including my visit to a Summit charter school here.  Though the NY Times article gives short shrift to the issue of privacy it does contain a quote from me about the tremendously intrusive wealth of personal data that Summit and the Chan Zuckerberg Initiative are collecting. Mark Zuckerberg has repeatedly broken every promise he’s made about keeping personal data private and neither CZI nor the new nonprofit that will take over Summit headed by Zuckerberg’s wife have provided any reason that parents should trust them any more.

What’s particularly moving about the article is that while Summit and its funders, including Bill Gates, Mark Zuckerberg, and  the Chan Zuckerberg Initiative all claim Summit students are able to demonstrate ” “greater ownership of their learning activities,” the McPherson Kansas students are actually taking ownership of their education by walking out of school and engaging in sit-ins.  Though of a very different demographic, they resemble the remarkable Brooklyn students who earlier this year walked out of the Secondary School of Journalism in protest against Summit, and who followed up by writing an open letter to Mark Zuckerberg, saying “We refuse to allow ourselves to be experimented on in this way.“ 

This is a growing phenomenon.  Note the thousands of Ontario students who organized a mass walk-out earlier this month of schools throughout the province,  against rising class sizes and the requirement that all high school students  take online courses.  All of these students are showing courage and agency by resisting the narrow technocratic and ultimately dehumanizing policies that threaten to fatally damage their education.

It was just announced that at as a “compromise” at the McPherson middle school that the NY Times reported on, up to 225 students will be allowed to opt out of Summit next year.

Five years ago yesterday, inBloom closed its doors after parents rebelled against this Gates Foundation $100 project, designed to collect and share the personal student information of nine states and districts with for-profit ed tech companies.  At that time I asked, does that mean government officials, corporations  and  foundations have learned their lesson? The continued invasion of ed tech into our classrooms, including the expansion of Summit, sadly shows not.  But as parents are increasingly joined with students in rebellion against depersonalized learning, perhaps we have a chance to beat it, once and for all.

Our updated fact sheet on Summit, including questions that parents and students should ask before the program is implemented in their schools is here: Summit fact sheet 4.22.19 and below.

Parents beware! SAT day is here; please ask your kids what personal questions they were asked

Starting today and through the beginning of April, many schools across the country give the SATs and PSATs to their students.  Before the administration of these exams, the College Board asks students many personal questions, without making clear that answering these questions is voluntary, and later sells the information they collect to other organizations and companies at 45 cents per name.  An article about this practice was published in the NY Times last summer.

Meanwhile, the US Department of Education has also advised states and districts that allowing the College Board to ask students certain sensitive questions in school which is then shared with other organizations without parental consent may be illegal, according to three federal laws: FERPA, IDEA and PPRA.

Please ask your children what questions they were asked before taking the SATs or PSATs,  and whether they were informed that answering these questions was optional.  If they provided any personal information you don’t want shared or sold, you can opt out of the Student Search Service on the College Board website, and/or  demand that College Board delete the data.

Also please let us know if you find out that your children were asked certain questions in these pre-test surveys that you consider overly personal or sensitive by emailing us at info@studentprivacymatters.org

thanks!

Comments on proposed regulations for NYS student privacy law Education Law §2-d

Comments on proposed regulations  for NYS student privacy law Education Law §2d

March 27, 2019

PDF version here.

Submitted by the Parent Coalition for Student Privacy, New York State Allies for Public Education and Class Size Matters by email: REGCOMMENTS@nysed.gov

 Proposed regulations posted here: http://www.nysed.gov/common/nysed/files/programs/student-data-privacy/proposed-part-121-for-pii.pdf

Deadline for comments March 31, 2019

Summary:

  • In the Parent Bill of Rights, the following federal laws that afford parents and their children important rights to privacy must be included: Protection of Pupil Rights Amendment (PPRA), National School Lunch Act   (NSLA) and Children’s Online Privacy Protection Act (COPPA) .  Each of these laws provide parents with rights to protect their children’s personal data and is inexplicable why they have been omitted from the NYSED Parent Bill of Rights and the Student Privacy website for so long, especially as Education Law §2-d states that the Parent bill of rights  shall include all “State and federal laws [that] protect the confidentiality of personally identifiable information.
  • The Education Law §2-d also states that “The chief privacy officer, with input from parents and other education and expert stakeholders, shall develop additional elements of the parents bill of rights for data privacy and security. The commissioner shall promulgate regulations for a comment period whereby parents and other members of the public may submit comments and suggestions to the chief privacy officer to be considered for inclusion.”  This clause should be included in the regulations as over time there will likely be more threats to student privacy as districts contract with additional vendors collecting personal student data in digital form.
  • The personal information of former students and former teachers as well as current students and teachers should be explicitly protected and covered by the regulations.
  • The state should not be collecting the personally identifiable data on individual students regarding to their country of birth or their in-school or out-of-school suspensions, given the extreme sensitivity of this data.  If necessary, both categories of information can be reported to the state by districts in an aggregate basis and if the state is worried about its accuracy, this reporting should be audited.
  • The regulations omit  specific provisions in  Education Law §2-d, including that school districts shall not report to the department the following student data elements:(1) juvenile delinquency records;(2) criminal records;(3) medical and health records; and(4) student biometric information unless required by law except in the case of law or required educational enrollment data.  This should be added.
  • The words “license” should be added to the section on the Parent Bill of Rights and in the section on prohibiting the selling of data by districts or their vendors.  The latter provision should read as follows “Personally identifiable information maintained by educational agencies, including data provided to third-party contractors and their assignees, shall not be sold, licensedor used for marketing purposes.” There is no significant difference between selling and licensing data, and yet College Board exploits an unacceptable loophole, claiming they so not sell student data but instead “license” it for a fee to other companies and organizations, even as the US Department of Education points out that they are really selling it.
  • Each educational agency should publish its data security and privacy policy on its website and provide notice of these policies to parents, not just to employees.
  • Vendors who collect personal information of students on behalf of school districts must be responsible for making sure that their children’s data is available to parents upon request and correcting errors if challenged.
  • In order to receive personal student information,  vendors must have written contracts with education agencies or else all the specific requirements outlined in the law and the regulations for these contracts could be evaded.  This is implied in the law and the regulations but  it should be clearly stated.
  • Education agencies should be required to post all contracts with vendors that receive personal student data or make them available within a limited period of time upon request, including which categories of personal student data the vendors are collecting and how parents may request access to that data. Education agencies should also have to explain why they are providing vendors access to this data and what is the educational purpose for this access.
  • Breach notification to parents and affected parties should be carried out by snail mail and email; not phone calls, which are too difficult to verify and track.
  • The regulations should incorporate all the powers and responsibilities of the Chief Privacy Officer as stated in Education Law §2-d; right now many are omitted from the proposed regulations, including the responsibility to issue an annual report on data breaches and improper data disclosures, as well as the results of investigations into parental complaints.  This annual report should include information on how many districts are complying with the law, and providing the required training of staff in data privacy and security.  A deadline for the completion and release of this annual report should also be specified in the regulations.

More detailed comments are below.

§121.1 Definitions

 p. 6; lines 54-55:

 (o) Student means any person attending or seeking to enroll in an educational  agency.

Add: “or a former student” who must also be covered under the law.

lines 56-57:

(p)  Student Data means personally identifiable information from the student records of an educational agency.

Add: “or collected by vendor on behalf an educational agency.”

§121.2 Educational Agency Data Collection Transparency and Restrictions.

p. 7 – important to add:

d) No educational agency shall disclose personally identifiable information to any contractor or third party without a contract or written agreement that specifies its use and the conditions under which it will be kept private and secure.

This is implied – that contracts or written agreements are required but never explicitly stated in the text of the regs.

Also need to add from Ed Law §2D but missing in the regs:

e) Except as required by law or in the case of educational enrollment data, school districts shall not report to the department the following student data elements:(1) juvenile delinquency records;(2) criminal records;(3) medical and health records; and(4) student biometric information.

§121.3 Parents Bill of Rights for Data Privacy and Security

p. 7lines 92-93:

(a) Each educational agency shall publish on its website a parent’s bill of  rights for data privacy and security (“parent’s bill of rights”) that complies with the  provisions of Education Law §2-d (3).

The above should include the State Education website which currently lacks any mention of four prominent and critical applicable federal student privacy laws, including PPRA, IDEA, COPPA and NSLA.

Lines 115-116:

(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected .

The word “if” above should be deleted.   According to FERPA, parents and eligible students have the right to challenge the accuracy of any of the personal data that pertains to them.

p. 9, line 121:

(6) address encryption of the data as provided in Education Law §2-d 5(f)(5).

The mode of encryption should be spelled out as it is on p. 14 – Section 121.9

Also add: These contracts shall be posted on the agency’s website or be available upon request within 30 days.

And:  For each contract, information should be included as to whether parents may opt out of the specific data disclosure and if so, how they may do so.

§121.5 Data Security and Privacy Standard.

p. 10, lines 153-155:

(a)As required by Education Law §2-d (5), the Department adopts the National Institute for Standards and Technology Framework for Improving Critical  Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies.

As NIST Framework is updated regularly in order to respond to new cybersecurity threats, the regulations should say that these requirements may themselves be updated regularly.

lines 163-164:

c (1) every use of personally identifiable information by the educational agency shall benefit students and the educational agency (e.g., improve academic achievement, empower parents and students with information, and/or advance efficient and effective school operations).

The word “disclosure” should be added to the above; so that it reads “every use AND DISCLOSURE” of personally identifiable information.

p. 11 lines 169-172:

2(d) An educational agency’s data security and privacy policy shall include all  the protections afforded to parents or eligible students, where applicable, under FERPA and the Individuals with Disabilities Education Act (20 U.S.C. 1400 et seq.), and the  federal regulations implementing such statutes. 

It is important to add the protections granted under federal laws PPRA, NSLA and COPPA here as well as include them in the Parent Bills of Rights..

Lines 173-174:

2 (e) Each educational agency must publish its data security and privacy policy on its website and provide notice of the policy to all its officers and employees.

Add: “and to all parents.”

§121.6 Data Security and Privacy Plan.

Line 189:

4 comply with Education Law §2-d.

 Add: “or collected by vendor on behalf an educational agency.”

 §121.9 Third Party Contractors

p. 13 lines 217-218

A 2) limit access to personally identifiable information to only those employees or sub-contractors that need access to provide the contracted services

ADD: these sub-contractors shall be specified in the contract.

lines 221-223:

(4) except for authorized representatives of the third-party contractor such as  a subcontractor or assignee to the extent they are carrying out the contract and in compliance with state and federal law, regulations and its contract with the educational agency, not disclose any personally identifiable information to any other party:

Question: how does this differ from (2) above?

lines 231-234

(5) maintain reasonable administrative, technical and physical safeguards to  protect the security, confidentiality and integrity of personally identifiable information in  its custody as prescribed by state and federal law, regulations and its contract with the  educational agency;  

“Reasonable” has no substantive meaning here; it should instead say “industry best practices”

p. 14; lines 239-241:

(7) not sell personally identifiable information nor use or disclose it for any  marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.

Add the word “license” after sell – i.e. “not sell or license PII”

§121.10 Reports and Notifications of Breach and Unauthorized Release

lines 258-259

(d) Educational agencies shall report every discovery or report of a breach or unauthorized release of student or teacher data to the Chief Privacy Officer without unreasonable delay, but no more than 10 calendar days after such discovery .

 This seems to repeat the same words as in (b) above, lines 253-253; see below:

(b) Each educational agency shall in turn notify the Chief Privacy Officer of 252 the breach or unauthorized release no more than 10 calendar days after it receives the 253 third-party contractor’s notification in a format prescribed by the Department

p. 15, line 261:

(e) Educational agencies shall notify affected parents, eligible students, teachers and/or principals in the most expedient way possible ….

Add:  former students should be informed to the degree possible if their PII has been breached

lines 275-281 etc.:

(g) Notifications required by this section shall be clear, concise, use language 275 that is plain and easy to understand, and to the extent available, include: a brief 276 description of the breach or unauthorized release, the dates of the incident and the 277 date of discovery, if known; a description of the types of personally identifiable 278 information affected; an estimate of the number of records affected; a brief description 279 of the educational agency’s investigation or plan to investigate; and contact information 280 for representatives who can assist parents or eligible students that have additional 281 questions .

ADD: Notifications shall also include what actions affected individuals can take to mitigate the damage from the breach, as well as what actions the party responsible for the breach will take to mitigate the damage.

p. 16: lines 283-284:

(h) Notification must be directly provided to the affected parent, eligible student, teacher or principal byfirst-class mail to their last known address; by email; or by telephone.

Notification should occur by email AND first-class mail; not by telephone as there will be no record of the message and thus no proof of whether it occurred.  Also former students should be notified as well if their PII is breached.

§121.12 Right of Parents and Eligible Students to Inspect and Review Students Education Records

lines 350-351:

(c) Requests by a parent or eligible student for access to a student’s education records must be directed to an educational agency and not to a third-party contractor.

 ADD: “and the educational agency shall arrange for the records to be delivered to the parent or eligible student.”

  1. d)Educational agencies are required to notify parents annually of their right  to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.

ADD: or any student data stored or maintained by a contractor on the agency’s behalf.

  • 121.13 Chief Privacy Officer’s Powers

pp. 19-20

There are many more powers and responsibilities enumerated of the CPO in Section 2D of the Education Law than those mentioned here. These should all be included here,  including the responsibility to issue “ an annual report on data privacy and security activities and progress, the number and disposition of reported breaches, if any, and a summary of any complaints.” 

This report for the previous school year should be released to the public and posted on the State Education Department website by Jan. 1 of each year, and made available upon request to any interested party.  All of the following  functions of the Chief Privacy Office included in Education Law §2-d should be incorporated into the regulations:

b.The functions of the chief privacy officer shall include, but not be limited to:

  1. (1) promoting the implementation of sound information practices for privacy and security of student data or teacher or principal data;(2) assisting the commissioner in handling instances of data breaches as well as assisting the commissioner in due process proceedings regarding any alleged breaches of student data or teacher or principal data;(3) providing assistance to educational agencies within the state on minimum standards and best practices associated with privacy and the security of student data or teacher or principal data;(4) formulating a procedure within the department whereby parents, students, teachers, superintendents, school board members, principals, and other persons or entities the chief privacy officer determines is appropriate, may request information pertaining to student data or teacher or principal data in a timely and efficient manner;(5) assisting the commissioner in establishing a protocol for the submission of complaints of possible breaches of student data or teacher or principal data;(6) making recommendations as needed regarding privacy and the security of student data on behalf of the department to the governor, the speaker of the assembly, the temporary president of the senate, and the chairs of the senate and assembly education committees; and

    (7) issuing an annual report on data privacy and security activities and progress, the number and disposition of reported breaches, if any, and a summary of any complaint submitted pursuant to subparagraph five of this paragraph.

    c. The chief privacy officer shall have the power to:

    (1) access all records, reports, audits, reviews, documents, papers, recommendations, and other materials maintained by an educational agency that relate to student data or teacher or principal data;

    (2) to review and comment upon any department program, proposal, grant, or contract that involves the processing of student data or teacher or principal data before the commissioner begins or awards the program, proposal, grant, or contract; and

    (3) any other powers that the commissioner shall deem appropriate.

Submitted by the Parent Coalition for Student Privacy, NYS Allies for Public Education and Class Size Matters

For more information, please contact info@studentprivacymatters.org