If your child takes the SAT or PSAT, is his or her personal information being collected, profiled, licensed and sold?

Cross-posted from the Washington Post Answer Sheet.  Cheri Kiesecker is a Colorado parent and a member of the Parent Coalition for Student Privacy.

By Cheri Kiesecker

In schools all over the country, middle and high school students are being assigned to take PSAT and SAT assessments in a few weeks. I’m a parent and after my child’s class was asked to take the practice SAT (PSAT 8/9) this past October, I discovered that the College Board, owner of these college entrance assessments, solicits personal information from each student without parental consent.

Several weeks after the test, the College Board returned the completed PSAT answer sheets and test booklets to students once the exam had been scored and recorded. I was surprised to learn that the PSAT 8/9 answer sheet begins by asking many very personal questions of each student; though nowhere on the form or booklet does it say these questions are optional.

The PSAT 8/9 instructions printed on the answer sheet said only this:

  • Use a number 2 pencil only. Print the requested information in the boxes for each item.
  • Fill in the matching circle below what you write in each box. Erase errors completely.
  • In very fine print, at the top of page 4 on the answer sheet, it states,

QUESTIONS TO HELP THE COLLEGE BOARD HELP YOU Your answers to the following questions will help the College Board ensure that tests and service are fair and useful to all students. Your responses may be used for research purposes and may be shared with your high school, school district and state.

The answer sheet had spaces for the student’s name, grade level, sex, date of birth, student ID number or social security number, race/ethnic group, military relation, home address, email address, mobile phone, GPA, courses taken, and parents’ highest level of education.

If parents or students were to take it upon themselves to peruse the College Board website, they would find a page which urges students to participate in the College Board’s Student Search Service. See the table below for a list of the data that is potentially collected and shared, depending on the specific College Board assessment, SAT, PSAT or AP.   Many of these questions are also asked of students right before they take the exam, as part of the Student Data Questionnaire.  (click to enlarge on the left)

As you can see, among students’ personal information collected and sold includes citizenship – a particular concern given the increased risk that undocumented students may be identified and targeted by immigration officials. In New York City, apparently because of these concerns, public schools that are administering the SAT have now been alerted not to include the Student Questionnaire as part of the test.

After searching the College Board website, I promptly contacted the College Board and asked why students are asked about their family’s race, religion or military background. What does the College Board do with this personal data? Who specifically do they share data with? You can see my questions and the confusing and evasive response from the College Board here. Oddly, it took the College Board over three months to answer. Additionally, my immediate follow up questions sent two months ago, which include asking whether they sell student data and whether it is required for students to provide their religion, are still unanswered.

In their January response, the College Board claimed that students were told which questions were optional and that students had given “express consent” to share this information. In actuality, after talking to students, parents, and administrators at the school, it was clear they were unaware that these questions were optional. Additionally, Colorado law says students must be at least 18 years old to consent to the use, sharing, or retention of their personally identifiable information.

Neither the PSAT 8/9 answer sheet or test booklet informed students that most of these questions were optional, or distinguished them from the obligatory questions, demanding they fill out their name, school, etc. In fact, the “optional” questions are not identified in the PSAT 8/9 Supervisor Manual or the script which proctors are instructed to follow.

However, according to the College Board’s response to my query, only the first five questions on the answer sheet are obligatory, including student name, grade level, sex, date of birth, and student ID number. The remainder of personal questions, including race, religion, military background, GPA, home address, phone, etc. are optional.

When sitting down to take this high stakes test, how is a student able to know which questions are considered voluntary if this is not clearly marked or communicated? With the answer sheet instructions stating to fill in every box, students tend to follow suit, fearing that an incomplete answer sheet could render their scores invalid. Why does the College Board even have a space for a student’s social security number in place of student ID number, when most states forbid using social security numbers as primary identifiers? Why aren’t parents asked for consent before information about their child’s attitudes, religion and race are collected and apparently shared, accessed by outside organizations via purchased license according to the College Board website?

Under federal PPRA law, sensitive questions like religion or income, require prior informed parental consent.

Remarkably, there is no federal law prohibiting the sale of personal student data. However, there is a self-policed software industry privacy pledge in which signers promise not to sell a student’s personal information. The College Board has signed this pledge. In addition, like many other states that have recently enacted student data privacy laws, Colorado’s student data transparency and security law also prohibits vendors from selling personal student data except in the case of a merger or acquisition. Accordingly, the amended contract between the State of Colorado and the College Board for SAT and PSAT10 expressly says that the “contractor shall not knowingly….License or sell Covered Information, including PII to any third party.”

Consider the astonishing amount of data collected on students today, in particular, think of the data collected and analyzed when students take a college entrance assessment. Many states now require high school students to take the SAT in 11th grade. Some states, districts, or individual schools require students to take the practice SAT assessment in 8th, 9th or 10th, grades, in hopes of improving their scores later on the SAT. However, what many parents and schools do not know, is that their student’s personal data, including “geographic, attitudinal and behavioral information” can be profiled and accessed by organizations via a license they purchase from the College Board. Yet the College Board’s privacy policy to parents and students claims they do not sell student data. Rather, they sell a license to access a student’s personal data. What is the difference? Indeed, this distinction seems only semantics and seems deceptive.

The College Board sells licenses to access the data through a tagging service called College Board Search. The Segment Analysis Service™ is one of three featured tools of the Search, along with the Enrollment Planning Service™, and the Student Search Service®. These are “enhanced tools for smart recruitment”. The College Board’s Authorized Usage Policies states, “Student Search Service in connection with a legally valid program that takes such characteristics into account in furtherance of attaining a diverse student body.

The pricing for the College Board Search student data tagging service is $0.42 cents per student, and allows college admission professionals to identify prospective students based on factors such as zip code and race and to Leverage profiles of College Board test-takers for all states, geomarkets, and high schools.” Segment Analysis Services is “for admission offices that need market and attitudinal information early in the recruitment process in order to better segment and target the admission pool,” and “Use Educational Neighborhood and High School Clusters as criteria when licensing names with Student Search Service, Access individual cluster factor scores. Tag an unlimited number of files…”

Which organizations buy personal student data licenses from the College Board? They are not listed anywhere on the website, but a NY Civil Liberties Union fact sheet reveals that the Department of Defense is among the institutions which buys student data for recruiting purposes.

College Board, ostensibly a non-profit, had $77 million in profits and $834 million in net assets in 2015,  according to Reuters. How much of that income garnered through the licensing of student data?  

Please see Pricing & Payment Policies for specific information.
But why is the College Board allowed to share personal student data through the Student Search Service, in which companies are charged via a “license agreement” if this is specifically prohibited by Colorado law?

Is the College Board selling personal student data in other states, through their “license” agreements, despite having signed the student privacy pledge?

Interestingly, since I’ve started asking questions to College Board and the state, the College Board recently sent home Student Data Consent Forms for the PSAT 10 and SAT to some Colorado families the week of March 6, 2017. This is a good first step and should have been done prior to students taking the PSAT 8/9 assessment last fall. However, there is no parent signature required on these new consent forms. Why is the College Board still asking for consent from a minor student and not the parent?

Here is an excerpt of the new SAT consent form sent home to Colorado students (click to enlarge):

The SAT Student Data Questionnaire asks students about their personal attitudes and interests:

The Colorado contract with the College Board for SAT and PSAT10 states the following about this Student Descriptive Questionnaire:

Curiously,  the SAT Consent Form links to instructions for the College Board’s Student Data Questionnaire which say, “The data you provide will be added to your College Board student record, even if you choose to not participate in Student Search Service.” What personal information is being “added” to a student’s record and what is the purpose? Can that information still be licensed and shared?

As reported by independent consultant Nancy Griesemer in 2015, ACT also has a lengthy pre-test survey that collects personal data from students which, combined with other data, is being used by colleges and universities to assess the student’s “Overall GPA Chances of Success” in various majors and courses, measured in terms of likely to receive “B” or “C” or in these areas. You can see what these scores look like on this updated sample ACT report. (Notice this ACT report also includes the student’s citizenship status.)

As discussed in the Washington Post last year, there’s still a lot students and parents need to know about how data is collected, shared, and accessed via licenses sold. And as Politico reported in 2014,

Many kids also put their personal profiles on the market — whether they realize it or not — when they take college entrance exams. Students taking the SAT, ACT, Advanced Placement exams and other standardized tests are asked to check off a box if they want to receive information from colleges or scholarship organizations. Depending on the exam, at least 65 percent — and as many as 85 percent — of test takers check that box, according to the College Board and ACT. That consent allows the College Board and ACT, both nonprofits, to market students’ personal profiles…”

That struck me as almost predatory, playing on students’ hopes and fears by having them surrender their personal data. So, I wrote to the College Board and asked, what happens if students do NOT give their data to Student Search? Will this limit their ability to get into colleges? Will they still be considered for scholarships?

The answer from the College Board is important for every student, parent and school administrator to hear: “if a student does not opt in to Student Search Service it will not impact their chances at being accepted into colleges or scholarship programs in any way.”   This should be printed on instructions, every test booklet, and website.

My experiences as a Colorado parent show that this frustrating lack of transparency still exists today. And it’s getting worse as increasingly, data and algorithms are being used to make decisions about students’ lives, without their even knowing. These algorithms can analyze and recombine data to make predictions about their futures. As an article in Fast Company reveals, Students’ data footprints are affecting their lives in ways they can’t even imagine:

“...Even major life decisions like college admissions and hiring are being affected. You might think that a college is considering you on your merits, and while that’s mostly true, it’s not entirely. Pressured to improve their rankings, colleges are very interested in increasing their graduation rates and the percentage of admitted students who enroll. They have now have developed statistical programs to pick students who will do well on these measures. These programs may take into account obvious factors like grades, but also surprising factors like their sex, race, and behavior on social media accounts. If your demographic factors or social media presence happen to doom you, you may find it harder to get into school—and not know why.”

Despite much opposition, a 2011  regulatory change to the Family Educational Rights and Privacy Act,  FERPA,  weakened this federal law that once protected student information from being shared without consent.  FERPA needs to be fixed and parents need to be given back their rights to consent to student data sharing. State laws as well as the Student Privacy Pledge need to be scrupulously enforced so that personal student data is not sold for profit. Bottom line, parents and students after they reach 18 should own and control their own data. They should have a say as to whether and how personal information about their child is shared outside of the school walls.



SXSWedu as seen through the eyes of a privacy advocate

By Rachael Stickland, Co-chair, Parent Coalition for Student Privacy

Until 2013, I had never heard of SXSWedu — the nerdy fusion of education and technology that descends on the city of Austin, TX every spring just before the real SXSW festival begins. That year, vulture philanthropist Bill Gates took SXSWedu by storm when he launched inBloom, yet another of his efforts to disrupt the public education system. If you’ve never heard of inBloom, back in 2012 the Bill & Melinda Gates Foundation invested over $125 million to create a private corporation with a technology platform designed to slurp up student data, store it in the cloud, to facilitate the ability of ed tech companies to use the data to develop products and services to sell back to schools.

inBloom was on my mind in 2013 because my children’s school district in Colorado, along with eight other states and districts, agreed to pilot the project using our students as guinea pigs without ever notifying or obtaining consent from parents. Reading everything I could about it at the time, I found tweets and articles coming out of SXSWedu about inBloom parties and coding competitions, and saw photos of Bill Gates taking the stage to make the case for his big data idea.

Bill Gates appearing with inBloom CEO Iwan Streichenberger on the SXSWedu 2013 stage. Credit Amy E. Price/inbloom, via Pr Newswire

But while ed tech companies were celebrating in Austin in March 2013, parents across the country became alerted and increasingly worried about how their children’s data was being captured and re-disclosed by inBloom.  They ignited a firestorm, and in a little more than a year after Gates and his plans took center stage at SXSWedu, the corporation was history.

Important questions arose from the ashes: How can our current privacy laws allow this to happen? Why aren’t our schools, and the companies they contract with, held to higher standards to protect student privacy?

With funding provided by the tech industry and the Gates Foundation, think tanks and organizations jumped in to try to control the damage by producing student privacy websites,  writing white papers,  issuing survey results, and holding various forums and meetings on the subject. In addition, these organizations, including some of the same individuals directly responsible for the inBloom fiasco, returned for the next three years to the SXSWedu stage to dissect the inBloom carcass, to try to determine what went wrong and recoup, without ever inviting any of the many parents and advocates who organized against inBloom to explain their concerns.

After the inBloom collapse, I along with some of the other parents and advocates alerted to the perilous state of student privacy created a new national organization called the Parent Coalition for Student Privacy.  In the last three years alone, over seventy new student privacy laws have been passed in thirty-six states to try to close the numerous loopholes in federal law.

We have also been busy developing privacy principles, testifying before Congress, and bringing attention to the need for  stronger protections for student data.  We are about to release a Parent Toolkit for Student Privacy, in collaboration with the Campaign for Commercial-Free Childhood.  I co-chair this organization, and this year, due to a generous donation from one of our coalition members, I was able to fly from Denver to Austin and participate in SXSWedu 2017, if only as a spectator. Over the course of three and a half days, I attended every session physically possible on the topics of data, privacy and personalized learning. While expecting to feel like a fish out of water, I had no idea just how punishing the experience would be.I’ve become accustomed to having some unpopular views when it comes to student privacy. Having attended school board and PTA meetings, testified at numerous bill hearings, and sat on a few committees and panels all dealing with the issue, my uncompromising positions often labels me as most radical person in the room. I’m okay with that. But never in my life have I felt so disenfranchised as I did at SXSWedu.

Surrounded by thousands of latte-sipping edupreneurs, technocrats, and snake-oil salesmen, my nerve endings were bombarded by words like “disrupt,” “dismantle,” “data,” “innovate,” “online,” “personalized,” “blended,” and “dollars” more times than I could count. I watched from the outside as those within this ideological echo-chamber pitched recycled ideas, swapped snazzy looking business cards, and patted each other on the back. They seemed eager to reinforce each other’s convictions that they were the smartest people in the room, because they had figured out the rules of the ed tech game.

While school board members, administrators, teachers, students and parents fight on the front lines against Common Core, high-stakes testing and data collection, we leave behind us an unattended treasure chest full of billions of taxpayer dollars just waiting to be plundered. The message at SXSWedu is loud and clear:  To win the game, hurry up and get your fair share before the research, evidence and privacy laws catch up to us!

Never was that more clear than when I attended a session called, “Insights into the next generation of EdTech Unicorns” hosted by the co-founders of EdTechXGlobal. A “unicorn” is a start-up company worth $1B or more and the co-founders, who looked like young clones of Austin Powers’ nemesis Dr. Evil, gave quite a show. They predicted edtech will produce the next unicorn because, as they claimed, the global education market is now worth $5.2 trillion (far more than the global gaming market worth only $91 billion), and proclaimed that “Digital education is the oil of [the] knowledge economy.”  You could just feel the excitement in the room.

But there were also some bright moments last week.  After my very first session, a young woman sitting behind me struck up a conversation. She had just returned from six years abroad and took a job with a predictive analytics firm where she, along with others in her company, were stunned to learn the privacy laws protecting students in the U.S. were so porous as to be utterly useless. After explaining to me the limited amount of de-identified data her firm needs to identify a specific individual (e.g. only 2-3 pieces of information like a zip code and birth date), she handed me her card; she wanted to learn more about student privacy and help parents any way she can.

My second favorite moment came at a packed Starbucks on Wednesday afternoon. Sitting only inches away from the table next to me, three people — one from the Chan-Zuckerberg Initiative (CZI) — were speaking typical SXSWedutechbabble: “virtual schools” this and “personalized learning” that. I tried not to eavesdrop but I couldn’t help but overhear the person from CZI say, “2013 was all about inBloom.” Honestly, this was the first time I had heard that word uttered the entire conference. Just four years after inBloom’s rise and fall, no one speaks its name anymore, maybe out of fear that their grandiose projects may  suffer the same fate.

Overall, I’m thankful I was able to experience in person this conference that until now I’ve only read about. Now that we’ve opened the door a crack, maybe next year we can push it open a little wider. It sure would be fun to crash the party with a big group of grassroots privacy advocates. That would really keep Austin weird!

Alert! CT parents — don’t let your state legislators strip your children’s privacy protections!

The below is  by Cheri Kiesecker and is reprinted from the Missouri Education Watchdog blog.  Among other things, this new CT bill would strip privacy protections that students currently receive and eliminate notifications of contracts that allow for the sharing of personal student information without parent consent- including breach notifications.  For more information on this bill, check out this action alert from Connecticut Alliance for Privacy in Education (or CAPE), and join their Facebook page on how you can help stop this bill from becoming law.  Here is our Testimony In Opposition to Bill 7207.

Connecticut passed a student data privacy and transparency bill, Public Act 189,  in 2016.

The bill adopted common sense policies associated with contracts between school districts and corporations that collect, maintain, and share student data.  The CT law does NOT limit data collection, does not require parental consent prior to collecting data, it only asks that NEW  or renewed contracts and bids collecting student data must handle data appropriately. The law requires parents to be notified if their child’s data is breached. To their credit, the CT Commission on Educational Technology has done great work and is prepared and ready for this law to be implemented.  You can see their plan here: Operationalizing Public Act 189.

Why then, are some lawmakers in CT  introducing bills to cripple this new law that protects student data privacy? Do they not think that keeping student data safe, notifying parents of a breach is important?

You may remember one Connecticut legislator introduced a bill in January to entirely repeal this new student privacy law.  As CT blogger and parent Jonathon Pelto wrote,

“…in an astonishing, baffling and extremely disturbing move, State Representative Stephen Harding (R-107th District) has introduced legislation (HB 5233) to repeal this important law (Public Act 16-189)

…It is not clear who would ask Representative Harding to propose such a bill or why the representative would seek to do such harm to Connecticut’s students, parents and public schools.”

Fortunately, Representative Harding withdrew the bill after receiving much pushback (understandably) from the parent community.

New bill “Revising” CT Student Privacy to be heard Monday, March 6

This past week a new bill,  7207 to “revise” the student data privacy law,  was introduced, and will be heard by the CT Joint Education Committee this Monday, March 6.  This kind of a rush job could imply that they are hoping to pass this bill without giving parents time to react.  This new bill, 7207, wants to repeal the data privacy law and  delay further  implementation until July 1, 2018.   This would remove existing protection of school children for over a year.  WHY?

The Student Data Privacy Law has been in effect since Oct. 1, 2016; it only applies to NEW contracts, only asks for transparency, the CT  Edtech Commission has already done the work to implement it. WHY, would Connecticut want to now repeal protection and transparency?

Please email your comment or testimony in Word or PDF format to EDtestimony@cga.ct.gov . Testimony should clearly state your name and the bill you are commenting on: Bill 7207- AN ACT MAKING REVISIONS TO THE STUDENT DATA PRIVACY ACT OF 2016.

Connecticut citizens  please contact your legislators directly. If you are not sure who they are or how to contact them you can look that up here: https://www.cga.ct.gov/asp/menu/cgafindleg.asp

Is it asking too much that when a company contracts with a school and collects and uses and shares children’s data, that the data be kept safe and parents be able to see how that data is used, breached,  and not sold?

By repealing or delaying this law, who are they protecting?

How a parent discovered a huge breach by Chicago public schools– of private school students with special needs

UPDATE (3/8/17): Chicago parents -check out Cassie’s advice at the end to find out if your child’s information was breached.

The following post is by Cassie Creswell, a Chicago parent activist from Raise Your Hand Illinois and a key member of our Parent Coalition for Student Privacy.  In January, Cassie also testified on our behalf at the Chicago hearings of the Commission for Evidence-Based Policy against overturning the ban to enable the federal government to create a comprehensive student database of personally identifiable information.

More recently, upon examining expenditure files on the Chicago Public School website,  Cassie discovered the names of hundreds of students along with the disability services they received at numerous private and parochial schools. She immediately contacted  several reporters, and though an article in the Sun-Times subsequently briefly reported on this breach,  the reporter did not mention that it was primarily private and parochial students whose data was exposed.   In addition, legal claims for special education services that CPS had originally rejected were included along with student names.  Cassie’s fuller explanation of this troubling violation of student privacy is below — as well as the fact that at least some of these schools and families have still not been alerted to the breach by CPS.

Once again, Chicago Public Schools has improperly shared sensitive student data, the Chicago Sun-Times reported on February 25th.

Medical data about students used to administer outsourced nursing services was stored on an unsecured Google doc available to anyone with the link.  And personally-identifiable information (PII) about students with Individualized Education Programs (IEPs), including their name, student identification numbers and information about services and diagnoses related to their disabilities, were included in files of detailed vendor payments posted on the district’s public website.

I discovered this latter information in the vendor payment data, while in the course of searching for information about standardized testing expenditures. The files covered seven fiscal years, 2011-2016, but were only posted on the CPS website this past summer. Noticing what appeared to be a student name and ID number listed in the file struck me as surprising and likely a privacy violation. All in all, there were more than 4500 instances in the files where students’ names appeared along with the special education services they received.

Upon closer examination, it was clear to me that there was a great deal of highly sensitive student personal information that had been disclosed, with payments made from CPS to educational service providers assigned to hundreds of students with special needs attending private schools as well as public schools. Included were the name of the students, the schools in which they were enrolled, their ID numbers, the vendors who had been hired and the services they provided according to the students’ diagnoses. The funds for the payments came from public funds routed through the students’ home districts, CPS, to fulfill requirements of the federal Individuals with Disabilities Education Act (IDEA) for spending on special education students enrolled in private schools.

This breach has since been confirmed as violating federal and state privacy laws — at least in the case of the public school students whose personal information was disclosed and likely the private school students as well.

The records include descriptions of services along with the students’ names and schools that would clearly be considered highly confidential. Some descriptions related to academic services (e.g. “Direct Instruction – Reading, Writing and Math”) or speech and language therapy; others were even more sensitive, for example:

  • “direct therapeutic activities to address sensory processing and regulation emotional regulation [sic] fine motor”
  • “direct session once a week focusing on anxiety mood and social skills”
  • “direct services to develop strategies to work through anxiety other issues that interfere with her learning”
  • “Instruction by School Psychologist according to Special Education Service Plan”

In addition, the names and student id numbers of homeless CPS students were included in some of the earlier vendor payment files because of payments related to fee waivers.

The list of the 50 private and parochial schools and three school consortia whose student information was breached is below.

Or you can can click here to see a list of these schools with the number of instances for each one.

The vendor payment files also included instances of payments made to cover services mandated as the result of a due process hearing settlements. (Such a hearing is held when parents request a state-level resolution of a dispute over services for students with disabilities.) These included student names, case number and description of services (e.g. “[name redacted] – ISBE CASE NO. 20XX-00XX per order the district shall fund psychological evaluation services rendered [dates redacted]”)

Although the Sun-Times article quotes CPS officials saying that “affected families will be notified by CPS, ” I reached out to some of the schools, and they had not yet received notification as of Friday, March 3rd.

These are not the first student data breaches CPS has had this year. This past fall, a CPS employee was fired for unauthorized sharing of personal information of more than 28,000 students with a charter management organization, which then used the data for marketing.

Prior breaches (as documented here) in the last decade include:

Dozens of software and hardware vendors have products in use in the Chicago Public Schools. Payments to vendors of ed tech software alone have totaled at least $80 million in the last five years.  The data generated by ed tech software is almost always tied to a student’s personally identifiable information.

Regardless of the significance of the information shared about any individual student in this breach, the apparent negligence with which the district has treated confidential student data in these most recent breaches brings up significant questions:  What care is being taken to protect student privacy and comply with federal and state privacy laws? Who is looking out for our kids to ensure that these violations don’t recur repeatedly?

Parents and students should be justifiably concerned about how secure student data is. Taxpayers should be concerned about what legal liability the district is opening itself up to in an era of big data.


Advice for parents whose children’s data may have breached

If your child is/was enrolled at a Chicago private school and receiving services for a disability paid for by CPS to a private vendor of proportionate share services since fall of 2012, then your child’s  data may have been breached.

CPS says they will contact the family of every child whose data was exposed. We recommend calling the CPS Law Department to ask: 773-553-1700  Also, contact your school administrator; they may not have been notified yet of this breach.

You can also file complaints with the ACLU of IL, the IL Attorney General—including their civil rights bureau and disability rights bureau, and the CPS Inspector General.

If your child has only been enrolled in CPS, it is unlikely their information was part of this vendor payment data breach. One exception is if you had a due process settlement with CPS in which they agreed to cover services. In that case, it would be a good idea to contact your advocate or lawyer if you had one to notify them that this information may have been shared publicly. They should have advice for you. — Cassie Creswell

Creswell follow-up responses to Commission in opposition to a comprehensive federal student database

Following Cassie Creswell’s testimony on behalf of our Coalition on January 5, 2017 to the Commission on Evidence-Based Policy, the Commission sent her some follow-up questions.  Here are her responses.

10 February 2017

Commission on Evidence-Based Policymaking

Washington, DC


Dear Commission Members:

Thank you for requesting additional information about the Parent Coalition on Student Privacy’s position on unit record systems. Below we address all three of the Commission’s follow-up questions:

  • Can you please clarify whether your objection is to unit record systems for elementary and secondary school students or if you also object to unit record systems for postsecondary students?

See the discussion of this issue below.

  • You argue for local control of student data and specifically for parental and teacher data stewardship. At what point should adult students in postsecondary education become the stewards of their own data?

The control of their data should pass to post-secondary students when they become adults, as occurs currently in Federal law.

  • Would your concerns about the intrusiveness of a student-unit record system be mitigated if the data were only maintained without personal identifiers that could be used to track an individual student, and if there were statutory protections that guaranteed that the data could only be used for aggregate, statistical analysis?

No, because data can easily be re-identified. If only aggregate data is used, only aggregate data should be collected.

We have significant reservations about the creation of any universal unit record system for students, whether for elementary, secondary or post-secondary students.

Elementary and secondary student unit record systems present a particular set of risks because the majority of information in a child’s K12 educational record should not be made “permanent.” Childhood is a time of growth, experimentation and development; and mistakes and challenges should not be part of a record that could follow one into adulthood and hamper a child’s chance of future success.

A unit record system for post-secondary education does not present an identical set of concerns. Students in post-secondary institutions do expect that some aspects of their transcript, including grades and credits, will persist into adulthood with the expectation of being  shared with employers and other educational institutions—with their consent. Yet other contents of their education records should never be made public.

Records from these years may also contain sensitive information about immigration status, counseling records, mental and physical health and disabilities, etc. At the age of 18, control of the record is transferred from a parent or guardian to the students themselves, but, crucially, privacy controls are still maintained.

We have several concerns about the need for and use of any universal post-secondary unit record system:

  1. The efficacy of methods to de-identify or anonymize personally-identifiable data is questionable. De-identified data can often be re-identified and exposed.[1]
  2. The government should not have access to a comprehensive database for all post-secondary students as this information could be easily abused for political or immigration reasons.  This is especially of concern given the current political climate. The Home Office in Great Britain has now requested access to a similar government student database for the purposes of “immigration control” that was promised to only be used for research.[2]
  3. Once the federal government starts collecting post-secondary data, this could easily lead to a creeping expansion of data collection from K12 institutions and districts.
  4. The quality of research based on large-scale correlational studies is of greatly varying quality[3] and does not justify the risks of universal tracking.
  5. Large amounts of data used for the purposes of evaluating post-secondary institutions’ effectiveness are already available, including the Department of Education’s College Scorecard, the Mobility Report Card Project—a collaboration of the US Treasury and the Department of Education, and the privately-run National Student Clearinghouse.
  6. Extensive regulations have already been implemented to ensure that post-secondary institutions are protecting student’s long-term financial interests, e.g. Negotiated Rulemaking on Gainful Employment implemented in Fall 2014.

We acknowledge that given the investment of taxpayer funds that support institutions of higher education, the federal government has a strong practical interest to make certain that those funds are being used efficiently and effectively.

We do not, however, think that a universal student record system created and administered by the federal government is a necessary component of fulfilling that interest and duty.

The federal government spends billions of dollars in medical research and health care as well, and yet there has been no proposal that we know of for the federal government to collect the personal health data for every person in the United States.

We support only the use of aggregated student data for the evaluation of postsecondary institutions. The collection of such data must include asking for consent for participation from either a parent/guardian or the students themselves if over the age of 18. Clear, transparent information about how any data is to be used and who it may be shared with must be presented before asking for consent. And, there should be no financial benefit or loss contingent on granting the consent.

We continue to urge the Commission to recommend against the creation of any universal federal student unit record system.

On behalf of the Parent Coalition for Student Privacy,


Cassandre Creswell, PhD

Co-executive director

Raise Your Hand Action

Chicago IL


[1] See, for example, the research of Latanya Sweeney on identifiability.

[2]The Home Office are turning teachers into immigration officers” G. Bhattacharyya. Politics.co.uk.

[3] See discussion from a variety of fields (medicine, psychology and linguistics) in “Data dredging, bias, or confounding.” Smith, G.D. and S. Ebrahim. BMJ. 2002; “Why Most Published Research Findings Are False.” Ioannidis, J. P. A. PLOS Medicine. 2005; “False-Positive Psychology: Undisclosed Flexibility in Data Collection and Analysis Allows Presenting Anything as Significant.” Simmons, J.P., L.D. Nelson and U. Simonsohn. Psychological Science. 2011; and “Linguistic Diversity and Traffic Accidents: Lessons from Statistical Studies of Cultural Traits.” PLoS ONE. 2013. Roberts S. and J. Winters.