When I was a freshman in college (bear with me, it wasn’t that long ago) I had to take a required class called “Critical Thinking.” As the title suggests, it was a course designed to teach college freshmen how to discern fact from fiction. Our professor particularly focused on teaching us the skills to read articles and decide whether they presented enough evidence to be reliable sources. I am fairly certain my professor would have been disappointed at the first draft of this blog post. I jumped to a conclusion and did the opposite of what she taught us – I did not go to the sources for clarification. News came out that California will soon release the personal information of students to a non-profit community organization and I was alarmed and immediately assumed the worst. Thankfully, my wonderful privacy peeps pulled me back from the abyss and I applied my learnings to a rewrite of the original post.
According to reports, millions of public school student records are to be handed over to the Concerned Parents Association. This organization fought in court for the data to be released in spite of objections from the California Department of Education. The intent of the organization is admirable. The Concerned Parents Association aims to determine whether California schools are violating the Individuals with Disabilities Education Act (IDEA). In order to do so, they believe they need access to all information on children in grades K-12 who are, or at some point were, students in the California school system since 2008. I am sure most of us who work with students with IEPs (Individualized Education Plans) or 504 plans have more than one story to tell in which students’ rights under IDEA were violated. In order for this analysis to be done, millions of records with student names, addresses, dates of birth, behavior and mental health information, as well as health and expulsion records, will be released. It’s easy to jump to conclusions regarding the safety and privacy of such sensitive information and be concerned that the information of students will be accessible and vulnerable to misuse.
But this is what I found in the court order (not everything is listed and the complete protocols can be found here) –
- Discussions were held between the plaintiffs and the CDE regarding safeguarding student data and the court approved the security process outlined in the plaintiff’s proposed discovery protocol
- Plaintiff’s counsel will carry out a third-party risk assessment of their IT infrastructure and of their protocol for storing and transmitting student data
- All sensitive data transmitted will be on fully encrypted external hard drives
- Plaintiffs are to confirm deletion of any copies of sensitive data once it has been uploaded from the external hard drives to a fully secure server
There are other protocols outlined in the court case, such as maintaining a record of all devices used to store or access the data, maintaining a list of the names and positions of all individuals who may access this information during discovery, the protocols to be used to notify the affected students of this undertaking, and the opt-out form they can use if they choose to have their information removed.
While this process may not be ideal, at least there is the comfort that the court addressed some of the issues that would arise from the movement of such a massive database outside the CDE’s system. I still have concerns, and I am not entirely comfortable with the idea of releasing such a big database in this format, as I think it creates vulnerabilities for those records in which students could be identified. I would prefer if the data were de-identified, and I don’t believe the court addressed this. The Future of Privacy Forum wrote an excellent paper on de-identification of student data (shameless plug, but it’s a great paper!). There are many de-identification techniques that can be used, depending on the disclosure and risk level of the data, without compromising the integrity of such information.
Is the court-approved protocol to safeguard the privacy of these students adequate? I am not so sure. There is a good outline of the security measures required in the transfer and storage of files, but there is a difference between privacy and security. De-identifying data is not the only way to protect the privacy of students. There is also a dire need for individuals working with this information to be trained on how to maintain these databases securely to ensure the privacy of all students. Sometimes, because of a lack of understanding, data is not handled properly and student data is exposed because it was uploaded to… Dropbox…
Lesson learned: don’t jump to conclusions. The protocols for handling the data in this case may not be perfect, but it is not the free-for-all scenario depicted in some news outlets. I am encouraged that organizations are looking to advocate for students, in particular those with disabilities, and I hope that this case brings more awareness to the need for adequate security protocols for data transfer as well as additional training for those involved in working with student data.
If you’d like to read the court order, you can find it here.
Next time I promise my college professors to apply what they so diligently taught me through my college career… pinky promise…