Sunday, September 14, 2014

Commissioner King and NYSED have failed to implement the new state law on student privacy



See below the letter NYSAPE and Class Size Matters wrote to Commissioner King and the Regents about King's failure to implement the new privacy law, passed at the end of March as part of the budget.

Not only has he missed the deadline for appointing a permanent Chief Privacy Officer, qualified for the job, but also for adopting a Parents' Bill of Rights, created through public input from parents among other stakeholders.  Instead the "interim" Parents' Bill of Rights posted on the NYSED website misstates existing law by omitting key provisions in state and federal law, and provides an email address for parents complaining of breaches that goes unanswered.

Since we wrote this letter we have found additional federal privacy provisions that are missing from the NYSED Parents' Bill of Rights, including the right of parents whose children are using online programs at school to find out what personal student data is being collected, have that data deleted, and opt out of the online program if they so choose.  See this recent FTC guidance on COPPA, the Children's Online Privacy Protection Act.

Emailed Aug. 25, 2014, sent via snail mail September 12, 2014 

Dear Commissioner King and members of the New York State Board of Regents:

On behalf of New York State Allies for Public Education, a coalition of more than fifty parent and advocacy groups, and Class Size Matters, a parent advocacy group located in NYC, we write to you to state our concerns about the New York State Education Department’s failure to comply with key provisions of the 2014 state law regarding student data privacy and protection.

As you are aware, the budget bill that passed this spring contained many important provisions relating to student data privacy and security, including a halt to the State’s plan to share highly sensitive personally identifiable student data with inBloom, Inc.[i]  In addition, the new law required Commissioner King to appoint a Chief Privacy Officer (CPO).  According to this new law, it is the CPO who is charged with creating a Parents’ Bill of Rights for student data privacy and protection, as well as other important responsibilities.  

On April 29, 2014, a group of parent leaders and advocacy groups, including New York State Allies for Public Education, sent a letter to Commissioner King and the Board of Regents.[ii]  Among other things, this letter urged Commissioner King to appoint a well-qualified CPO, from outside the Department, well-versed in the issue of data privacy and security.  In addition, the letter urged that the CPO hold hearings throughout the State to hear stakeholder views on what the Parents’ Bill of Rights should include. 

Under the terms of the new law, the CPO appointed by NYSED must be qualified, through experience and/or training, in state and federal education privacy laws and regulations, civil liberties, information technology, and information security.  The law further requires that the CPO is to solicit feedback from parents and other stakeholder groups before putting forward a proposed Parents’ Bill of Rights.  That proposed Bill of Rights was then to be open for public comment before being adopted in its final form – all of this to occur no later than July 29, 2014.  In addition, the law requires every district to post the final Parents' Bill of Rights on its website, and to include it with every contract into which it enters with a third party vendor that receives student data.  That July deadline, however, has now long passed.

Shortly after posting an incomplete and deficient Parents’ Bill of Rights (as discussed below) on July 30, 2014, Commissioner King appointed Tina Sciocchetti, Esq., a former Assistant U.S. Attorney, to serve as interim Chief Privacy Officer.[iii]  Ms. Sciocchetti was already employed by NYSED as Director of Test Security and Educator Integrity, and there is nothing in her career or background to suggest that she meets the CPO qualifications and criteria specified in the law.  Moreover, given that Ms. Sciocchetti was appointed interim CPO after the current Parents’ Bill of Rights was posted, and the document reflects no input from parents and/or other stakeholders whatsoever, its legal validity is questionable.

As mentioned above, we are very concerned that the Parents’ Bill of Rights, as currently drafted and posted for school districts to use, is incomplete and has several serious mistakes in it.[iv]  For example, it fails to state that NYSED is under a legal obligation, both pursuant to 34 C.F.R. § 99.10(b) of the federal Family Educational Rights and Privacy Act (FERPA), and pursuant to section 95 of the New York Personal Privacy Protection Law (PPPL), to afford parents the right to review all personally identifiable data that the State holds for their children, and to afford them the opportunity to correct such data, if necessary.

Moreover, the new law delineates specific minimum security protocols that must be followed by any third party contractor that receives student, teacher, or principal data from an educational agency.  The law specifically states that third party contractors must use “encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the Secretary of the United States Department of Health And Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5,” and that such protocols (as well as a host of additional information) must be incorporated into the Parents’ Bill of Rights.

Instead, the current Parents’ Bill of Rights provides the far less rigorous requirement that third party contractors must merely “use encryption technology to protect data while in motion or in its custody from unauthorized disclosure.”  Finally, the Bill of Rights states that parent complaints about possible breaches should be sent to cpo@mail.nysed.gov, yet emails to this address go unanswered.

We respectfully request that NYSED correct these errors and omissions immediately, direct school districts and educational agencies to post the full provisions of law on their websites, and that NYSED and all educational agencies fully comply with the minimum security protocol requirements.   A recent audit from the NY State Comptroller found that employees in six districts had inappropriate access to sensitive student data.[v]  A report from the Attorney General’s office pointed out that reported data breaches in New York have more than tripled between 2006 and 2013, with an astounding 22 million personal records exposed.  A large number of breaches were reported by education institutions.[vi]  We can no longer risk this fate for our vulnerable children.   

We further urge Commissioner King to act with speed to appoint a well-qualified CPO who meets the criteria set forth in the legislation.   As clearly required by law, once a qualified individual is appointed, he or she must then solicit the input of parents and other stakeholders to help develop “additional elements of the parents bill of rights” before it is released for public comment and put into final form.  In addition, the CPO, along with Commissioner King, is required to promulgate regulations that establish standards to govern educational agencies’ data security and privacy policies, and to develop one or more model policies for them to use.  

We request that the CPO, once appointed, hold hearings throughout the State for the purpose of gaining input from parents, district officials, educators, and other stakeholders vis-à-vis the Parents’ Bill of Rights.  After this occurs, the proposed Bill of Rights should be drafted and made publicly available during a 45-day period of public comment, pursuant to proper notice, during which time interested parties would be allowed to submit comments online, to be posted by NYSED and answered by the CPO.

No doubt school districts, in preparation for the 2014-15 school year, have already engaged third-party contractors who will receive – or who have already received – a wealth of personally identifiable student data.  Nevertheless, New York State continues to lack sufficient student data privacy and security protections for its millions of public school students, and has failed to provide timely, proper and sufficient guidance to school districts that endeavor to do so.  This must change.

Finally, we urge you to ensure that the State Longitudinal Student Database is developed with the utmost attention to student data privacy and security, and that an advisory body of stakeholders be appointed to oversee it. 

We thank you in advance for your attention to these matters and look forward to your response.

Very truly yours, 
Deborah Abramson Brooks,  Lisa Rudley, Anna Shah, & Allison White on behalf of New York State Allies for Public Education and Leonie Haimson, Executive Director, Class Size Matters



[i] The student privacy components of the legislation are at http://open.nysenate.gov/legislation/bill/A8556D-2013, beginning in Part AA, Subpart K Section 1, and thereafter throughout Subpart L. 

[ii] The letter is posted at http://tinyurl.com/luq44mn

[iii] Gary Stern, “New York posts 'bill of rights' to protect student data,” Westchester County Journal News, July 30, 2014.

[iv] NYSED’s Parents’ Bill of Rights is posted at http://www.p12.nysed.gov/docs/parents-bill-of-rights.pdf

[v] Office of the New York State Comptroller, “Access Controls over Student Information Systems,” August, 2014.

[vi] Office of the New York State Attorney General, “Information Exposed: Historical Examination of Data Breaches in New York State,” July 14, 2014.
   
