Wednesday, November 6, 2024

Chancellors regulations A-820; revised yet again but would still risk NYC students' privacy, health and safety!

The DOE has again issued revisions to their earlier version of the Chancellor's A-820 regulations on student privacy for the third time.  These regs have not been updated since 2009,.  They have also delayed the PEP vote on them until Nov. 20, in response to our letter, and the more than 3,000 emails sent by students and parents in opposition. Yet the revisions are minor and are not nearly strong enough. 

Despite the fact that Ed Law 2D, passed by the State Legislature in 2014, requires much more rigorous protections for all student personal information disclosed outside schools and district walls, these regulations would significantly weaken existing student privacy.  They would do this by designating a broad and essentially unrestricted array of highly sensitive personal information as Directory Information, that DOE could share with any individual, corporation or organization they like, without parent consent, without a written contract, and without the full privacy protections of state law.

Instead, they would allow the following information to be disclosed to any third party they like, as long as they say this disclosure would "benefit" the district and students, and with only parent opt out to protect it:


We know that many parents will never be alerted to their opt out rights, and  as in the case of charter school disclosure, many parents may opt out and their children's information will still be shared with third parties anyway.  Disclosing this extensive, highly personal, and essentially unrestricted array of personal information could be dangerous to a child's safety, risking predatory marketing, identity theft, and even abduction. All the regs say about parent notification is that that the "Directory Information notice must be written and distributed in a manner reasonably likely to be seen by the Parent or Eligible Student."

This proposed dangerous policy is not aligned with the existing Chancellors regulations, which do not allow the district to disclose ANY personally identifiable student information without parent consent, nor is it consistent with what is currently written on the DOE's own website:

 

If DOE has properly considered home addresses, telephone numbers and dates of birth too "sensitive in nature" to be categorized as Directory Information, why are they changing their mind now? 

This proposal is also not aligned with how other districts in the state and the nation treat or designate  Directory Information, by excluding much of the personal information included in the Chancellors regulations:

  • ·       Fabius-Pompey school district in upstate NY includes only name, grade level, degrees and honors, sports participation, and team members’ weight and height as Directory Information. Moreover, the district says they will disclose this information only for the purposes of yearbooks, honor rolls, graduation programs and the like.
  • ·       Scarsdale designates only a student's name, address, and school as Directory Information, and says they provide this information only to PTAs and the Village of Scarsdale for the purpose of mailings and pool passes.

·       Elsewhere in the nation, Boston Public Schools, even without a strong privacy law, only includes a student’s name, age, grade level, and dates of enrollment as Directory Information, understanding that sharing other sorts of personal data without consent or privacy protections would be too risky and intrusive.

There are other serious problems with these proposed regs, including how the DOE has refused to give the protections of Ed Law 2D to medical and health records maintained by schools, if they were made by Dept of Health employees.  
 
We have already seen in the Teenspace controversy how the Department of Health's contract with Talkspace does not have the protections required by Ed Law 2D.  Instead,  we  discovered that when a NYC student visits the Teenspace website on their phone, their personally identifiable information is shared with 15 ad trackers and 34 cookies, as well as Facebook, Amazon, Meta, Google, and Microsoft among other companies. Our findings were later confirmed by a security company and they are particularly concerning, given how the city is suing many of these companies for undermining children’s mental health and designing their platforms to be addictive, to maximize their profits.

Our more detailed comments on the revised regs are below.  If you are concerned about this issue, please email Chancellor Melissa Aviles-Ramos at nycchancellor@schools.nyc.gov, and copy us at info@studentprivacymatters.org as soon as possible.  Thanks!