The DOE has issued revisions to their earlier version of the Chancellor's A-820 regulations on student privacy for the second time. They have also delayed the PEP vote on them until Nov. 20, in response to our letter, and the more than 3,000 emails sent by students and parents in opposition. Yet the revisions are minor and are not nearly strong enough.
Despite the fact that Ed Law 2D, passed by the State Legislature in 2014, requires much more rigorous protections for the disclosure of any and all student personal information outside schools and district walls, these regulations would significantly weaken existing student privacy. They would do this by allowing a broad and essentially unrestricted array of highly sensitive personal information to be designated as Directory Information, that DOE could share with any individual, corporation or organization they like, without parent consent, and without the full privacy protections of state law.
Instead, they would allow the following information to be disclosed to any third party they like, as long as they say this disclosure would "benefit" the district and students, and with only parent opt out as safeguards:
We know that many parents will never be alerted to their opt out rights, and, as in the case of charter school disclosure, many parents may opt out and their children's information will still be shared with third parties anyway.
Disclosing this extensive, highly personal, and essentially unrestricted array of personal information could be dangerous to a child's safety, risking predatory marketing, identity theft, and even abduction. The addresses of migrant children currently living in hotels or shelters could even be shared. with organizations claiming to have a positive purpose but actually with the intention of harassing or deporting them.
All the regs say about parent notification is that that the "Directory Information notice must be written and distributed in a manner reasonably likely to be seen by the Parent or Eligible Student."
This proposed dangerous policy is not aligned with the existing Chancellors regulations, which do not allow the district to disclose ANY personally identifiable student information without parent consent, nor is it consistent with what is currently written on the DOE's own website:
If DOE has properly considered home addresses, telephone numbers and dates of birth too "sensitive in nature" to be categorized as Directory Information, why are they changing their mind now?
This proposal is also not aligned with how other districts in the state and the nation treat or designate Directory Information, by excluding much of the personal information included in the Chancellors regulations:
- · BOCES Capital region DI policy excludes student birth dates, addresses, phone numbers and email addresses.
- · Nassau County BOCES DI policy does not include birth date, email, or phone number as Directory Information.
- · Fabius-Pompey school district in upstate NY includes only name, grade level, degrees and honors, sports participation, and team members’ weight and height as Directory Information. Moreover, the district says they will disclose this information only for the purposes of yearbooks, honor rolls, graduation programs and the like.
- · Scarsdale designates only a student's name, address, and school as Directory Information, and says they provide this information only to PTAs and the Village of Scarsdale for the purpose of mailings and pool passes.
· Elsewhere in the nation, Boston Public Schools, even without a strong privacy law, only includes a student’s name, age, grade level, and dates of enrollment as Directory Information, understanding that sharing other sorts of personal data without consent or privacy protections would be too risky and intrusive.
