Sunday, January 26, 2014

What privacy protections are there when states share data with the testing consortia or with the feds?

This year, the issue of student privacy and data sharing has become a huge issue throughout the nation, partly because of the uproar over inBloom Inc., but also as the US Department of Education has pushed states into adopting the Common Core standards and aligned exams, facilitated the widespread disclosure of children’s personal data to third parties without their parents’ consent through weakening FERPA, and required that states track kids from preK onwards via longitudinal data systems.

(Please check out this important story today – about questions surrounding NY state’s longitudinal data tracking system called P20.)

The danger that the federal government may be interested in collecting this data itself has aroused additional concern among parents and privacy advocates.  We noted in an earlier blog post how the agreement between the US Department of Education and the Common Core testing consortia, PARCC and Smarter Balanced, has the same exact clause: 

The Grantee [the testing consortium] must provide timely and complete access to any and all data collected at the State level to ED [the US Dept. of Ed] or its designated program monitors, technical assistance providers, or researcher partners, and to GAO, and the auditors conducting the audit required by 34 CFR section 60.26.

After Joy Pullman of the Heartland Institute and others drew attention to this clause, many parents became even more opposed to their state’s participation in the Common Core testing programs. In order to allay their fears, the Data Quality Campaign, which is funded primarily by the Gates Foundation, undertook a public campaign to convince parents that the feds have no intention of collecting personal student data. 

More recently, an EWA webinar featured Jim Shelton, among others, Deputy Secretary of the US Department of Education and formerly of the Gates Foundation, who appeared to pooh-pooh parent privacy concerns. In the article noted above about NY’s longitudinal student tracking system, Shelton re-affirmed how “valuable” this data is and implied that the risk to privacy is a “small price to pay for progress.” 

The PARCC consortium also produced a privacy policy for the first time, and last week, the education chiefs of 38 states wrote their own letter to Arne Duncan, pledging not to share personally identifiable student data with the feds.  (Why they would write to Duncan rather than their own stakeholders, can’t say.)

Why do I remain skeptical?  Many of these State Ed heads may be here today and gone tomorrow.  We’ve seen a lot of turnover in these jobs; in part because of their highly controversial policies, and many of them, including NY Commissioner John King, have little credibility with parents because of their refusal to disclose how they intend to use student data and their evident lack of respect for parental rights to have input into these decisions.

What the public should be demanding instead is strict controls in federal and state law and in their state’s agreements with these consortia to restrict the amount and type of personal data that they will collect, as well as controls on the access, disclosure and use of this data.

Instead, a careful look at the new PARCC privacy policy merely arouses more concerns than it allays. It appears to have contradictions in whether the organization will ever share its data with the feds. 

First it says: “PII will never be provided by PARCC to the federal government without written authority from a State, or unless legally required to do so by subpoena or court order.”

This seems to suggest that if the state so chooses, it may allow PARCC to provide personal student data to the feds. 

Yet in another section, it says: “These data shall not be used for commercial purposes, nor shall PARCC or PARCC contractors share personally identifiable information with the federal government, unless legally required to do so by subpoena or court order.

Which is it? The second statement leaves out the possibility of federal access of the data if the state permits. 

The mention of prohibiting “commercial purposes” also provides a convenient loophole.  Sharing personal student data for commercial purposes without consent already violates FERPA, but many districts and schools share this data with for-profit vendors, by simply claiming that this is for “instructional” purposes or for more efficient operation.  Clearly the definition of “commercial purposes” depends on the eye of the beholder.

At the same time that the PARCC policy says the data will not be used for commercial purposes, it does say that personal student data may be shared by states to PARCC and contractors for a variety of reasons, including “to validate, pilot and field test, and improve the assessments.” 

 We know that one of PARCC’s prime contractors is Pearson, which is of course a huge multi-national for-profit company; there are also many unnamed sub-contractors. Wireless Generation, a for-profit subsidiary of News Corporation and the prime subcontractor for inBloom, is one of the contractors of Smarter Balanced, the other testing consortium.
The PARCC privacy policy says personally identifiable information (PII) may be accessed and shared with them and their contractors for many other reasons: 

  •   to report assessment results back to states and their local education agencies in a form that is useful to them; 
  • to prepare reports on student performance for participating states, their LEAs and the public  (PII may not be included in public reports or in reports to states or local education agencies that were not the source of the PII): 
  •  to analyze test results to assist member states and their local education agencies for purposes of accountability, including promotion and graduation decisions for individual students; teacher and school leader evaluations; school accountability determinations; determinations of principal and teacher professional development and support needs; and teaching, learning, and program improvement; and 
  •  to carry out studies designed to improve instruction on behalf of participating states and their local education agencies, pursuant to separate agreements with the member states and/or their local education agencies. 

Only the last bullet point even seems to require a separate written agreement with states or districts, and none of them require parental notification or consent.  The clause highlighted is particularly open-ended and could lead to abuses in many ways.  Do we really want Pearson or other private corporations gaining access to personal student data to decide which students should be held back or denied graduation from high school; or to make assessments as to which teachers should be dismissed and which should keep their jobs? 

Smarter Balanced, the other testing consortium, does not even have a privacy policy as of yet, though it seems to have been working on a draft that its members could revise according to their individual preferences.

In short, none of this should provide much comfort to parents. In fact, these consortia may end up acting as surrogate inBloom’s, aggregating a huge amount of personal student data and handing it off to subcontractors and vendors for a variety of unregulated purposes, without notification to the public or parental consent. 

All parents should demand to see their state’s individual agreement with these testing organizations as soon as possible, to find out what additional personal student data is being provided to them and what are the restrictions concerning its further disclosure or use. If there is no agreement pertaining to these issues, there needs to be one before field testing begins this spring.

No comments: