The budget bill, due
to be voted on Monday, deals with
student privacy in an inept and confusing way; the privacy provisions read as
though they were written by a third-year law student at 1 AM, who understands
nothing about the issue. We saw the language late last week, and provided lots of suggested improvements, none of which were taken.
Though it seems to ban inBloom,
by preventing the state from sharing personal data with any “Shared Learning
infrastructure service provider” or “SLISP” – that is, a company which is storing
the information for the purpose of providing it to a data dashboard provider,
inBloom is not described as such in the state’s service agreement.
The state’s plan to share data with inBloom
could presumably survive as long as it purports to be a storage facility for
as yet unstated purposes, or to provide data for other specified uses, such as personalized
language of the bill is here: just search “SHARED LEARNING INFRASTRUCTURE
SERVICE PROVIDER” to find the privacy section.) The best part is around the strong encryption standards, which are taken
straight from the O'Donnell/Robach bill, and are the same as required by HIPAA in handling health care data.
On the other hand, as opposed to that bill, full indemnification for breaches is not required, and instead, the
penalties are absurdly weak – for example, the maximum fine for failing to
report breaches is $5000, which is pocket money for most vendors, including
inBloom, built with $100 million of Gates money.
In addition, much of the language appears
to be taken from the ALEC bill on privacy, including a privacy officer who
would be appointed by, yes, the Commissioner.
This privacy officer would write a “parent bill of rights” under the
direction of the Commissioner, who as far as we can tell does not believe that
parents have any rights at all.
It includes lots of silly language designed to assuage fears in a
very deceptive way, for example, prohibiting the release of disability status
or student suspension data unless allowed under FERPA – when, of course, if this
was prohibited by FERPA it would already be illegal to disclose this information.
The only mention
of parental opt out or consent is for redisclosures from vendors to other
vendors, and even that is hedged because it says redisclosures without consent can
occur if the vendors call the other
vendors their “authorized representatives” for the purpose of carrying out
the contract. Thus a child’s personal
information could be handed off from one vendor to another, without consent,
notification, or restriction.
A very bad bill and one that gives parents too few rights to protect their children and too much discretion to NYSED with no oversight. In short, we shall have to fight even harder in the future to
protect student privacy, either by law or by regulations, as SED develops regs moving forward.
Below are the comments of our brilliant pro-bono privacy consultant,
Barmak Nassirian, reprinted here with his consent. Barmak is somewhat more optimistic than I am
that these provisions represent progress.
Then again, he doesn’t know the devious ways of the State Education
Department as I do, or their preference for complying with the priorities of their for-profit “partners”
over the public school parents and children, whose interests they were appointed to serve.
From: Barmak Nassirian:
Leonie asked me for edits to strengthen and clarify the language, none
of which seem to have been taken.
The language is unnecessarily wordy, meandering, sloppy and
confused. Part K very narrowly targets inBloom-type arrangements, but seems
oblivious to the possibility that the same kind of data sharing, if simply
described differently and justified on other (equally as dubious) grounds,
would not be caught by this language. ("Authorized representative"
would be the most obvious way to evade this language.)
… I think the Chief Privacy Officer language and the
parents' bill of rights will prove pretty useless and create nothing but
evasive essays on how good a job the Department is doing. In creating
exemptions for disclosures that comply with FERPA, the bill essentially reverts
back to status quo, and really doesn't add any privacy protections beyond what
federal law already provides. It actually muddies the waters significantly by
referring to third-party "assignees" and to contractors' "authorized
representatives," which implicitly (and probably unknowingly) suggests
that cascading re-disclosures (from one contractor to sub-contractors) would be
For all of its faults, the bill's Subsection (5)(F) does
take all of our proposed contractor-qualification language and seems to apply
it to all third-parties. .... Our
language only mandated these requirements on contractors obtaining
Despite all of its numerous imperfections I would still see
this as a step in the right direction. Obviously, it would be great if we could
clean it up, but I assume that is no longer in the cards. This language, as is,
will throw a monkey wrench in SED's plans and give parents numerous new
arguments to throw sand in the machinery of Big Data.