Sunday, March 30, 2014

What does the state budget bill do in regards inBloom and student privacy? Not much.

The  budget bill, due to be voted on Monday, deals  with student privacy in an inept and confusing way; the privacy provisions read as though they were written by a 3rd year law student at 1 AM in the morning, who understands nothing about the issue.   We saw the language late last week, and provided lots of suggested improvements, none of which were taken.

Though it seems to ban inBloom, by preventing the state from sharing personal data with any “Shared Learning infrastructure service provider” or “SLISP” –that is, a company which is storing the information for the purpose of providing it to a data dashboard provider, inBloom is not described as such in the state’s service agreement.  The state’s plan to share data with inBloom could presumably survive as long as it purports to be a storage facility for as yet unstated purposes, or to provide data for other specified uses, such as personalized learning tools.  (The full language of the bill is here: just search “"SHARED LEARNING INFRASTRUCTURE SERVICE PROVIDER” to find the privacy section.) The best part is around the strong encryption standards, which are taken straight from the O'Donnell/Robach bill, and are the same as required by HIPAA in handling health care data.

On the other hand, as opposed to that bill, full indemnification for breaches is not required, and instead, the penalties are absurdly weak – for example, the maximum fine for failing to report breaches is $5000, which is pocket money for most vendors, including inBloom, built with $100 million of Gates money.

In addition, much of the language appears to be taken from the ALEC bill on privacy, including a privacy officer who would be appointed by yes, the Commissioner.   

This privacy officer would write a “parent bill of rights” under the direction of the Commissioner, who as far as we can tell does not believe that parents have any rights at all.  

It includes lots of silly language designed to assuage fears in a very deceptive way, for example, prohibiting the release of disability status or student suspension data unless allowed under FERPA – when, of course, if this was prohibited by FERPA it would already be illegal to disclose this information.

The only mention of parental opt out or consent is for redisclosures from vendors to other vendors, and even that is hedged because it says redisclosures without consent can occur if the vendors call the other vendors their “authorized representatives”  for the purpose of carrying out the contract.  Thus a child’s personal information could be handed off from one vendor to another, without consent, notification, or restriction. 

A very bad bill and one that gives parents too little rights to protect their children and too much discretion to NYSED with no oversight.  In short, we shall have to fight even harder in the future to protect student privacy, either by law or by regulations, as SED develops regs moving forward.  

Below are the comments of our brilliant pro-bono privacy consultant, Barmak Nassirian, reprinted here with his consent.  Barmak is somewhat more optimistic than I am that these provisions represent progress.  Then again, he doesn’t know the devious ways of the State Education Department as I do, or their preference for complying with the priorities of their for-profit “partners” over the public school parents and children, whose interests they were appointed to serve.

From: Barmak Nassirian:  Leonie asked me for edits to strengthen and clarify the language, none of which seem to have been taken.

The language is unnecessarily wordy, meandering, sloppy and confused. Part K very narrowly targets inBloom-type arrangements, but seems oblivious to the possibility that the same kind of data sharing, if simply described differently and justified on other (equally as dubious) grounds, would not be caught by this language. ("Authorized representative" would be the most obvious way to evade this language.)

… I think the Chief Privacy Officer language and the parents' bill of rights will prove pretty useless and create nothing but evasive essays on how good a job the Department is doing. In creating exemptions for disclosures that comply with FERPA, the bill essentially reverts back to status quo, and really doesn't add any privacy protections beyond what federal law already provides. It actually muddies the waters significantly by referring to third-party "assignees" and to contractors' "authorized representatives," which implicitly (and probably unknowingly) suggests that cascading re-disclosures (from one contractor to sub-contractors) would be acceptable. 

For all of its faults, the bill's Subsection (5)(F) does take all of our proposed contractor-qualification language and seems to apply it to all third-parties. .... Our language only mandated these requirements on contractors obtaining non-consensual disclosures.

Despite all of its numerous imperfections I would still see this as a step in the right direction. Obviously, it would be great if we could clean it up, but I assume that is no longer in the cards. This language, as is, will throw a monkey wrench in SED's plans and give parents numerous new arguments to throw sand in the machinery of Big Data.

No comments: