Wednesday, November 11, 2020

Questions raised by Sen. Hoylman and advocates about the privacy of student data

 Chalkbeat also reported on the lack of DOE compliance with the state law and Sen. Hoylman's letter today. 

NY State Senator Brad Hoylman sent a letter yesterday to the Chancellor, asking questions about whether the personal student data that is being collected and processed by the many online programs acquired by the DOE is sufficiently protected from breach or abuse.

According to the UFT, “The DOE has informed schools that for SY 2020-21, they must have a shared, inclusive and digital curriculum in all core subject areas” in order to implement remote learning. 

We have now amassed a list of about one hundred of these digital programs, many of which were hurriedly acquired by DOE, along with links to their privacy grades from Commonsense Media, if available, along with some clarifying comments. These grades are based upon their publicly available privacy policies, some of which do not appear to comply with the state law because they use data for commercial or marketing purposes and/or have weak security  provisions. We gathered the list from the DOE and UFT websites, as well as our parent/teacher survey. 

Here’s a summary of what the NY State student privacy law and regulations require; more information is available on the NYSED website here. Though the law was originally passed in March of 2014, it took nearly six years for the state to issue and adopt regulations that became fully enforceable last January. Among other things, the regulations require all districts to post a Parent Bill of Rights [PBOR] for every contract with a vendor that has access to personal student information. 

The PBOR is supposed to detail how the personal student data will be used, how it will be protected, how parents can access the data to challenge its accuracy if necessary, and when it will be deleted, among other provisions. Because of the COVID crisis, the DOE received an extension till October 1, 2020 to also post a new, legally compliant data privacy policy. 

Here’s the DOE data privacy page and another DOE page, which, after urging from parents and teachers, has posted ONLY the PBORs for the three COVID testing companies, along with their contracts. 

None of the PBORs or contracts of the 100 online programs acquired by DOE have been posted; nor has the DOE's legally compliant data privacy policy.

In addition, the three contracts with the COVID testing companies do not clearly state when the personal data of students will be deleted, though this is required by Ed Law 2D regulations which mandate that contractors “describe whether, how and when data will be returned to the educational agency, transitioned to a successor contractor, at the educational agency’s option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.”

If you haven't yet, please respond to our survey here, to let us know what online programs or apps your children have been assigned, so we can check out their grades and privacy policies as well.  You can also check out our spreadsheet to see what privacy grade was received by the programs and apps assigned to your kids.

Much thanks to Sen. Hoylman for sending a letter to DOE about this; his letter is embedded below. 


No comments: