Wednesday, November 6, 2024

DOE privacy regulations: revised yet again but still put student privacy, health and safety at unacceptable risk!

The DOE has issued revisions to their earlier version of the Chancellor's A-820 regulations on student privacy for the second time.  They have also delayed the PEP vote on them until Nov. 20, in response to our letter, and the more than 3,000 emails sent by students and parents in opposition. Yet the revisions are minor and are not nearly strong enough. 

Despite the fact that Ed Law 2D, passed by the State Legislature in 2014, requires much more rigorous protections for the disclosure of any and all student personal information  outside schools and district walls, these regulations would significantly weaken existing student privacy.  They would do this by allowing a broad and essentially unrestricted array of highly sensitive personal information to  be designated as Directory Information, that DOE could share with any individual, corporation or organization they like, without parent consent, and without the full privacy protections of state law.

Instead, they would allow the following information to be disclosed to any third party they like, as long as they say this disclosure would "benefit" the district and students, and with only parent opt out as safeguards:


We know that many parents will never be alerted to their opt out rights, and,  as in the case of charter school disclosure, many parents may opt out and their children's information will still be shared with third parties anyway.  

Disclosing this extensive, highly personal, and essentially unrestricted array of personal information could be dangerous to a child's safety, risking predatory marketing, identity theft, and even abduction. The addresses of migrant children currently living in hotels or shelters could even be shared. with organizations claiming to have a positive purpose but actually with the intention of harassing or deporting them.

All the regs say about parent notification is that that the "Directory Information notice must be written and distributed in a manner reasonably likely to be seen by the Parent or Eligible Student."

This proposed dangerous policy is not aligned with the existing Chancellors regulations, which do not allow the district to disclose ANY personally identifiable student information without parent consent, nor is it consistent with what is currently written on the DOE's own website:

 

If DOE has properly considered home addresses, telephone numbers and dates of birth too "sensitive in nature" to be categorized as Directory Information, why are they changing their mind now? 

This proposal is also not aligned with how other districts in the state and the nation treat or designate  Directory Information, by excluding much of the personal information included in the Chancellors regulations:

  • ·       Fabius-Pompey school district in upstate NY includes only name, grade level, degrees and honors, sports participation, and team members’ weight and height as Directory Information. Moreover, the district says they will disclose this information only for the purposes of yearbooks, honor rolls, graduation programs and the like.
  • ·       Scarsdale designates only a student's name, address, and school as Directory Information, and says they provide this information only to PTAs and the Village of Scarsdale for the purpose of mailings and pool passes.

·       Elsewhere in the nation, Boston Public Schools, even without a strong privacy law, only includes a student’s name, age, grade level, and dates of enrollment as Directory Information, understanding that sharing other sorts of personal data without consent or privacy protections would be too risky and intrusive.

There are other serious problems with these proposed regs, including how the DOE has refused to give the protections of Ed Law 2D to medical and health records maintained by schools, if they were made by Dept of Health employees.  
 
We have already seen in the Teenspace controversy how the Department of Health's contract with Talkspace does not have the protections required by Ed Law 2D.  Instead,  we  discovered that when a NYC student visits the Teenspace website on their phone, their personally identifiable information is shared with 15 ad trackers and 34 cookies, as well as Facebook, Amazon, Meta, Google, and Microsoft among other companies. Our findings were later confirmed by a security company and they are particularly concerning, given how the city is suing many of these companies for undermining children’s mental health and designing their platforms to be addictive, to maximize their profits. 
 
Please send yet another letter to the Chancellor, copied to the Chief Privacy officer and the members of the PEP, letting them know this is unacceptable, and that the regulations reveal a troubling lack of respect for students' privacy and safety. 

No comments: