
Wednesday, August 24, 2016

Chief Privacy Officer Finally Appointed; Parents and Advocates Await Next Steps to Protect Student Data



See the Politico article this morning about NYSED's appointment (finally) of a CPO, more than two years past the legal deadline, and our press release below. UPDATE: See also articles in Schoolbook, Chalkbeat and Staten Island Advance.

For immediate release

August 24, 2016

For more information: Leonie Haimson, leonie@classsizematters.org, 917-435-9329







Chief Privacy Officer Finally Appointed; Parents and Advocates Await Next Steps to Protect Student Data 


The long overdue appointment announced today by the NY State Education Department of a Chief Privacy Officer, Temitope Akinyemi, is an important step forward to begin to enforce the New York student privacy law that was originally passed on March 31, 2014 as part of the state budget, along with the banning of the plan to share personal student data with inBloom Inc. 

Parents are relieved that more than two years following the July 29, 2014 deadline set by this law, the NY State Education Department has finally appointed a permanent Chief Privacy Officer.  Yet by that date, the CPO was also supposed to have developed an expanded Parent Bill of Privacy Rights, with the input of parents and other stakeholders.  Instead, NYSED hurriedly posted a Bill of Rights two years ago that is incomplete as to existing federal and state privacy laws – as pointed out by a letter to then-Commissioner John King in August 2014.

Said Leonie Haimson, Executive Director of Class Size Matters and co-chair of the national organization, the Parent Coalition for Student Privacy: “Now that the CPO is appointed, Ms. Akinyemi should immediately begin to reach out to parents through public hearings to improve and expand upon the Parent Bill of Rights, to gain their input so that their children’s privacy and safety can be secured. Parents have already waited too long for this to occur.”

Parents and advocates also urge Ms. Akinyemi to appoint a Data Stakeholder Advisory Panel to oversee the state’s collection and disclosure of personal student data.  According to a federal grant provided to NYSED in 2009, this Panel was supposed to “provide active and ongoing review by local constituents,” but still does not yet exist – seven years later.

Added Ms. Haimson, “Only with robust citizen oversight can we be assured that children’s personal information will be safeguarded with appropriate restrictions and protections. We recently learned that the NYSED has decided to reverse their earlier decision to put the personal data of all public school students in the State Archives, potentially forever; but this decision should never have been made in the first place.  It reflects a deficient understanding of federal law and insufficient concern with the right to privacy that all children should enjoy.”

Allison White, parent and co-founder, Port Washington Advocates for Public Education, said: “I hope the CPO will put parental concerns about student privacy and security ahead of all else. It's time the profits of tech companies and the greed of those seeking to privatize public education took a back seat to the concerns of parents seeking to protect children.”  Ms. White’s request for her child’s data last year was improperly denied initially with a demand for payment by Tina Sciocchetti, the state’s previous temporary CPO.

“There needs to be stronger oversight and enforcement of the law,” said Fatima Geidi, NYC parent, whose child’s disciplinary file was illegally posted online by Eva Moskowitz, the CEO of his former charter school, in violation of the Family Educational Rights and Privacy Act (FERPA). “We need someone at the state level who is looking out for the interests of New York families, rather than ignoring our concerns.”

"The appointment of a Chief Privacy Officer may bring some sense of student data protection, but until parents have the right to consent or opt out of the use of their child's individual personal data beyond the school level, data will continue to be at risk," said Lisa Rudley, Westchester County public school parent and founding member of NY State Allies for Public Education.

###

Thursday, November 19, 2015

NY Chief Privacy Officer makes illegal threat to charge parent to access her child's data

This letter, sent today to Tina Sciocchetti, NYS Chief Interim Privacy Officer, is reprinted with Allison White's permission. Allison's testimony to the Cuomo Common Core Task Force on the need to protect student privacy is posted here. Our column on the voluminous personal student data being collected in state longitudinal databases was recently published by the Washington Post here.
It is a shame that NYSED still does not have a permanent Chief Privacy Officer or a Parent Bill of Rights developed with parent input, more than 16 months past the legal deadline. Clearly the temporary CPO in this position, with no expertise in either privacy law or civil liberties, is unqualified and incapable of performing her critical responsibilities under the law.

Tina Sciocchetti, Chief Interim Privacy Officer
New York State Education Department
Date: November 19, 2015
via email:  CPO@nysed.gov

Dear Ms. Sciocchetti:
As you know, on June 26, 2015, I made a formal FERPA request to inspect and review (“view”) my child’s personally identifiable information (PII) data contained in the New York State Longitudinal Database. It is every parent’s right under the federal law known as FERPA, as well as the New York State Personal Privacy Protection Law, passed in 1984, to be able to inspect and review this data, and to challenge and amend it if it is erroneous. Nearly one month later, on July 20, 2015, you responded by asking me to complete a notarized verification form, which I did, and which I immediately sent back to your office.
Finally, on September 25, 2015, after much emailing back and forth and a full two months after my initial request, I received a letter from you stating that if I wanted to view my child’s PII data, I would be charged an unspecified amount. You wrote:
“Collecting all of the separate data related to a single student from the Department’s various files is a lengthy process and, under state law, the requestor bears the cost of reproducing the records (see Public Officers Law §§ 87[1][c] and 95[1][c]). If you would like an estimate of the cost of this search, please let me know.”
Please note that I am requesting the opportunity to inspect and review only my own child’s records.  FERPA puts the burden squarely on the State, as the repository of my child’s data, to make my child’s data accessible to me in a format that is readable and reviewable, free of charge.
Dale King, Director of the U.S. Department of Education’s Family Policy Compliance Office, made this clear when he recently ruled that a state is not permitted to charge parents any fee for accessing and reviewing their children’s data in its state longitudinal database.  Director King wrote:
“….educational agencies and institutions, as well as SEAs [State educational agencies] may not charge a fee for search and retrieval of education records. See § 99.11(b)” [1]
Please let me know when my request -- originally made nearly six months ago -- will be fulfilled.  If you are unwilling to abide by the ruling of the Family Policy Compliance Office by affording me meaningful access to my child’s PII data without fee, I will have no choice but to file a FERPA complaint with the U.S. Department of Education.

Sincerely,
Allison White  

[1] Letter from Dale King, US Dept of Education to Dale A.R. Erquiaga, Nevada Superintendent of Public Instruction, July 28, 2014 at: http://familypolicy.ed.gov/sites/fpco.ed.gov/files/Letter%20to%20Erquiaga%20072814.pdf  See also: Dad told seeing state’s records on his kids will cost him $10 grand+, Nevada Journal, April 24, 2014 at: http://nevadajournal.com/2014/04/24/dad-told-seeing-states-records-his-kids-will-cost-him-10-grand/  and: Federal education officials: Nevada can’t charge dad to look at children’s records; Dozens of mistakes identified in now-viewable records, Nevada Journal, Dec. 30, 2014 at: http://nevadajournal.com/2014/12/30/federal-education-officials-nevada-cant-charge-dad-look-childrens-records/


CC: MaryBeth Elia, New York State Commissioner of Education
New York Board of Regents
Assemblywoman Catherine Nolan, Chair, New York State Assembly Education Committee
Senator Carl Marcellino, Chair, New York State Senate Education Committee
Senator George Latimer, New York State Senate
Assemblyman Edward Ra, New York State Assembly
Assemblywoman Michelle Schimel, New York State Assembly
Senator Jack Martins, New York State Senate
Robert J. Freeman, Executive Director, New York State Committee on Open Government
Leonie Haimson, Executive Director, Class Size Matters; co-chair Parent Coalition for Student Privacy




Sunday, September 14, 2014

Commissioner King and NYSED have failed to implement the new state law on student privacy



See below the letter that NYSAPE and Class Size Matters wrote to Commissioner King and the Regents about King's failure to implement the new privacy law, passed at the end of March as part of the budget.

Not only has he missed the deadline for appointing a permanent Chief Privacy Officer, qualified for the job, but also for adopting a Parents Bill of Rights, created through public input from parents among other stakeholders. Instead the "interim" Parents Bill of Rights posted on the NYSED website misstates existing law by omitting key provisions in state and federal law, and provides an email address for parents complaining of breaches that goes unanswered.

Since we wrote this letter we have found additional federal privacy provisions  that are missing from the NYSED Parents Bill of Rights, including the right of parents whose children are using online programs at school to find out what personal student data is being collected, have that data deleted, and opt out of the online program if they so choose.  See this recent FTC guidance on COPPA, the Children's Online Privacy Protection Act.

Emailed Aug. 25, 2014, sent via snail mail September 12, 2014 

Dear Commissioner King and members of the New York State Board of Regents:

On behalf of New York State Allies for Public Education, a coalition of more than fifty parent and advocacy groups, and Class Size Matters, a parent advocacy group located in NYC, we write to you to state our concerns about the New York State Education Department’s failure to comply with key provisions of the 2014 state law regarding student data privacy and protection.

As you are aware, the budget bill that passed this spring contained many important provisions relating to student data privacy and security, including a halt to the State’s plan to share highly sensitive personally identifiable student data with inBloom, Inc.[i]  In addition, the new law required Commissioner King to appoint a Chief Privacy Officer (CPO).  According to this new law, it is the CPO who is charged with creating a Parents’ Bill of Rights for student data privacy and protection, as well as other important responsibilities.  

On April 29, 2014, a group of parent leaders and advocacy groups, including New York State Allies for Public Education, sent a letter to Commissioner King and the Board of Regents.[ii]  Among other things, this letter urged Commissioner King to appoint a well-qualified CPO, from outside the Department, well-versed in the issue of data privacy and security.  In addition, the letter urged that the CPO hold hearings throughout the State to hear stakeholder views on what the Parents’ Bill of Rights should include. 

Under the terms of the new law, the CPO appointed by NYSED must be qualified, through experience and/or training, in state and federal education privacy laws and regulations, civil liberties, information technology, and information security.  The law further requires that the CPO is to solicit feedback from parents and other stakeholder groups before putting forward a proposed Parents’ Bill of Rights.  That proposed Bill of Rights was then to be open for public comment before being adopted in its final form – all of this to occur no later than July 29, 2014.  In addition, the law requires every district to post the final Parents' Bill of Rights on its website, and to include it with every contract into which it enters with a third party vendor that receives student data.  That July deadline, however, has now long passed.

Shortly after posting an incomplete and deficient Parents’ Bill of Rights (as discussed below) on July 30, 2014, Commissioner King appointed Tina Sciocchetti, Esq., a former Assistant U.S. Attorney, to serve as interim Chief Privacy Officer.[iii]  Ms. Sciocchetti was already employed by NYSED as Director of Test Security and Educator Integrity, and there is nothing in her career or background to suggest that she meets the CPO qualifications and criteria specified in the law.  Moreover, given that Ms. Sciocchetti was appointed interim CPO after the current Parents’ Bill of Rights was posted, and the document reflects no input from parents and/or other stakeholders whatsoever, its legal validity is questionable.

As mentioned above, we are very concerned that the Parents’ Bill of Rights, as currently drafted and posted for school districts to use, is incomplete and has several serious mistakes in it.[iv]  For example, it fails to state that NYSED is under a legal obligation, both pursuant to 34 C.F.R. § 99.10(b) of the federal Family Educational Rights and Privacy Act (FERPA), and pursuant to section 95 of the New York Personal Privacy Protection Law (PPPL), to afford parents the right to review all personally identifiable data that the State holds for their children, and to afford them the opportunity to correct such data, if necessary.

Moreover, the new law delineates specific minimum security protocols that must be followed by any third party contractor that receives student, teacher, or principal data from an educational agency.  The law specifically states that third party contractors must use “encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the Secretary of the United States Department of Health And Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5,” and that such protocols (as well as a host of additional information) must be incorporated into the Parents’ Bill of Rights.

Instead, the current Parents’ Bill of Rights provides the far less rigorous requirement that third party contractors must merely “use encryption technology to protect data while in motion or in its custody from unauthorized disclosure.”  Finally, the Bill of Rights states that parent complaints about possible breaches should be sent to cpo@mail.nysed.gov, yet emails to this address go unanswered.

We respectfully request that NYSED correct these errors and omissions immediately, direct school districts and educational agencies to post the full provisions of law on their websites, and that NYSED and all educational agencies fully comply with the minimum security protocol requirements.   A recent audit from the NY State Comptroller found that employees in six districts had inappropriate access to sensitive student data.[v]  A report from the Attorney General’s office pointed out that reported data breaches in New York have more than tripled between 2006 and 2013, with an astounding 22 million personal records exposed.  A large number of breaches were reported by education institutions.[vi]  We can no longer risk this fate for our vulnerable children.   

We further urge Commissioner King to act with speed to appoint a well-qualified CPO who meets the criteria set forth in the legislation.   As clearly required by law, once a qualified individual is appointed, he or she must then solicit the input of parents and other stakeholders to help develop “additional elements of the parents bill of rights” before it is released for public comment and put into final form.  In addition, the CPO, along with Commissioner King, is required to promulgate regulations that establish standards to govern educational agencies’ data security and privacy policies, and to develop one or more model policies for them to use.  

We request that the CPO, once appointed, hold hearings throughout the State for the purpose of gaining input from parents, district officials, educators, and other stakeholders vis-à-vis the Parents’ Bill of Rights.  After this occurs, the proposed Bill of Rights should be drafted and made publicly available during a 45-day period of public comment, pursuant to proper notice, during which time interested parties would be allowed to submit comments online, to be posted by NYSED and answered by the CPO.

No doubt school districts, in preparation for the 2014-15 school year, have already engaged third-party contractors who will receive – or who have already received -- a wealth of personally identifiable student data.  Nevertheless, New York State continues to lack sufficient student data privacy and security protections for its millions of public school students, and has failed to provide timely proper and sufficient guidance to school districts that endeavor to do so.  This must change. 

Finally, we urge you to ensure that the State Longitudinal Student Database is developed with the utmost attention to student data privacy and security, and that an advisory body of stakeholders be appointed to oversee it. 

We thank you in advance for your attention to these matters and look forward to your response.

Very truly yours, 
Deborah Abramson Brooks,  Lisa Rudley, Anna Shah, & Allison White on behalf of New York State Allies for Public Education and Leonie Haimson, Executive Director, Class Size Matters



[i] The student privacy components of the legislation are at http://open.nysenate.gov/legislation/bill/A8556D-2013, beginning in Part AA, Subpart K Section 1, and thereafter throughout Subpart L. 

[ii] The letter is posted at  http://tinyurl.com/luq44mn

[iii] Gary Stern, “New York posts 'bill of rights' to protect student data,” Westchester County Journal News, July 30, 2014.

[iv] NYSED’s Parents’ Bill of Rights is posted at http://www.p12.nysed.gov/docs/parents-bill-of-rights.pdf

[v] Office of the New York State Comptroller, “Access Controls over Student Information Systems,” August, 2014.

[vi] Office of the New York State Attorney General, “Information Exposed: Historical Examination of Data Breaches in New York State,” July 14, 2014.