State educational databases ignore key privacy protections for the nation’s K-12 children, according to a study by Fordham Law’s Center on Law and Information Privacy (CLIP).
This comes as Congress is considering legislation that would expand and integrate the 43 existing state databases without addressing their critical privacy failures.
CLIP found that sensitive, personal information related to matters such as teen pregnancies, mental health and juvenile crime is stored in a manner that violates federal privacy mandates.
Moreover, the center reports that:
• At least 32 percent of states store children’s social security numbers.
• At least 22 percent of states record student pregnancies.
• At least 46 percent of the states track mental health, illness and jail sentences as part of children’s educational records.
Also, almost all states with known programs collect family wealth indicators.
Some states outsource the data processing without any restrictions on use or confidentiality for K-12 children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into adulthood, according to the study.
“If these issues are not addressed, the results could be catastrophic from a privacy perspective,” said Joel Reidenberg, professor of law, and founding director of CLIP. “We don’t question the legitimacy of collecting data for school accountability, but we urge Congress and state officials to take rapid steps to ensure the data is collected and stored properly and used in compliance with established privacy laws and principles.”
CLIP launched the study in 2008 because state departments of education had recently established longitudinal databases to track all K-12 students’ progress. The trend has been accompanied by efforts to create uniform data collection systems so that states’ student data systems are compatible.
Often, the flow of information from the local educational agency to the state Department of Education was not in compliance with the privacy requirements of the Family Educational Rights and Privacy Act.
One state, New Jersey, diverts special education Medicaid funding to pay for an out-of-state contractor to warehouse data, including medical test results. Many states do not have clear access and use rules regarding their databases. Further, more than 80 percent of states apparently fail to have data-retention policies and, thus, are likely to hold student information indefinitely.
Even so, House Bill 3221, or the Student Aid and Fiscal Responsibility Act, calls for the further integration of the databases without addressing these privacy concerns. A Senate version of the bill is expected to be released from committee shortly.
“The CLIP study meticulously documents the states’ disregard for safeguarding children’s most personal data,” said Barmak Nassirian, associate executive director of the American Association of Collegiate Registrars and Admissions Officers, “and yet Congress is poised to fund an ill-thought- through expansion of these systems to include data ranging from pre-birth medical information to education, employment, military and criminal records.”
The study makes several recommendations:
• Data at the state level should be made anonymous through the use of dual-database architectures.
• Third-party processors of educational records should have comprehensive agreements that explicitly address privacy obligations.
• The collection of information by states should be minimized and specifically tied to an articulated audit or evaluation purpose.
• Clear data-retention policies should be made mandatory.
• States should have a chief privacy officer in the Department of Education who assures that privacy protections are implemented for any educational record database.
