Rachael Stickland testifies to U.S. House Education & the Workforce Committee on Student Privacy

panel us house ed & workforce march 22 2016

On Tuesday, March 22, 2016, Parent Coalition for Student Privacy co-chair Rachael Stickland was invited to testify before the U.S. House Education & the Workforce Committee at a hearing entitled “Strengthening Education Research and Privacy Protections to Better Serve Students.”

The Committee’s media advisory can be viewed here along with the press release here. Rachael’s full testimony can be found here (and below).

Webcast of the hearing can be viewed here:

For articles about the hearing, please visit the following:

Education Data, Student Privacy Take Spotlight at Capitol Hill Hearing

Education Week by Andrew Ujifusa, March 22, 2016

Congress seeks to update student data privacy law

edscoop by Yizhu Wang, March 22, 2016

Congress Confronts a Balancing Act Between Education Research Data and Student Privacy Rights

The 74 by Mark Keierleber, March 22, 2016

Student Data Under the Microscope

POLITICO Morning Education by Caitlin Emma, March 23, 2016

Education Research Needs Data

U.S. News by Michael Hansen, March 25, 2016


 

Testimony of Rachael Stickland, Co-Founder, Co-Chair

Parent Coalition for Student Privacy

 Before the United States House of Representatives

House Committee on Education and the Workforce

 Hearing on Strengthening Education Research and Privacy Protections to Better Serve Students

March 22, 2016

Good morning Chairman Kline, Ranking Member Scott and distinguished members of the Committee. I would like to thank you for the opportunity to testify today on behalf of parents concerned about strengthening privacy protections to better serve students.

My name is Rachael Stickland. I am a parent of two public school children in Colorado, and I am co-founder and co-chair of the Parent Coalition for Student Privacy which represents a wide coalition of parents from across the nation, from Florida to Washington, California to New York, including Democrats, Republicans and Independents, public school parents and homeschoolers, professionals and stay-at-home mothers. We receive no funding from special interests, and are united in our effort to protect all children and their privacy. We came together in July 2014 after working together as individuals and groups to defeat the widely criticized inBloom project.[1]

The controversy surrounding this corporation that was designed to collect the personal information from students in nine states and districts sparked a new awareness among parents nationwide about how widely their children’s personal data was already being disclosed to third parties beyond the schoolhouse doors, and how few protections existed against its misuse. Though inBloom is now gone, parents continue to seek answers to exactly what information pertaining to their children is being collected, who has access to the information and for what purpose, and when that information will be destroyed.

I would like to focus my testimony today on the need to strengthen federal educational law to meet the challenges of our modern educational ecosystem and to address the current threats to student privacy. Specifically, I will place an emphasis on personal student information collected by schools and school districts that are then disclosed to state education departments and maintained in Statewide Longitudinal Data Systems or SLDS.

Currently, schools collect much more information on students than most parents realize. While some was required by No Child Left Behind and individual state mandates, much of the data now collected appears to transcend legal requirements. Beyond standard transcript-type data like student names, addresses, courses taken, grades earned and days absent, schools also collect hundreds of pieces of information like disabilities and interventions, medical information from 504 plans, disciplinary incident reports, scores on standardized exams, school readiness scores and recommendations for grade retention. Additionally, schools or commercial vendors used by schools collect highly personal information from students as they use online education tools such as Google Apps for Education or Khan Academy.

Once this information is collected at the local level, much of it is pushed up to the state to be maintained in the state unit record system called the SLDS or the P-20W (preschool through workforce). These unit record systems have been funded partly through federal grants awarded in five rounds of funding from 2005-2012. Forty seven of fifty states as well as the District of Columbia, Puerto Rico, and the Virgin Islands have received at least one SLDS grant.[2] These systems are intended to match students and teachers for the purpose of teacher evaluation, and to promote interoperability across multiple state agencies, as well as across state lines via multi-state consortia.

Rather than simply collecting standard administrative data, these SLDS systems have the capability to maintain upwards of 400 data elements on each individual child. According to the Colorado State Department of Education, our SLDS project is designed to link information from the education department to five other state agencies, including the Colorado Department of Higher Education (CDHE), Colorado Department of Labor and Employment (CDLE), Colorado Department of Corrections (CDOC), Colorado Department of Public Safety (CDPS) and the Colorado Department of Human Services (CDHS). [3] The individually identifiable life-information that is so neatly organized in these systems effectively become life-long dossiers and, if or when compromised, could give away the entire life history of every student in a state.

Interagency linkages like Colorado’s SLDS and even interstate linkages [4] would not have been permissible prior to the unilateral regulatory changes to the federal student privacy law known as FERPA by the Department of Education in 2011. [5] The parents we represent strongly urge Congress to strengthen FERPA and restore the robust protections it originally contained that prohibited the expansion of the SLDS program.

SLDS’s purported purpose is to help states, districts, schools, educators, and other stakeholders make data-informed decisions to improve student learning and outcomes; as well as to facilitate research to increase student achievement and close achievement gaps. Parents don’t disagree with the premise that data can and should be used for purposes to help advance their children’s education. However, parents are concerned about SLDS because of the lack of compelling governmental interest which would justify this level of tracking that serves as an open invitation to mission creep. The availability of a dataset as rich as SLDS quickly turns it into the go-to data mart for authorized or unauthorized use by other institutions, organizations, and state agencies.

For example, earlier this year a California organization filed a lawsuit alleging that the state is failing to ensure districts provide services to all children who need them. The federal judge ruled in favor of the plaintiff and ordered the release of records for 10 million California students dating back to 2008 maintained in the state SLDS known as CALPADS.[6] Highly sensitive information on every child in the state’s education system were to be made available to the plaintiff’s legal team including student “names, addresses, disciplinary records, grades, test scores, and even details such as pregnancy, addiction and criminal history.”[7] Since the initial ruling in February, thousands of parents including the California PTA vehemently protested this unprecedented release. Because of the backlash, the judge has since modified her order allowing the plaintiff’s legal team to access and query the CALPADS data system rather than receive a full copy of the system. It’s worth noting that this disclosure of student information is authorized under current federal law, and as a result of the controversy the judge has since suggested modernizing FERPA.[8]

Another example of the unintended yet currently allowable use of SLDS was the attempt by the New York State Education Department, without public input or comment, to declare that all data in the SLDS should be placed into the state archives for a hundred years or more with no clear restrictions on access. After parent advocates discovered this decision in an obscure memo and protested, the state is now reconsidering this decision, but such a reckless policy without strong citizen oversight should never be allowed.[9] Should children of uniformed parents be any less protected?

Examples of authorized uses of SLDSs such as the California and New York cases are threat enough in their own right, but the high probability of breach or abuse should give advocates of maximal data collection in SLDS considerable pause. There are currently no specific security protections required for the collection and storage of this data unlike those required in HIPPA, for example, even though education records maintained by the SLDS often contain equally sensitive health information.

As Congress weighs competing interests in the student privacy debate, parents in our coalition urge you to always first think of the individual child. Allowing or incentivizing the government to track autonomous individuals through most of their lives in the name of research has speculative benefits at best and can instead lead to profiling, stereotyping and discrimination that can hinder a child’s potential for growth and success. We agree with both the testimony provided by National PTA[10] and Microsoft[11] to the House Subcommittee on Early Childhood, Elementary and Secondary Education in February 2015 that an individual owns his or her own data. Parents believe this to mean the right to decide with whom it will be shared and under what conditions.

Recommendations

Should Congress continue supporting the development and expansion of SLDS through federal grants, and as you contemplate student privacy as a legislative matter, please consider our coalition’s recommendations for the SLDS program as well as the use of personal student information by schools and districts:

  1. Increased transparency: At minimum, SLDS unit record systems must be subject to the Privacy Act of 1974’s code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.[12] Optimally, parents must be told what student information is collected and by whom, how it is to be used and when it is to be destroyed, and to be notified in advance of any disclosure of personal student information to any persons, companies or organizations outside of the school or district.
  2. In addition to increased transparency, parents also advocate for state Institutional Review Boards or IRBs to vet all uses of personal data, to question whether de-identified, anonymized or aggregated data could not be used in its stead, and to ensure that there are strict security standards and requirements for data destruction. We also urge that citizen oversight of the SLDS be required.
  3. There should be no commercial uses of personal student information; or use for any marketing purposes should be banned.
  4. Security protections: At minimum, there must be encryption of ALL personal data at motion and at rest, required training for all individuals with access to personal student data, audit logs, and security audits by an independent auditor.
  5. Increased parent/student rights: Re-disclosures by vendors or any other third parties to additional individuals, sub-contractors, or organizations should be prohibited without parental notification and consent. Parents must be allowed to see any data collected directly from their child by a school or a vendor given access through the school, delete the data if it is in error or is nonessential to the child’s transcript, and opt out of further collection, unless that data is part of their child’s educational records at school. Any data-mining for purpose of creating student profiles, even for educational purposes, must be done with full parental knowledge. Parental consent must be required for disclosure for highly sensitive information such as their child’s disabilities, health and disciplinary information. We also urge that HIPPA be used as a model which requires individual notice and consent before personal health information can be used in research, with few exceptions.
  6. Enforcement: Any federal student privacy law should specify fines if the school, district or third party violates the law, their contracts and/or privacy policies; with parents able to seek redress on behalf of their children as well.

Thank you again for the opportunity to participate in this hearing and for your consideration of my testimony.

[1] See Benjamin Herold, inBloom to shut down amid growing privacy concerns, Education Week, Apr. 21, 2014 http://blogs.edweek.org/edweek/DigitalEducation/2014/04/inbloom_to_shut_down_amid_growing_data_privacy_concerns.html

[2] See U.S. Department of Education, Institute of Education Sciences, National Center for Education Statistics Statewide Longitudinal Data Systems Grant Program http://nces.ed.gov/programs/slds/stateinfo.asp

[3] See Colorado Department of Education’s Statewide Longitudinal Data System “RISE” project https://www.cde.state.co.us/rise/connect

[4] See Western Interstate Commission for Higher Education report Beyond Borders: Understanding the Development and Mobility of Human Capital in an Age of Data-Driven Accountability http://www.wiche.edu/info/longitudinalDataExchange/publications/MLDE_BeyondBorders.pdf

[5] See U.S. Department of Education Family Education Rights and Privacy Act, Final Rule Dec. 2, 2011 https://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf

[6] See Elizabeth Weise, Calif. judge allows data release on 10M students, USA Today, Feb. 17, 2016 http://www.usatoday.com/story/tech/news/2016/02/16/morgan-hill-kimberly-mueller-california-public-schools-information-disabled-release-10-million/80472900/

[7] See Sharon Noguchi, Judge backtracks on release of California student records, San Jose Mercury News, Mar. 4, 2016 http://www.mercurynews.com/bay-area-news/ci_29590794/judge-pulls-back-from-calif-student-records-release?source=infinite-up

[8] Ibid

[9] New York Archives, Records Disposition Request rec-3, dated 12/20/13

[10] See Ms. Shannon Servier, National PTA, testimony before the U.S. House of Representatives Subcommittee on Early Childhood, Elementary and Secondary Education, Feb. 12, 2015 http://edworkforce.house.gov/uploadedfiles/sevier_testimony_final.pdf

[11] See Ms. Allyson Knox, Microsoft, testimony before the U.S. House of Representatives Subcommittee on Early Childhood, Elementary and Secondary Education, Feb. 12, 2015 http://edworkforce.house.gov/uploadedfiles/knox_testimony_final.pdf

[12] The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. The Privacy Act of 1974 requires each federal agency that maintains a system of records shall publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records, which notice shall include:

(A) the name and location of the system;

(B) the categories of individuals on whom records are maintained in the system;

(C) the categories of records maintained in the system;

(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use;

(E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;

(F) the title and business address of the agency official who is responsible for the system of records;

(G) the agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him;

(H) the agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records, and how he can contest its content; and;

(I) the categories of sources of records in the system.

 

 

 

Please send comments to US Dept of ED on new student database by Feb. 18!

The U.S. Department of Education intends to create a new student database to house the personally identifiable information of 12,000 students, 500 teachers and 104 principals from 104 unidentified schools in 12 school districts across the country.

The information collected on students will include vast amounts of sensitive data including, but not limited to, standardized test scores, race/ethnicity, individual education plan status, and discipline records in order to facilitate “a rigorous study of the effectiveness of providing data-driven instruction professional development to teachers and principals.” The Department of Education is accepting public comments about its data-collection plans until February 18, 2016.  There was an article about this plan in the Washington Post Answer Sheet last month, before the comment period was extended.

Please send in your comments and join the Parent Coalition for Student Privacy in telling the Department of Education that the federal government should never collect personally identifiable student information for any reason and that it should cease plans to develop this database at once. However, if the Department is intent on moving forward with this study, we believe it should be obligated to:

  • explain why aggregate information can’t be used instead of personally identifiable information;
  • specifically define the personally identifiable elements that will be collected and why each data element is needed;
  • notify parents of student who are involved in the study, or at least reveal which districts are participating, and report the names of any other third parties to whom the personally identifiable information will be disclosed;
  • demand that districts obtain informed consent from parents whose children are participating in the study;
  • demonstrate “significant improvement” in the four key areas identified as a result of a recent Congressional hearing on cybersecurity, or at least report what security protections will be used to safeguard the data;
  • disclose specifically when the data will be deleted or destroyed;
  • explain why the federal government has a need to collect or maintain any personally identifiable data when districts could provide it directly to the researchers for their analysis.

Feel free to simply copy our recommendations, add/subtract, or write your own, and submit them here by Thursday, February 18th.

To view our full comments to the U.S. Department of Education, please visit here; and see the official notice here.

Thank you for your continued support to protect student privacy! —

Rachael and Leonie

Parent Coalition for Student Privacy comments to the U.S. Dept. of Ed

Comments of the Parent Coalition for Student Privacy
to the
Institute of Education Sciences, U.S. Department of Education

Privacy Act of 1974; System of Records—“Impact Evaluation of Data-Driven Instruction
Professional Development for Teachers” (#18-13-39)

[FR Doc. 2015-30526]

February 13, 2016

In response to the Institute of Education Sciences of the Department of Education’s published notice, dated December, 2, 2015, to create a new system of records for the “Impact Evaluation of Data-Driven Instruction Professional Development for Teachers” (#18-13-39) (“Study”), the Parent Coalition for Student Privacy (“PCSP”) respectfully submits the following comments objecting to the Department of Education’s (“Department”) proposed collection, use and disclosure of students’ personally identifiable information for purposes of this Study.

According to the System of Records Notice (“SORN”), the Study will facilitate the collection of “personally identifying information on approximately 12,000 students, 500 teachers, and 104 principals from 104 schools in 12 school districts…”

The SORN further states that records “[f]or students… will include, but will not necessarily be limited to, standardized math and English/Language Arts test scores, age, sex, race/ethnicity, grade, eligibility for free/reduced-price lunches, English Learner status, individualized education plan status, school enrollment dates, attendance records, and discipline records.”

We oppose the federal government collecting this highly sensitive personally identifying information from students, on the following grounds:

1. We agree with the Electronic Privacy Information Center that the Department could likely achieve its research goals by using aggregate data instead of students’ personally identifiable information.
This would also reduce the risk that the personal data of students might be misused or breached by the federal government or the private contractors to whom the agency proposes to share the data. If the Department or its contractors cannot achieve their goals by collecting and analyzing aggregate data, they should be obligated to explain why. The goal of data minimization is a requirement of the Fair Information Practice Principles as delineated by the National Institute of Standards and Technology (“NIST”).

2. The Department should be obligated to define specifically which student personally identifiable information (PII) it plans to collect and why.
The Department’s vague declaration that the student information it will collect “will include, but will not necessarily be limited to…” lacks the precision necessary to meet the Department’s own transparency guidance for local education agencies. According to the document entitled “Transparency Best Practices for Schools and Districts,” the Department’s Privacy Technical Assistance Center (“PTAC”) advises that schools and districts communicate the following information to parents:

What information are you collecting about students?
• Develop and publish a data inventory listing the information that you collect from or about your students. A best practice is to provide this information at the data element level.
Why are you collecting this information?
• Explain why you collect student information (e.g., for state or federal reporting, to provide educational services, to improve instruction, to administer cafeteria services, etc.). A best practice is to provide this information at the data element level.

Just as the PTAC advises local education agencies to develop and publish an inventory at the data element level, the federal government should be obligated to maintain at least the same level of transparency as it recommends that schools and districts display. Transparency is also one of the key Fair Information Practice Principles.

3. Notify the parents of children involved in this Study that their student’s personally identifiable information will be collected and disclosed to researchers.
While FERPA no longer requires parental notification and consent of student participation in a federal study, audit or evaluation since the regulations were re-written in 2011, best practices for transparency developed by the PTAC for local education agencies urge them to answer the following questions and communicate the answers to parents:

Do you share any personal information with third parties? If so, with whom, and for what purpose(s)?

The Department should adopt this practice for the unit record system developed for purposes of this Study. This is yet another Fair Information Practice Principle as articulated by NIST: “Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information.”

4. The Department should obtain informed consent from parents before children participate in the Study.
Approximately 50 million students are currently educated in the U.S. Of those 50 million, 12,000 children will be taking part in the Study, representing 0.024% of the entire student population. Obtaining consent from parents of this relatively small sampling of families would not be overly burdensome. The Department or participating districts should ask parents for their permission to participate before the Study begins, in accordance with the following Fair Information Practice Principle: “Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII.”

5. Improve the Department’s data security protocols before developing yet another unit record system.
Troubling findings from the U.S. Department of Education: Information Security Review Hearing (“Hearing”) by the Full House Committee on Oversight and Government Reform on November 17, 2015, include:

1. The Department maintains 184 information systems.
• 120 are managed by outside contractors
• 29 are valued by the Office of Management and Budget (OMB) as “high asset”
2. The Department scored NEGATIVE 14% on the OMB CyberSprint for total users using strong authentication
3. The Department received an “F” on the FITARA scorecard
4. The IG penetrated DoEd systems completely undetected by both the CIO or contractor
5. The Department needs significant improvement in four key security areas:
• Continuous monitoring
• Configuration management
• Incident response and reporting
• Remote access management

Until the Department markedly improves its information security practices for the data systems it currently maintains it should not be in the business of creating additional unit record systems. Security is yet another principle of Fair Information Practices that the federal government should be obligated to respect: “Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.” At the very least, the Department should be obligated to reveal what security protections will be used to safeguard this data, as in this PTAC recommendation: “Explain your institutions information technology (IT) security and data protection policies.”

5. Reveal when the data will be deleted or destroyed.
Another Fair Information Practice Principle refers to data deletion: any organization, including the Department should “only retain PII for as long as is necessary to fulfill the specified purpose(s)” for which it has been collected. Yet nowhere in the SORN does the Department disclose exactly when the data will be deleted. To the contrary, according to the General Records Schedule 4.1 referred to in the SORN, an unsatisfactorily vague statement is made that the personal information collected for this Study will be “Destroy[ed] when no longer needed.”

6. Explain why the Department must collect any personally identifiable data for the purpose of a study that other researchers are conducting.
Finally, we are unable to discern why the Department needs to acquire this information at all. If a study of Data-Driven Instruction Professional Development by contractors must involve the analysis of personally identifiable student information, why cannot these researchers obtain the data directly from participating districts, without the data being collected or maintained by the federal government?

Conclusion

For the preceding reasons, the Department should cease development of the “Impact Evaluation of Data-Driven Instruction Professional Development for Teachers” unit record system. The PCPS feels strongly that the Department should never collect personally identifiable student information for any reason.

However, if the Department is intent on moving forward with this study, it should be obligated to: (1) explain why aggregate information would not be sufficient for the purposes of the Study; (2) specifically define the personally identifiable data elements that will be collected and why each data element is needed; (3) notify parents of students who are involved in the Study, or at least reveal which districts are participating, and report the names of any other third parties to whom the personally identifiable information will be disclosed; (4) demand that districts obtain informed consent from parents whose children are participating in the Study; (5) demonstrate “significant improvement” in the four key security areas identified as a result of the Hearing, or at least report what security protections will be used to safeguard the data (6) disclose specifically when the data will be deleted; and (7) explain why the federal government has a need to collect or maintain any personally identifiable data when districts could provide it directly to the researchers for their analysis.

The PCSP awaits the Department’s responses to each of these questions and/or recommendations.

Respectfully submitted,

Rachael Stickland
Co-Chair

Leonie Haimson
Co-Chair

Parent Coalition for Student Privacy
124 Waverly Place
New York, New York 10011
[email protected]

Click here for a downloadable version of the comments with references.

Join our “Data Privacy Day” Twitter Chat 1/28 @ 9-10PM EST

We know you care about student privacy but are you aware this Thursday is Data Privacy Day? Data Privacy Day is an annual international effort held every January 28th to increase awareness and empower people to protect their personal information.

The Parent Coalition for Student Privacy will be celebrating Data Privacy Day this year by holding a Twitter chat on January 28th from 9:00-10:00 PM EST. We will be asking parents and teachers to weigh in on what questions they would like answered and resources they need to protect and advocate for student privacy in their own school communities. We will use feedback from the Twitter chat to help us design a student privacy toolkit which we will release in partnership with the Campaign for a Commercial-Free Childhood this fall when kids go back-to-school. Stay tuned!

Please join us this Thursday, January 28th from 9:00-10:00 PM EST on Twitter at @parents4privacy and @commercialfree and use the hashtag #StudentPrivacy.

Thank you!

Leonie Haimson and Rachael Stickland

Parent Coalition for Student Privacy, co-chairs

www.studentprivacymatters.org

@parents4privacy

What Your Child Really Needs To Know Before Taking the SAT (or ACT)

By Rachael Stickland and Leonie Haimson, co-chairs, Parent Coalition for Student Privacy

High schoolers hate waking up early on Saturday mornings, especially to take high-stakes tests like the College Board’s SAT or the ACT. Next Saturday, January 23, 2016 marks the last time that U.S. students are able to take the current SAT before the new test comes online on March 5.

Anxiety over the “new” test has left many families scrambling to get their kids registered for the older, well-established version to be administered in just a few days. Now that the day is almost near – training courses and practice tests completed – there’s one last thing parents must do to help their children prepare for Saturday: advise them not to answer the optional pre-test questions.

Just moments before administration of the exam officially begins, or upon registering online, students may be asked to answer questions on a student questionnaire and to check off a box agreeing to participate in the Student Search Service ™ program if they want to receive information from colleges or scholarship organizations. See below or here for more information:
add this screenshot in case it goes away

According to POLITICO, “Depending on the exam, at least 65 percent — and as many as 85 percent — of test takers check that box, according to the College Board and ACT. Parents do not have to give their consent, as this is only required by federal law while collecting personal data from children under 13.”

Students will be asked their Social Security number; other questions may include their grade point average, religious affiliation, ethnicity, family income, interests, citizenship, disabilities, and more. Under immense pressure to perform well on the test, and often not aware that answering these questions is fully voluntary, students may be enticed to offer up this information, especially if they believe it will increase their opportunity to be recruited by elite colleges or offered scholarships. They may not even realize that this information may be used to help colleges decide who not to recruit or admit as well. As the College Board puts it,

As part of taking a College Board exam, students are asked to fill out a student data questionnaire…. Participating, eligible organizations can then search for groups of students who may be a good fit for their communities and programs, but only among those students who opt to participate in Student Search.

The search criteria can include any attribute you provide, except the following: disability, self-reported parental income, social security number, phone numbers and actual test scores. The most searched items are expected high school graduation date, cumulative GPA and intended college major.

And: By opting in, they give the College Board permission to share their names and limited information with colleges and scholarship programs looking for students like them.

In other words, colleges are looking not just for students to recruit but who to admit and/or reject; or as the College Board softly frames it, those “who may be a good fit for their communities and programs.”

What your weary-eyed, college-bound children may not also realize is that when they provide the College Board or ACT personal details, their “profiles” are not simply “sent” to interested parties, rather they are sold for as much as 40 cents apiece in the shadowy data market.

According to the College Board website: “During the registration process, we ask students for: name, address, date of birth, gender, Social Security Number or student ID, and address. We may also ask for phone numbers and email addresses, school name, grade level or expected graduation date, ethnicity, and a parent’s name, email address, and education level.”

And: “…we ask students for personal information to help them make choices about their future. To help students receive the most relevant and accurate information about their college options and scholarship opportunities through Student Search Service®, we also ask optional questions about academic and extracurricular interests, career and field of study interests, family income, and religious preferences. Students must opt in to participate in this service; the College Board does not include students without their consent. Students may also opt out at any time.

Note that link above, in case you or your child have already opted in upon registration that you still have the right now to opt out. The information requested varies by the exam they are taking, with the most intrusive data being asked of students when taking the SAT and PSAT, including religion, ethnicity and grades and citizenship, while less intrusive information is asked of students taking AP exams. See here for the differences.

Some parents may find this practice acceptable, especially if they perceive that their children “may” benefit when their information is passed along – or they may not. But what is also objectionable is that the College Board and ACT refuse to tell students (or parents for that matter) that they SELL the information. According to POLITICO, ACT’s profits generated from selling student profiles were approximately $15 million in 2012; the College Board wouldn’t disclose its revenue from its trademarked Student Search        Services ™ program but it surely was many millions as well.

At one place on its website, College Board falsely claims it doesn’t sell student data. On its “privacy policy” page, many parents will read the following: “The College Board does not sell student information. Students can voluntarily opt in to our Student Search Service. Qualified colleges, universities, nonprofit scholarship services, and educational organizations pay a license fee to use this information to recruit students and manage enrollment in connection with educational or scholarship programs.”

What the difference is between selling student data or selling “a license fee” to colleges and organizations to receive the data is a difference without a difference.

On another page, the company adjusts this claim by saying only that it doesn’t sell student data to test prep companies – not mentioning colleges or other organizations: “It is the College Board’s strict policy NOT to sell student information to test-preparation companies, nor are such companies affiliated with the College Board.”

On a yet a different page, meant for its institutional clients, the College Board makes clear that it does indeed sell student data, at 40 cents per name, and offers high priced subscription services for “enrollment planning”:

See the Pricing and Payment Policies here:

pricing

The Enrollment Planning Service, according to the College Board “precisely locates students — both within the United States and abroad — who meet admission criteria and are likely to succeed at a particular institution. Enrollment Planning Service also informs better and more-strategic recruitment activities based on a wide range of criteria including geography, demographics, academic preparation and educational aspirations.”

Its Segment Analysis Service™ (formerly Descriptor PLUS™) is a powerful data enrichment service that allows admission professionals to identify promising prospective students by learning more about where they live and where they go to high school. Segment Analysis’ Educational Neighborhood and High School Cluster tags leverage data on millions of students and thousands of high schools to provide a more complete picture of various student segments and help you align your recruitment efforts to the characteristics of these segments.”

College Board adds that the Segment Analysis Service allows institutions to “achieve better yields from admission through graduation,” presumably in the effort to boost their four year graduation rates.

This is not to let off the ACT off the hook. ACT subjects parents and students to an even more detailed and intrusive survey on their website, with detailed questions about a student’s disabilities, preferences, religious practices, hobbies and more.

According to POLITICO, the ACT also lets customers filter student profiles by family income, parents’ education levels and student disabilities.

As first reported by an independent educational consultant Nancy Griesemer, the ACT even sells an algorithm to colleges based upon a student’s personal data points to help them decide whom to admit – without informing parents or students how this information may be used:

“… assessments [are] provided to approximately 450 institutional participants in ACT Research Services of “Overall GPA Chances of Success” in various general categories of majors including education, business administration, liberal arts, and engineering, as well as “Specific Course Chances of Success” in broad areas such as freshman English, college algebra, history, chemistry, psychology etc.

Chances of success are made in terms of those students likely to receive a “B” or better in these areas or those students likely to receive a “C” or better. And they are nowhere to be found on the ACT report provided to students and families.”

Why the secrecy? Why the deception? If you find this outrageous, you’re not alone. As far back as 2011, the data collection and storage practices, as well as the commercialization of student information, by College Board/ACT spurred Congressional inquiry.

A lawsuit was filed against the College Board and ACT in 2013 (Spector v. ACT, Inc. et al) and another in 2015 (Silha v. ACT, Inc. and the College Board), for deceptive practices, in that they never disclosed to students that their data was being sold as opposed to freely “shared.”

Unfortunately, the first lawsuit was voluntarily dismissed by the plaintiff in 2014, and the second lawsuit was recently dismissed when the Judge ruled that the plaintiffs failed to make their case showing any harm to the students from the sale of their data.

A Parent Coalition for Student Privacy researcher, Cheri Kiesecker, recently wrote the College Board to ask if students chose to NOT complete the survey, would their college admission chances be affected. See the reply from SAT / College Board here. Their representative responded that if a student does not opt in to Student Search Service ™, ”it will not impact their chances at being accepted into colleges or scholarship programs in any way.” What the representative did not say that if they opt in, it may negatively affect their application or scholarship opportunities.

So what should you say to your children if you’re a parent concerned with their privacy?

On its website, the College Board offers a “Test Day Checklist,” including what to bring (i.e. photo ID) and what to leave at home (i.e. cell phone) on test day. The same website links to the College Board’s Student Search Services ™ data-selling program where it reminds test takers to check the box to opt in when you take the SAT. (See the screenshot below.)

Use this information to educate your children. Explain to them why it’s important to never share personal information that is not absolutely necessary to register for or take the test. Advise them not to share their Social Security number or any other information that is not required. Show them the screenshot to see what the search consent checkbox may look like and how to answer. Then use our handy checklist to get yourself ready for the big test on Saturday.

And remember … once the test is complete, encourage your children to research colleges and scholarships on their own that might be a good fit for them. Their personal information doesn’t have to be sold– and should never be offered unknowingly in a manner that could limit their opportunities.

Parent Coalition for Student Privacy’s SAT Pre- Test Day Checklist:
1. On Thursday or Friday, talk to your children about the importance of providing only the personal information necessary to take the test, and show them the SAT’s Student Search Service ™ screenshot below so they know what it might look like and which box to select (No, thanks.);
2. Encourage them to go to bed early Friday night, get plenty of rest, and set the alarm (AM, not PM!);
3. Serve a nutritious breakfast Saturday morning to your children and remind them to bring a photo ID, the “admission ticket,” NO. 2 pencils and an acceptable calculator from the College Board’s Test Day checklist;
4. Remind them NOT to volunteer any personal information other than what is required like name, address, school, date of birth, etc., and that there is no reason to offer up their Social Security number, religious affiliation, family income, or other extraneous information. They should also CHECK the “No, thanks” box if there is one in the Student Search Service ™ section.
5. Reassure them to relax and just do their best on the exam itself.

checkbox