Tag Archives: FERPA

PCSP urges the US Dept. of Education to strengthen enforcement of federal student privacy laws

On February 17, the Student Privacy Policy Office (SPPO) and the Privacy Technical Assistance Center (PTAC) of the US Department of Education held a “listening session” with representatives from a few privacy advocacy groups as well as some organizations funded by the ed tech industry.  The most vocal participants urging stronger enforcement of federal student privacy laws were Cassie Creswell and I, co-chairs of the Parent Coalition for Student Privacy, and Joel Schwarz and Andrew Liddell of the Student Data Privacy Project.

Kevin Herms, Chief Privacy Officer and Director of SPPO, and Ross Lemke, Manager of PTAC, encouraged the participants to send  follow-up letters to summarize their concerns.  Our letter detailing some of them is below.  Joel Schwarz’s follow-up letter is posted on his LinkedIn page.

Hopefully the strong discontent expressed by several participants of this “listening session” will lead to stronger and more effective action by the US Department of Education, which is in charge of enforcing our critical federal student privacy laws including FERPA, PPRA, and COPPA, but too often seems to be sleeping at the wheel.

Parents: Two ways to find out what ed tech companies are collecting your child’s personal data

Parents, help fill in this FERPA Project Map for the folks at The Student Data Privacy Project.

https://www.studentdataprivacyproject.com/ferpa-project-map

1. This FERPA Map project

is sponsored by our friends at the The Student Data Privacy ProjectTheir goal is to highlight the need for parents to know how the data for their children is being collected and protected by ed tech apps. Under FERPA, parents have that right but it is rarely being exercised or enforced. They are asking parents in all 50 states to send a letter to their District or school requesting their child’s data that is held by these private companies.  You can click on their website here to request their  FERPA template  letter.  When you send your letter to your district or school, please copy us at info@studentprivacymatters.org  on your request.

2. It’s time we KNOW what data these edtech apps are collecting and how they are being used. 

We at the Parent Coalition for Student Privacy launched our own App Survey in January, for Data Privacy Day 2021. We are researching which edtech apps schools are asking students to use and whether they are sufficiently protective of children’s privacy.  You can take our App Survey here.  

Please let us know what online apps and programs your district or school is using, and check to see if they have been transparent about their privacy policies.  Your name and district will be kept confidential. Thank you to the MANY parents and educators who have already completed this App Survey.  Please continue to share and we will let you know the results soon.  If you have any questions or concerns, please feel free to email us at info@studentprivacymatters.org  

 

 

For Data Privacy Day — take our Survey: online apps used by districts and their privacy provisions

Today, January 28th is Data Privacy Day, the international annual day of action and awareness to promote the privacy of our personal data.

The Parent Coalition for Student Privacy is researching which ed tech apps schools are asking students to use and whether they are sufficiently protective of children’s privacy.

Since the pandemic hit, school districts across the nation have purchased many commercially-produced online apps and programs to implement remote learning. Even before last spring, districts had been using a large number of programs, many of which have access to personal student information. Many of these apps collect and use personal student data in ways that are not transparent and we do not understand.

More recently, this past December, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned aboutmalicious cyber actors … targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services.” This follows another warning the FBI put out in 2018 that the use of ed tech apps in schools posed a serious threat to children’s privacy and safety.

Please let us know what online apps and programs your district or school is using, and check to see if they have been transparent about their privacy policies. Your name and district will be kept confidential.

Click here to take the survey.

On Data Privacy Day and every day, it is important to protect children’s information. Below are a few resources to help.

The 2019 State Student Privacy Report Card lists and rates state laws based on Transparency, Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations. https://studentprivacymatters.org/map/map.html

Federal Laws enabling parents to protect their Children’s Privacy: FERPA, PPRA and COPPA https://studentprivacymatters.org/ferpa_ppra_coppa/ . Read how FERPA was weakened here and how to request to inspect your child’s education record maintained by your school or the state here.

Parent Toolkit for Student Privacy https://www.studentprivacymatters.org/wp-content/uploads/2017/05/Parent-Toolkit-for-Student-Privacy.pdf

Top 10 back to school privacy tips and resources https://studentprivacymatters.org/top-10-back-to-school-student-privacy-tips-and-resources-for-parents/

Parents of Disabled Students: Do NOT Grant College Board Unlimited Access to Your Child’s Sensitive Information

We recently received a query from a Chicago parent whose child has a disability, and was seeking an accommodation when taking a College Board test. Her child’s high school asked her to sign a SSD Accommodation Consent form allowing her school to disclose her child’s disability records, as well as any other information in the school’s custody that the College Board requests for the purpose of determining my eligibility for testing accommodations on College Board tests“.  The form also grants the “College Board permission “to discuss my disability and needs with school personnel and other professionals.” 

The Chicago parent was concerned with these overly broad permissions and crossed out portions that she disagreed with. Unfortunately for this parent, she subsequently discovered that her child’s previous high school had apparently already released confidential information to the College Board without asking for her consent.  

We wonder if this has happened to other parents. Have parents been asked to sign this form authorizing the school to release their children’s highly sensitive disability information, or worse, have their schools disclosed this personal information without obtaining parent consent?  If so, please email us at info@studentprivacymatters.org  .

We would like all parents to know that you do NOT have to consent to the school providing College Board unlimited access to your child’s sensitive disability information for the purpose of accommodations. College Board says this is only a sample SSD consent form.

I recently emailed the College Board Services for Students with Disabilities (via their general SSD email) to ask if parents cross out the overly board permissions they don’t agree with, would the form still be valid? The College Board SSD  replied and verified that this is the current SSD Parent Consent Form, reiterated that the College Board does require schools to obtain written consent from the parent before sharing student disability data, and that schools must keep this signed form on file. However,  the College Board SSD email (erroneously) said parents cannot modify the consent form; I knew this to be incorrect because in 2018, I had previously questioned the Colorado Department of Education and College Board about the broad permissions and was told that parents could modify the form.

So, I again reached out to the Colorado Department of Education this past week and asked for their help in contacting the College Board privacy department to verify that parents can in fact modify the form. The complete response from the Colorado Department of Education and College Board can be seen here; relevant excerpts are posted below.  First, the College Board apologized for their earlier, incorrect response: 

“Thank you for sharing the inquiry you received. I apologize that the parent received some misleading information. The Accommodations Consent form shared by the parent is the standard template College Board makes available on the SSD website to all schools. As you know, in Colorado, we have developed an alternate template which is shared through trainings with SSD Coordinators…

The purpose of the consent form is to give schools a sample consent form in order to request testing accommodations on behalf of a student and share relevant information with College Board about their disability and requested accommodation(s). College Board requires schools to agree that they have a “signed consent form or equivalent signed consent on file.” Schools are instructed to keep the parent consent on file for their records. It is not submitted to College Board. Once a student is approved for an accommodation, this accommodation may be used for all College Board assessments throughout the student’s high school career.”–College Board

Then the Colorado Department of Education confirmed that parents could delete the overly broad language in the consent form:

“…if there are any parts to the form to which you do not want to provide your consent, you can cross those portions off, or you can add additional language to meet your needs.  Note that the required information needed by College Board to process any accommodations request is listed at the top of p.2 of the enclosed form. “

(See Required Data listed on page 2 of Colorado Accommodations Consent form but applicable to all requests.) 

We thank the the Colorado Department of Education for their clarification and for confirming that if a parent crosses out the overly intrusive portions (labeled A and B below), this signed consent form would still be valid; one would hope that the right to privacy afforded Colorado students with disabilities would be afforded to all disabled students. We encourage parents to ask your school and the College Board ( privacy@collegeboard.org ) if you can cross out this overly broad language and only provide the minimum required information for accommodations. 

2019: College Board says it changed its disability accommodation review procedures

The College Board said that it had changed its policies and now relies on schools to verify student disabilities and accommodations, according to a May 2019 Wall Street Journal article:

“The College Board said it has to balance the large number of students who really need a special accommodation against a small number who are exploiting the system.

The College Board used to do more checking, the organization said, but found that responding to special-accommodation requests was taking more than a month. The College Board said it relies on schools because they are closer to the medical professionals and teachers who know the students.”

If it is true that since 2019, the College Board is no longer checking into and reviewing accommodation requests and is instead relying on schools to verify these requests,  why are schools still asking parents to sign consent forms from 2017 which give College Board access to any information in the school’s custody? (You can see this form sent to Chicago parents, still posted on the internet, which is dated 2017 on the bottom right.)

Time to Update Consent Form.

Since the College Board confirmed this consent form is just a template and can be modified, we urge the College Board to update the template and remove the overly broad request for any information in the school’s custody and remove consent to discuss with other professionals. 

Additional concerns with how the College Board and ACT share data

We know that the testing company ACT was sued and recently had to pay a $16 million dollar settlement for allegedly disclosing student disability information to colleges. We also know the College Board has been sued for selling licenses to a range of personal student data to colleges and other companies including score ranges — though they insist that a student’s disability status is not included. The company admits sharing access to student disability data with the third parties listed at the end of the consent form.  By requiring that parents give their consent for the release of this data to these companies as well as others unspecified in the consent form, in granting this unlimited access, disabled students are singled out and discriminated against, while their non-accommodated peers do not face this medical scrutiny and do not have to provide College Board access to any other information in the school’s custody.  Concerns about sharing this sensitive information are echoed in this 2016 Education Week article,  regarding the U.S. Department of Justice Civil Rights Division scrutiny of College Board and ACT refusals to allow accommodations in college admission tests. 

Schools must also record disclosures and obtain written parent consent

Schools should never disclose student disability records or evaluations unless specifically required by the College Board and schools must obtain prior written parent consent. Per federal IDEA law part B, in addition to written consent, schools must keep a record of disclosures. They must tell a parent: what information was disclosed, the purpose of for the disclosure, to whom it was revealed, and when this occurred.

Finally, many states are now requiring students take a College Board exam as their federally-mandated high school assessment.  If so, schools must ensure that College Board adheres to specific federal privacy restrictions as specified in both FERPA and IDEA.  See this May 2018 guidance from the US Department of Education regarding privacy and College Entrance exams:

IDEA is a Federal law that protects the rights of students with disabilities…These IDEA provisions also prohibit the unauthorized disclosure and use of PII from the education records of students with disabilities, consistent with FERPA. Thus, if parent consent is required under FERPA to disclose PII from students’ education records, and if a student is covered under IDEA, parent consent would also be required under IDEA to disclose PII in education records collected, maintained, or used under Part B of the IDEA.

Please let us know if you have privacy questions about College Board or ACT admissions tests, or the optional surveys associated with these tests. Also reach out to us if your school asks you to consent to providing College Board unlimited access to any information in the school’s custody to verify your child’s disability accommodations for College Board tests.  If your school did NOT get your written consent before sharing your child’s disability information with the College Board or ACT, let us know that as well. 

In general, parents should be cautious before sharing their children’s personal and sensitive information with companies; only share what is absolutely necessary. For College Board privacy related questions, parents can email the College Board at privacy@collegeboard.org .  Parents can also email us at info@studentprivacymatters.org .

 

 

A Privacy Blueprint for Biden

Privacy And Digital Rights For All

The weakening of The Family Educational Rights and Privacy Act (FERPA) and the Covid19 rush to usher in virtual learning and edtech in place of in-person learning, have created a perfect storm for student data collection and tracking. Students are increasingly subjected to edtech data collection, profiling, and surveillance as a condition of attending a public school. We call on the next administration to protect children and begin implementing these important recommendations within the first 100 days of office.

Leading privacy and civil rights advocates recently called on the next U.S. administration to make protecting digital privacy a top priority. The press release signed by Campaign for a Commercial-Free Childhood, Center for Digital Democracy, Color of Change, Consumer Action, Consumer Federation of America, Electronic Privacy Information Center, Privacy Rights Clearinghouse, Parent Coalition for Student Privacy, Public Citizen, and U.S. PIRG states:

“The Biden administration and the next Congress should make protecting digital privacy a top priority, and 10 leading privacy, civil rights and consumer organizations today released a memo of recommendations for executive actions on Day One, actions during the first 100 days and legislation.

“The United States is facing an unprecedented privacy and data justice crisis,” the blueprint memo reads. “We live in a world of constant data collection where companies track our every movement, monitor our most intimate and personal relationships, and create detailed, granular profiles on us. Those profiles are shared widely and used to predict and influence our future behaviors, including what we buy and how we vote. We urgently need a new approach to privacy and data protection. The time is now.”

“The U.S. urgently needs a comprehensive baseline federal privacy law. The Biden administration and Congress should not delay in setting out strong rights for internet users, meaningful obligations on businesses, and establishing a U.S. Data Protection Agency with strong enforcement powers,” said Caitriona Fitzgerald, policy director, Electronic Privacy Information Center.

“Privacy is a basic human right, and children’s personal information should not be profiled, licensed, sold, commercialized or shared with third parties as a condition of attending a public school. We hope policymakers will move to prohibit the use of student data for marketing purposes and require all public schools and education agencies to adopt strict security and privacy standards,” said Leonie Haimson, co-chair, Parent Coalition for Student Privacy.

“For far too long, companies have deceptively tracked kids and used their sensitive data to exploit their vulnerabilities and target them with marketing. Families are counting on the Biden administration and the next Congress to recognize that children and teens are vulnerable, and to put protections in place which will allow young people to use the internet more safely,” said David Monahan, campaign manager, Campaign for a Commercial-Free Childhood.

The recommendation memo, Privacy and Digital Rights for All, specifically calls for protection of children, teen, and student data, including parent consent before sharing student data:

Action item within the first year: Protect children and teens.

Action 8: Protect Children and Teens from Corporate Surveillance and Exploitative Marketing Practices Recommendations for First 100 Days
•Urge the FTC to begin 6(b) studies on ad tech and ed tech companies’ data practices and their impacts on children and teens before undertaking any rulemaking under the Children’s Online Privacy Protection Act (COPPA).
•Protect students through an executive order that requires the Department of Education (DoE) to:
o Prohibit the selling or licensing of student data;
o Issue recommendations on transparency and governance of algorithms used in education;and
o Minimize data collection on students,ensure parental consent is affirmatively obtained before disclosing student data, and issue rules enabling parents to access and also govern data on their child.
Recommendations for Legislative Action
•Ensure children and teen privacy is legislatively protected as part of a comprehensive baseline federal privacy bill that:
o Establishes the special status of children and teens as vulnerable online users; provides strong limits on collection, use, and disclosure of data, and narrowly defines permissible uses;
o Requires employing privacy policies specific to children’s data on all sites and platforms used by children; and
o Prohibits targeted marketing to children and teens under the age of 18 and profiling them for commercial purposes.
•Strengthen COPPA by raising the covered age to 17 years and under, banning behavioral and targeted ads, banning the use of student data for advertising, and requiring manufacturers and operators of connected devices and software to prominently display a privacy dashboard detailing how information on children and teens is collected, transmitted, retained, used, and protected.
See more recommended principles for protection of children and teens here.

It’s time for the U.S. to take data privacy seriously.  Citizens should have consent and control over collection and use of their data; “pay-for-privacy provisions” and “take-it-or leave it” terms of service should be prohibited.  Finally,  our most vulnerable, our children should be protected, not exploited and surveilled as a condition of attending public school.