Ohio’s “Student Data Accountability Act” Provides Cold Comfort to Student Data Privacy ConcernsApr 09, 2014
By Nathaniel Stewart
Opponents of the federal government’s Common Core Standards rightly worry that the Obama Administration has found a backdoor into a “national, student-level” database that will house sensitive information about our students. The State Longitudinal Database System (SLDS) is a state-led record-keeping system that will enable educators, researchers, and government agencies to track individual students over time and requires maintaining student education records and “personally identifiable information” or “PII”—and Ohio has one.
Concern regarding such a system extends to the potential for misuse of sensitive student data by federal agencies, researchers, and data mining companies that may access such information through data sharing and research agreements. Accordingly, Ohio’s House of Representatives passed the “Student Data Accountability Act” (H.B. 181) in December 2013. The House deserves credit for taking measured steps to protect Ohio student data and PII against improper data mining or federal data collection, but several broad exceptions and caveats may ultimately undermine the House’s effort.
First, H.B. 181 tries to protect student privacy by prohibiting release of PII for any research requests and limiting any student data release to “aggregate data,” which is data collected at the group or institutional level rather than the individual or student level. Unfortunately, both provisions may be overcome by a simple vote of the state board of education. States and their agencies have proven to be all-too-susceptible to federal and other financial incentives, and board approval may be only another federal grant away.
Second, concerned that the SLDS will provide researchers and outside vendors working on behalf of the state with access to PII-filled databases, H.B. 181 requires the department of education to ensure that any vendor contracts include express security provisions and penalties for noncompliance. It is likely, however, that the department already takes these precautions in order to comply with federal privacy laws, so this particular (and hopefully redundant) safeguard does little to advance the ball.
Finally, H.B. 181’s attempts to keep Ohio student PII from going to Washington bureaucrats will inevitably fall short of the goal. The bill is consistent with federal law in allowing the state to release student data and PII to the “authorized representatives” of federal agencies “in connection with” an audit, evaluation, or compliance review conducted by Uncle Sam. Furthermore, schools may agree to exchange student PII for federal grant dollars if their governing school board approves. Such exceptions and caveats are far too broad to provide more than cold comfort to those concerned with student data privacy.
The U.S. Department of Education is not authorized to create or maintain a “national, student-level” database of student data and personal information. It readily admits this limitation.
Opponents of the federal government’s Common Core Standards initiative, however, rightly worry that the Obama Administration has found a backdoor into just such a “de facto” database—the State Longitudinal Database System or “SLDS,” a record-keeping system that even the government’s own National Center for Education Statistics acknowledges will enable educators, researchers, and government agencies “to follow the progress of individual students over time [and] requires maintaining student education records that include information that identifies individual students.” The SLDS is ostensibly a state-led enterprise—federally-funded, but not maintained by Uncle Sam—circumventing the need for congressional authorization.
Although the Common Core initiative may have drawn much-needed attention to this issue, Common Core itself is not directly responsible for many of the present and potential risks associated with the SLDS or student data privacy in general. Denied statutory authority to create or maintain the sort of national database envisioned by some in Washington, federal stimulus money was offered to states willing to expand their fledgling SLDS programs. The American Recovery and Restoration Act of 2009 (ARRA), for example, appropriated $250,000,000 to the Institute of Education Sciences to provide grants to states for developing their SLDS. Similarly, the Obama Administration’s “Race to the Top” program provides that in order to receive funds under the State Fiscal Stabilization Fund, states were required to pledge that they would establish an SLDS that includes the elements described in section 6401(e)(2)(D) of the America COMPETES Act.
As expected, many states—including Ohio—could not resist such lucrative offers and set to work developing or expanding a growing SLDS “consortium” among themselves—allowing the Department of Education to note blithely that “[c]onsistent with congressional intent, these activities are only being carried out at the [s]tate level, not through the creation of a [f]ederal database.”
Concern regarding “these activities,” of course, extends to the potential for misuse and abuse of student data and “personally identifiable information” (PII) by federal agencies, researchers, and so-called data mining companies that may gain access to sensitive student information through information sharing, consulting, and research agreements carved out with state and federal bureaucrats. Responding to these concerns, Ohio’s House of Representatives passed the “Student Data Accountability Act” (H.B. 181) in December 2013. The House bill deserves credit for taking measured steps to protect Ohio student data and PII against improper data mining or federal data collection, but several broad exceptions and caveats may ultimately undermine the House’s effort.
First, there is some concern that other state agencies and education researchers may receive and misuse sensitive student data. Accordingly, H.B. 181 takes two steps to protect student privacy and provides: “(1) Unless approved by the state board of education, student data maintained by the department shall remain confidential[;] (2) Unless otherwise approved by the state board, the department shall use only aggregate data when compiling public reports and in response to research, data, or records requests.” Together, these provisions seem to prohibit release of student-level data or PII for any research requests, limiting any release to aggregate data, which is data collected at the group or institutional level rather than the individual or student level. These are positive strides. For reasons discussed below, however, it is unclear whether this “aggregate data” requirement also applies to a “records request” submitted by the federal government—it likely does not. Additionally, the requirement that “student data . . . shall remain confidential” does not expressly include PII—an odd omission considering that a subsequent provision states that “the department shall not release personally identifiable information or student data [except under certain circumstances].” And, finally, both of these provisions are substantially weakened by the lead-in, “[u]nless otherwise approved by the state board of education . . . .” States and their agencies have proven to be all-too-susceptible to federal and other financial incentives. State board approval may be only another federal grant or Gates Foundation donation away, a discomforting prospect.
Second, regarding the related concern that Ohio and its participation in any SLDS consortium will necessarily provide “researchers working on behalf of the department” as well as outside vendors with access to databases filled with sensitive student data and PII, H.B. 181 requires only that “[t]he department [of education] shall ensure that any contracts with private vendors that govern the vendors’ use of databases, assessments, or instructional supports that include student or redacted data include express provisions that safeguard privacy and security and penalties for noncompliance.” Of course, the legislation does not specify the “penalties for noncompliance,” nor the precise terms that will “safeguard privacy”—those details are for the department’s lawyers to iron out, so any real progress on this front remains unclear. That the department would not already be taking these very precautions in order to comply with federal law assumes more malfeasance than is fair or warranted, so this particular (and hopefully redundant) safeguard presumably does little to advance the ball.
Third, sponsors of H.B. 181 have trumpeted the bill’s assurances that student data and PII would not be disclosed to the federal government—except under certain circumstances. Co-sponsors explained that under the bill, “neither state law nor any regulation from the Ohio Department may require a public school from giving a student’s personally identifiable information to the federal government” and announced that “[w]ith this legislation, such information will be prohibited from being released to any federal, state or local entity, except in specific and limited circumstances.” Unfortunately, those “specific and limited circumstances are exceptions that swallow the rule.
H.B. 181 does in fact provide that “the department shall not release personally identifiable information or student data to any federal, state, or local agency, or other organization, except [under certain circumstances].” But that provision also specifies “[u]nless otherwise approved by the state board, and to the extent it does not conflict with all relevant state and federal privacy laws and policies, including the ‘Family Educational Rights and Privacy Act of 1974’. . . .” As already noted, Ohio is not immune from the lure of Uncle Sam’s grant money, making board approval available, at least in principle, for the right price. Furthermore, as the bill states, this limitation is subject to the Family Educational Rights and Privacy Act or “FERPA,” and H.B. 181’s exception allows for PII to be released if “[a] federal agency is performing a compliance review.” FERPA and its implementing regulations apply to any educational agency, institution, or program receiving federal funds; and set out federal “requirements for the protection of privacy of parents and students.” The general rule under FERPA states that PII from education records cannot be disclosed without written consent, but one of the many exceptions to that rule is the “audit or evaluation” exception. This exception allows for the disclosure of PII from education records without consent to authorized representatives of the Comptroller General of the United States, the U.S. Attorney General, the U.S. Secretary of Education, and state or local educational authorities. Under this exception, student PII must be used “in connection with”—a broadening modifier—an audit or evaluation of a federal- or state-supported education program, or to enforce or comply with federal legal requirements related to those education programs.
Accordingly, FERPA allows the U.S. Department of Education to ask the state or any of its federally-supported schools for their education records (i.e., student data and PII), which the Department may then disclose—without consent—to a university or other research institute designated as the Department’s “authorized representative” to evaluate how effectively the school is preparing its students. Ohio’s H.B. 181 does not prevent this sort of federal disclosure—it expressly allows it.
But the Ohio House wasn’t quite done trying to claim that student PII wouldn’t reach Washington. Two other provisions in H.B. 181 state:
(A) No public school shall be required by [any state law or regulation] to submit personally identifiable information of a student to any office, agency, or department of the federal government.
(B) To the extent that it complies with [FERPA], no public school, without consent, shall submit personally identifiable information of a student, including any information that may be required to receive a grant pursuant to the federal race to the top program, to an office, agency, or department of the federal government unless the school’s governing board has adopted a resolution approving submission of the same.
Subsection (A) seems to anticipate and prevent the state’s board of education from requiring schools against their will to release PII—though not “student data”—to federal authorities, perhaps in exchange for federal grant funds directed to the board. Subsection (B), however, allows schools to relinquish the information in exchange for federal grants if the school’s governing board approves. Thus, even if not required by state law or board regulation, schools may submit PII—without parental consent—to a federal agency so long as their school boards sign off on the data-for-dollars exchange. Here, any assurance that the bill prevents or protects schools or school districts from releasing their student PII to the federal government is hollow, and must be discounted by the likelihood that schools and school boards will be able to justify releasing that information in exchange for large checks signed by Uncle Sam.
Finally, the fact that public schools collect sensitive and personally identifying information on our children or that federal law allows bureaucrats, researchers, and statisticians to access that information, should not be terribly surprising—they’ve been doing it for decades.
It may be more surprising, however, that federal law already recognizes that states, via their public schools, collect psychological and psychiatric information about their students through individual and group activity or testing “that is not directly related to academic instruction and that is designed to elicit information about attitudes, habits, traits, opinions, beliefs, or feelings.” Federal law allows this data collection, so long as the school first receives parental consent. Such testing may reveal—and the school may legally collect—information concerning political affiliations [of the student or parent]; mental and psychological problems that could be potentially embarrassing to the student or his or her family; sexual behavior and attitudes; illegal, anti-social, self-incriminating, and demeaning behavior; critical appraisals of other individuals with whom the student has close family relationships; legally-recognized, privileged, and analogous relationships, such as those of lawyers, physicians, and ministers; or income, other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under a program.
Perhaps the parental consent requirement assuages data privacy concerns, perhaps it does not. Unfortunately, nothing in H.B. 181 addresses the gathering of this kind of information from our students, and a recent report issued by the U.S. Department of Education suggests that education officials have a growing, Orwellian appetite for it and other types of highly personal information.
Ohio’s House of Representatives has taken at least a few small steps toward addressing data privacy concerns in Ohio schools, but more robust measures are needed, along with a political will to resist the siren song of federal funds.
1. Family Educational Rights and Privacy, 76 Fed. Reg. 232, 75610 (Dec. 2, 2011) (to be codified at 34 C.F.R. § 99) (“[T]he Department [of Education] is not legally authorized to create a national, student-level database, and the Department has no desire or intention to create a student record data system at the national level.”).
2. Id. (“Several commenters indicated that the proposed changes reflected in the [Notice of Proposed Rule Making] [to amend FERPA] would permit data sharing and linking of SLDS across state lines, allowing for the creation of a ‘de facto’ national database of student [personally identifiable information] PII.”). See also Mallory Sauer, Data Mining Students Through Common Core, The New American, Apr. 25, 2013, available at http://www.thenewamerican.com/culture/education/item/15213-data-mining-students-through-common-core; Amy Kronenberger, Common Core Data Collection Hailed by Some, Feared by Others, Daily Std., Feb. 15, 2014.
3. National Center for Education Statistics, SLDS Technical Brief: Guidance for Statewide Longitudinal Data Systems, 1 (Nov. 2010).
4. As the U.S. Department of Education contends: States are not prohibited from establishing their own SLDS or linking SLDS across State lines provided that they do so in compliance with all applicable laws . . . . [I]f a consortium of States choose to link their individual SLDS across State lines, such a system of interconnected SLDS would not be ‘national’ because the Federal Government would not play a role in its operation. Rather, responsibility for operating such a system would lie entirely with the consortium of States. Family Educational Rights and Privacy, 76 Fed. Reg. 232, 75611 (Dec. 2, 2011) (to be codified at 34 C.F.R. § 99).
5. Neither the Elementary and Secondary Education Act (ESEA) nor the Higher Education Act of 1965 (HEA) provides the Department with the authority to establish a federal database of PII from education records. Specifically, “nothing in [ESEA] . . . shall be construed to authorize the development of a nationwide database” of PII from education records. 20 U.S.C. § 7911. Likewise, “nothing in [HEA] shall be construed to authorize the development, implementation, or maintenance of a Federal database” of PII from education records. 20 U.S.C. § 1015c(a).
6. American Recovery and Restoration Act of 2009, 20 U.S.C. § 9607.
7. American Recovery and Restoration Act of 2009, Title XIV, §§ 14005-6, Pub. L. No. 111-5.
8. Family Educational Rights and Privacy, 76 Fed. Reg. 232, 75611 (Dec. 2, 2011) (to be codified at 34 C.F.R. § 99).
9. Defined by the Ohio House of Representatives as “personally identifiable information” includes: “a student’s name, the name of the student’s parent or other family member, the address of the student or student’s family, a personal identifier, such as the student’s social security number or student number, a list of personal characteristics that would make the student’s identity easily traceable, or other information that would make the student’s identity easily traceable.” H.B. 181, § 3301.942(D), 130th Gen. Assem., Reg. Sess. (Ohio 2013-14) (hereinafter H.B. 181).
10. H.B. 181, § 3301.944(A)(1)(2).
11. Id. at § 3301.944(A)(3).
12. Id. at § 2201.944(D).
13. See 34 C.F.R. § 99.31(a)(6) (addressing security requirements for organizations conducting studies for, or on behalf of educational agencies); 34 C.F.R. § 99.67 (discussing penalties for violations of FERPA’s security requirements).
14. Press release, from Ohio Rep. Jim Buchy, Three House Bills Address Common Core (Nov. 20, 2013), available at http://www.ohiohouse.gov/jim-buchy/press/three-house-bills-address-common-core. Press release, from Ohio Rep. Bill Hayes, Rep. Hayes Applauds Passage of Student Data Accountability Act (Dec. 11, 2013), available at http://www.ohiohouse.gov/bill-hayes/press/rep-hayes-applauds-passage-of-student-data-accountabili-ty-act
15. H.B. 181, § 3301.944(A)(3).
17. 20 U.S.C. § 1232g.
18. H.B. 181, § 3301.944(A)(3)(f).
19. 34 C.F.R. § 99.2.
20. 34 C.F.R. § 99.30.
21. 34 C.F.R. § 99.31.
22. 34 C.F.R. § 99.35.
23. H.B. 181, § 3301.945(A) and (B).
24. 34 C.F.R. § 98(c)(1).
25. 34 C.F.R. § 98.4(a).
26. See U.S. Department of Education, Promoting Grit, Tenacity, and Perseverance: Critical Factors for Success in the 21st Century (Feb. 2013). Another source of data about students’ perseverance is school records about grades, standardized test scores, attendance, dropping out, discipline problems, social services used, and so on . . . . Data at the institutional level is becoming increasingly streamlined and cross-referenced, improving the capacity to link student data within and across systems.
Data from school records provides new possibilities for rich longitudinal analyses of educational impacts, as well as for informing early warning systems that can be used to identify students who are not managing to persevere in the face of all of the challenges of schooling. These records, however, are only broad indicators of perseverance and do not tell the richer story of an individual’s characteristics or how an individual’s interactions with features of the learning environment contribute to these outcomes.
Educational data mining (EDM) and learning analytics within digital learning environments allow for “micro-level” analyses of moment-by-moment learning processes.
Student data collected in online learning systems can be used to develop models about processes associated with grit, which then can be used, for example, to design interventions or adaptations to a learning system to promote desirable behaviors.
Id. at 40-41.