Privacy advocates say the increased collection, storage, and sharing of educational data pose real threats to children and families, from identify theft to nuisance advertising, misguided profiling to increased surveillance of everyday activities.
There is even the potential for physical harm to students, alleges one Arizona legislator who authored a recently passed privacy law in response to complaints that low-income children had been subjected to unnecessary dental work by corporate-affiliated 鈥渕obile dentists鈥 relying on easy access to school records.
But while some parents, advocates, and academics are raising alarms that sensitive student data are being poorly safeguarded and improperly shared, it remains difficult to document the scope of the harm caused by the misuse of such information.
For a decade, proponents have called for more and better use of data in K-12 schools, arguing that good information is critical to personalizing student learning, providing teachers with real-time feedback, and helping policymakers make smarter decisions. All states now have longitudinal data systems that track students鈥 performance over time, and much of the technology that has flooded classrooms now records even children鈥檚 smallest digital actions.
In recent months alone, however, districts and their vendors have lost laptops and flash drives containing student information, accidentally posted children鈥檚 health information and Social Security numbers online, and improperly released individual student test scores.
An increasingly widespread business model is also cause for concern, privacy advocates say. In December, the Electronic Privacy Information Center, a Washington-based nonprofit, filed a complaint with the Federal Trade Commission accusing the popular financial-aid website Scholarships.com of selling sensitive student information to third-party marketers without adequate disclosures.
Experts say it鈥檚 difficult to know exactly how frequently school systems have their data compromised. Such instances can happen without anyone knowing, and they鈥檙e not always reported. But a review of recent news reports found some troubling incidents:
Loudoun County, Va.
The 71,000-student Loudoun County public schools was thrust into damage-control mode last month after an outside vendor, New York City-based Risk Solutions International, inadvertently uploaded and left unprotected some schools鈥 emergency evacuation plans, as well as 鈥渄irectory information鈥 that included students鈥 names, addresses, telephone numbers, dates and places of birth, course schedules, and attendance histories, according to the Washington Post.
Rich Contartesi, the Loudoun County district鈥檚 assistant superintendent of technology services, told 澳门跑狗论坛 that the biggest lesson learned is that districts must be vigilant in overseeing third-party contractors.
鈥淵ou want to make sure that you know something about the business practices, processes, and physical plant of the companies that have your most sensitive information,鈥 he said.
Chicago
Last November, the district reported that 2,000 students participating in a free vision-examination program offered by the city had their names, dates of birth, gender, and ID numbers, as well as information from their exams, accidentally posted online.
Florida
In June, the Tallahassee Democrat reported that roughly 47,000 participants in state teacher-preparation programs had their personal information鈥攊ncluding names and in some cases Social Security numbers鈥攑osted on the Internet for two weeks last spring. The information was being stored by Florida State University.
Long Island, N.Y.
The 12,000-student Sachem Central School District suffered three data-security breaches in recent months, including one in which the names, ID numbers, and designations for free-lunch programs of 15,000 former students were posted online, according to a Newsday report.
A 17-year-old student from Sachem North High School was arrested and accused of illegally downloading and posting the information last November, and pleaded not guilty to the charges, according to reports.
SOURCES: 澳门跑狗论坛 and news reports
鈥淲e don鈥檛 have good data on how often this is happening in schools,鈥 said Joel R. Reidenberg, a professor of law and technology policy at Princeton and Fordham universities. 鈥淏ut essentially every adult American has had their financial information compromised. There鈥檚 no reason to think the educational world is any better.鈥
Inappropriate Access
In 2012, the Gagnon family of Camp Verde, Ariz., became the face of public outrage over reports that some corporate-affiliated mobile dentists were performing unnecessary鈥攁nd often traumatic鈥攄ental work on children from poor families in order to maximize reimbursements from the federal Medicaid program.
The Gagnon family sued Phoenix-based ReachOut Healthcare America, a company that provides administrative support to mobile dentists, after their medically fragile 4-year-old son, Isaac, was given two unauthorized and unnecessary 鈥渂aby root canals鈥 while being forcibly held down inside his school. The suit has since been settled, according to the family鈥檚 attorney, who declined to comment on the specifics of the case.
In June of last year, the U.S. Senate Judiciary Committee concluded an investigation into complaints involving ReachOut Healthcare and four other corporate dental chains operating across 23 states. The committee found that the traumatic treatment endured by the Gagnon family was 鈥渘ot necessarily widespread鈥 among ReachOut Healthcare鈥檚 affiliated dentists, but criticized the company for failing to provide adequate oversight.
The committee also recommended that Nashville, Tenn.-based Church Street Health Management be excluded from the Medicaid program after a review of treatment records found that two-thirds of the baby root canals, or pulpotomies, performed at a Phoenix clinic operated by the company were likely unnecessary. The company, now known as CSHM, has since gone through bankruptcy proceedings and taken on new management, allowing for continued participation in the Medicaid program, said Perry Hall, a senior strategist for the public relations firm Lovell Communications.
Arizona state Sen. Kimberly Yee, a Republican, said inappropriate access to student records helped fuel the abuses by mobile dentists in her state and elsewhere.
ReachOut Healthcare鈥檚 practice is to 鈥渕ake friends with employees on [school] campuses, particularly those in administrative or nursing offices, take them to lunch, and thereafter ask for student information databases,鈥 Ms. Yee maintained.
In response, she sponsored a bill, signed into law last year, strengthening the procedures for reporting violations related to the release of student directory information鈥攚hich typically includes name, address, and phone number鈥攖o third-party vendors. Under the federal Family Educational Rights and Privacy Act, or FERPA, schools may disclose such information so long as parents are provided the opportunity to opt out of any such releases.
Ms. Yee said her goal was to maintain 鈥渢he privacy of students on campuses from outside vendors who want to obtain [directory] lists to increase their client bases.鈥
In an email, company spokesman Eric Tolkin wrote that 鈥渟tudent directories are only used in approximately 2 percent of schools served by dentists affiliated with ReachOut Healthcare.鈥
That would still involve thousands of students: In Arizona alone, dental teams affiliated with the company provided services to more than 100,000 children in 2010 and 2011, according to Mr. Tolkin.
In part because of parent complaints about unwanted solicitations made using student directory information, a number of districts, including the 37,000-student Peoria Unified School District outside Phoenix, have severed ties with the company.
鈥淲e let them know we wouldn鈥檛 be able to continue the relationship given what seemed to be an abuse of that information,鈥 said Danielle Airey, the Peoria district鈥檚 director of public relations.
Security Breakdown
Privacy advocates, though, offer few such specific examples of children being harmed as the direct result of having their personal information compromised.
The fallout from identity theft, for example, might not be known for years, especially when it involves children, said Mr. Reidenberg, the Fordham professor.
That鈥檚 cause for concern, he said, given the volume and scope of accidental data breaches in K-12 systems. In 2009, for example, the Philadelphia-based Public Consulting Group, a private contractor of the Tennessee Department of Education, inadvertently left the names, addresses, dates of birth, and full Social Security numbers of more than 18,000 Nashville Public Schools students available online for more than two months. Affected families were notified of the breach and given free identity-theft and online-credit monitoring, according to Nashville school officials.
Just as alarming, advocates say, is that many businesses now encourage children, families, educators, and district officials to pay for online content and services with personal information.
Unfair Practices
In its FTC complaint over the 鈥渄eceptive and unfair鈥 business practices of Highland Park, Ill.-based Scholarships.com, the Electronic Privacy Information Center, or EPIC, accused the website of encouraging its 14 million users to provide sensitive information, then using an affiliated entity of the company known as American Student Marketing, or ASM, to sell that data to third-party marketers without adequate disclosures.
The site invites users to indicate their sexual orientation, if they are clinically depressed, if they have a drug addiction, and if they have parents who are illegal immigrants, among other pieces of information. According to the complaint, ASM then sells that information to marketers.
In an email, Scholarships.com said users have the option to provide the sensitive information referenced in EPIC鈥檚 complaint, that such information is collected primarily to direct users to relevant scholarship opportunities, and that most third-party marketing comes from postsecondary institutions.
In a telephone interview, company vice president Kevin N. Ladd also suggested that using individuals鈥 personal information to support targeted advertising is hardly unique to Scholarships.com.
Data proponents acknowledge the growing furor around privacy concerns, but say better security practices, clearer consent procedures, and improved contracting protocols can mitigate risks without dampening data鈥檚 educational benefits.
Ms. Barnes of EPIC, though, stressed the need for a wide perspective on what those risks actually are.
鈥淔rom our standpoint, the initial harm comes when the law is violated and when student consumers lose control over their data,鈥 she said.
