Data Practices and Security, House Education Policy Committee Hearing Testimony, 2.25.2016 – Chris Daniels

Many thanks to Chris Daniels who testified about intrusive data collection in our schools and the need for administering Tennessen Warnings prior to the administration of surveys, screeners, questionnaires, testings and other data collection tools.

Chris Daniels:

Thank you madam chair and members of the committee.  I am here to discuss a troubling and dangerous practice that is occurring in our education system regarding the lack of parental notification for 3^rd party surveys as data collection tools utilized by our school systems.

Many years ago, when I was in school, there was no question that if I was reprimanded in school, and my parents found out about it, they would ask what I did wrong and side with the teacher.  My parents trusted that the teacher and the school had my best interest in mind, and respected the teacher’s authority to punish my poor behavior.

These many years later, we hear about a lot of cases where the teachers are now blamed by the parents when a student gets reprimanded for poor behavior.  Yet, the teachers are still trusted to inform and shape those children’s lives through education.  That trust extends to curriculum and testing, and another areas that parents may or may not know about, including 3^rd party surveys.  Many 3^rd party surveys have been given with implied consent, which does not following Minnesota law.

Through this trust, many less than savory liberties have been taken to access intricate and private information from the students and their families.  Unless the parent, parents or guardian are directly informed, or are knowledgeable about their rights, these intrusions can and have come on a daily or weekly basis in Minnesota.

MACC realizes that the family structure, and assigning of responsibility for misbehavior, may have changed over the years.  However, we ask that this this should not result in a view of contempt for the parents or guardians responsible for children in the school system, especially considering these are minors being affected.

The Tennesson warning states:

The government must give individuals notice when collecting private or confidential information from them. This is referred to as a “Tennessen warning notice.” Government may also call it a “privacy notice,” a “notice of collection of private/confidential data,” or something similar. The purpose of the notice is to enable people to make informed decisions about whether to give information about themselves to the government. (See Minnesota Statutes, for 3^rd .)

Search for Tennesson on Bing or Google and you receive 28,700 results.  Yet, according to data privacy experts in Minnesota, it is said that the legal representation for our school districts have told them to ignore it.   So parents, by putting implicit trust in our education system, are having simple and essential parental rights circumvented and voided.

Star Wars, and other movies, warn parents of the appropriate age of children should be that should attend movies.  Parental Advisory labels warn us of music not appropriate for young listeners.  Yet, our children are subject to intrusive surveys and school apps, like Class Dojo, that in effect steal specifically targeted personal and personally identifiable information on a daily basis.  And unfortunately this is viewed simply as part of the daily operation in the current education system.

Were any in this chamber worried about your personal information being utilized by someone looking to profit from your identity when Target was hacked?  When Home Depot was hacked?  Did you know that UPS, SuperValu/Cub, Starbucks, CVS and Neiman Marcus, Hilton Hotels, and many, many others have been hacked?  Yet, we are consistently put our children’s data at risk, many times without knowing where it goes or what it is used for.  Why are we more concerned about our data than our children’s?  Most parents are not aware of the violation of trust, and the data consumption by the schools, and by default the State, and by default the Federal Government?  According to the Tennesson warning notice, they should be.  The question is, why is the basic right of privacy for underage child being blatantly ignored?

This is why we feel that the Survey and Parental Disclosure bill, that MACC is helping to support, is a necessity for passage in the committees and in the omnibus bill for this session.  It is essential we don’t further undermine the value and rights of the parents and guardians that have already been strained.

 

Education Committee on Data Practices and Security                                    

Linda Bell Testimony – February 25^th, 2016 @ 1PM

Yesterday I shared my concerns over data security.  While many of us are indeed concerned and interested in how these behemoth data systems are protected against hackers, I wanted to point out that teachers, staffs and administrators are not being annually training in best practices concerning data security.

When you see two organizations like the ACLU and the Tenth Amendment Center coming forward with model legislation, it’s clear that this is an important issues for constituents across the U.S. as well as in Minnesota.  We hope a data bill would add protection for our state’s children and families! However, until schools are training staffs how to use data, it will not matter if our data systems are protected, for the people closest to the children may be the ones unknowingly leaking student data.

Linda Bell:

Good afternoon Madam Chair and Committee Members.   My name is Linda Bell and I am a career public school teacher and parent.

As a former public school teacher, the issue of data security is very important to me and my family.  I am thrilled that such a hearing is occurring and I thank you for allowing my testimony.

Long gone are the days when I kept my little red grade book in my desk at school.  I closed the desk drawer without even a lock.  Those grades were seen by no one except my students who received paper report cards, the school office and myself.  Today, student grades and other sensitive information are held in student databases within districts, outside districts as well as parent and student portals by organizations like TIES, Infinite Campus, and JMC.  Technology is a great benefit.   However all of this information is now at high risk.  Schools and their data are a target!

Districts such as Wayzata and Minnetonka have had data breaches within the last ten years.  Some breaches are suppressed within districts, with notification only to specific parents.  Rarely are these breaches reported in local or state media.  The public is generally unaware.

Each week we hear from parents who have received no notice regarding surveys, questionnaires, screeners, and testing.  Many of these are violations of the PPRA law.   Do the school districts understand their duty to protect student data?  Do they truly understand FERPA and PPRA?  Our members wonder.

Discussing data issues with my teaching colleagues, I find they know very little about the two big laws that cover student data, namely FERPA and PPRA.  How and when will they learn how to keep their student’s data protected?  Many teachers from multiple districts tell me they have not received such training.

The 40 year old law, FERPA (Family Education Rights and Privacy Act), was initially focused on paper records.  Now that schools use multiple resources online, times have changed.   PPRA (Pupil Privacy and Protection Amendment) protects students from invasive data collection including political and religious beliefs, invasive questions about familial status, sexual attitudes and mental health.

Our own Minnesota Department of Education and US Department of Education have many wonderful resources to help train school staff and administrators.   I want to bring up three items of Best Practice.

I. Best Practices stated for FERPA:

• Annual IT training on security
• FERPA training for entire staff (some states already do this)
• Statewide secure transcripts in encrypted format
• Training is crucial, ongoing staff in-service
• Information should NOT be on laptop; free wifi outlets are a no-no
• Continually manage, assess risk
• Understanding the difference with mobile apps

**Often staff training only occurs when something BAD happens.**

II.  Best Practices for the PPRA:

• Are school’s aware of what teachers are using for online resources?
• Have online resources been vetted by IT/Technology Department?
• ASK: “DOES THIS SERVICE PROTECT MY STUDENTS’ PRIVACY?”

III. Best practices for data notification by a school district include:

1. Annual notification of FERPA
2. Annual notification of PPRA
3. Directory Information notice on opt out

This notification should be prominently featured on each school website.

Do all of our districts have this notification readily available for parents?  No!

Comparing federal and state law, there are several differences governing access to student records, according to Legislative Analyst, Lisa Larson, in 12.2015 document,  Federal and State Government Access to Student Records.  http://www.house.leg.state.mn.us/hrd/pubs/studrec.pdf

“A school must give notice when asking students for information about themselves.  Minnesota law, unlike federal law, contains a notice requirement that is often called the Tennessen warning after the author of the legislation.   A school must give students a Tennessen warning any time it collects  private or confidential data about students.  When a school asks students for such data, it must tell them how and for what purpose it intends to use the data, whether the students may refuse to supply the data and the consequences of providing or not providing the data, and identify those who are allowed to receive the data under federal or state law.”

There are federal and state sanctions for violating data practices law. Under federal law, a school that fails to comply with FERPA can lose all federal education funding.   A harmed individual may file a civil lawsuit alleging tortious wrongdoing, including invasion of privacy, defamation, or libel, or may file a section 1983 (civil rights) action.

So, it would seem that we have state laws, like the Tennessen warning, as well as federal and/or state laws, regarding FERPA and PPRA, that would protect a student’s data.   What we do not have is the training occurring at the local level!

How do we make this happen?  How do we make sure that student data is protected when teachers and administrators have never been trained?  The FERPA Training bill would go far in helping teachers and administrators to safeguard student data by requiring annual training in FERPA and PPRA.

A  teacher’s job now requires managing online resources.  Teachers and schools must have best practices in place to manage risks and liabilities of the students and families they serve.

Thank you.

 

 

 

 

 

Education Committee on Data Practices and Security                                                           Anne Taylor Testimony – February 25^th, 2016 @ 1PM

Thank you to Anne Taylor for offering her testimony and personal story of data breaches in her own Minnetonka school district!  This is one of three testimonies given by citizens before the Education House Policy Committee yesterday.

Anne Taylor:

Thank you madam chair and members of the committee.  I am here to bring awareness and concern surrounding data security in education.  Data security in school is important this day and age.

I am a mom who experienced several data breaches in my child’s school district.  In 2011 through a data breach at the Minnetonka school district I had access to 2 other children’s personal information – children whom I did not know, nor were related to.  I was able to view their names, birthdates, projected graduation date, vaccination records and emergency contacts, as well as email addresses I did not provided to the district.

The second breach, again at the Minnetonka school district, occurred in the fall of 2014 during what’s called a ‘parse process’ when the district upgraded their on-line parent portal system.  My email address and over 2000 parent email addresses – which the district considers to be private information – was shared district wide.

I have worked tirelessly to bring these matters to my districts attention.  While there are prescribed procedures and processes in place, it is evident some districts – including my district, Minnetonka – are not following guidelines leaving many parents frustrated, angry and concerned.  Often parents, because of time constraints and many, who may not know, are left with no other recourse than to file a written complaint with the Federal Department of Education.

Another glaring and scary concern with data privacy has to do with surveys administered through school issued technology devices.  While I am speaking for myself in my district, increasingly there are growing numbers of parents in both our state and nationwide who share concerns about their children’s lack of privacy.  This increase is caused by technology use in the classrooms.

Often it is not made clear to a parent who is vetting apps and websites for on-line supplementary classroom use.  Many parents, including myself and teachers, are not informed on FERPA, PPRA, the right to opt-out as well as a clear explanation where our children’s data is going, how it is stored and how long it is used.

Through surveys children as early as Kindergarten, thru age 18, are being asked information not just on themselves, but their parent’s information without notification or permission.  Many of these surveys violate PPRA.   While some surveys are connected to the school’s curriculum portal site, others are not disclosed at all and without explanation for its use in the classroom.  These surveys ask things from political affiliation and mental health to identifying students who have the worst road rage in a school parking lot.  For elementary students, “Class Dojo” app is being used to track student behaviors which many parents statewide have expressed concerns over lack of privacy and data sharing to a 3^rd party company.

Cumulatively, these surveys take up valuable classroom time, violate student and parent privacy, and are frequently accessed by use of logging into their school issued iPad or chrome book with their student ID number.

This metadata over time creates a picture of a child without ever looking at the individual – similar to creating someone’s health profile without ever looking at patient records.  We question how legal, ethical and accurate this is.  What are the damages of that child and their family if inaccurately profiled, without their knowledge or consent?  What are the damages of that information being shared in multiple data bases hundreds of times over.

These bills we are proposing are to help provide staff with necessary tools in order to abide by current law while keeping transparency and informing parents and/or a child’s legal guardian.

 

Why a Parental Rights Resolution?  Thoughtful reasons to read the Parental Rights Resolution at your party caucus.

Why do we need a Parental Rights Resolution in Minnesota?

1. Public and Private (federal and corporate) hands continue to diminish the role of the family, diminish parental authority in raising and guiding their children’s education, and replace and/or over-write good law with bad.  

Just a few initiatives which remove parental authority in public, charter, private schools, and homeschools in Minnesota are:

• Full-Service Community School model where students receive education as well as full health and medical services, with or without parental knowledge or consent.
• Passive Consent, as encouraged by the MN Department of Education and the 2011 amendment of FERPA, which removes parental consent in many cases.
• The Minnesota World’s Best Workforce -mandated curriculum committee, no longer comprised of a small group of parents and teachers, but increased to nearly 30 members including business and community members, thereby diminishing a parent’s voice.  MWBW supplants academic education with skills-based and emotional/social learning while considering our students, Human Capital.
• US Department of Education grants, like No Child Left Behind (NCLB) and the new Every Student Succeeds Act (ESSA) which supplants a general takeover of state and local district, removing parental voice as well as teacher, administrative and school board.  The ESSA contains policies, comprising over a thousand pages, which very quickly become state law.   Just a few initiatives of the ESSA are intrusive Home Visits, the newly-created Family Engagement Centers, as well as the takeover of private schools and appointment of an Ombudsman to regulate compliance and equity with public school and regulation of secular worldview (even in religious private schools).
•  Lengthening the school day, week and year as proposed by the US DOE and currently being incrementally implemented in some districts here in Minnesota.

2. We have no parental rights statute in Minnesota.

Let’s look at the parental “responsibility” subdivision found in our statutes, which might be our best “parental right” available in statute.  There is no other foundational parental right found in statute other than this “responsibility”.

“120A.22 COMPULSORY INSTRUCTION.

“V. STATEMENT OF RIGHTS

A. Rights of Parents and Eligible Student’s Parents and Eligible Students have the following rights under this policy:

1. the right to inspect and review the student’s education records;

2. the right to request the amendment of the student’s education records to ensure that they are not inaccurate, misleading or otherwise in violation of the student’s privacy or other rights;

3. the right to consent to disclosures of personally identifiable information contained in the student’s education records, except to the extent that such consent is not required for disclosure pursuant to this policy, state or federal law, or the regulations promulgated thereunder;

4. the right to refuse release of secondary students’ names, addresses, and home telephone numbers to military recruiting officers and post-secondary educational institutions;

5. the right to file a complaint with the U.S. Department of Education concerning alleged failures by the school district to comply with the federal law and the regulations promulgated thereunder;

6. the right to be informed about rights under the federal law; and  

7. the right to obtain a copy of this policy at the location set forth in Section XXI. of this policy.”

Here again, this language affords parents no authority with the exception of reading some school district paperwork.  The only rights afforded are those which place the school district in complete authority over the child and remove a parent’s right to guide their own child’s education.

Under the Common Core and especially federal grants, “the state” is now accountable to measure each child’s progress from prenatal on…  cradle to grave.  As the aforementioned initiatives take greater hold in Minnesota, parents will find that not only are their rights to guide and direct their child’s education being infringed, but also that most basic right to raise up their child as they best see fit.

Let’s work together to move Parental Rights forward in Minnesota!

READ THE RESOLUTION AT YOUR PARTY PRECINCT CAUCUS, TUESDAY, MARCH 1st!!!!

Republican Party Resolution Form and Whereas

REPUBLICAN PARTY OF MINNESOTA Resolution

Democrat-Farm-Labor Resolution Form and Whereas

MN DFL Resolution