Data Practices and Security, House Education Policy Committee Hearing Testimony, 2.25.2016, Linda Bell

Education Committee on Data Practices and Security                                    

Linda Bell Testimony – February 25th, 2016 @ 1PM

Yesterday I shared my concerns over data security.  While many of us are indeed concerned and interested in how these behemoth data systems are protected against hackers, I wanted to point out that teachers, staff and administrators are not being trained annually in best practices concerning data security.

When you see two organizations like the ACLU and the Tenth Amendment Center coming forward with model legislation, it’s clear that this is an important issue for constituents across the U.S. as well as in Minnesota.  We hope a data bill would add protection for our state’s children and families! However, until schools are training staff in how to use data, it will not matter if our data systems are protected, for the people closest to the children may be the ones unknowingly leaking student data.

Linda Bell:

Good afternoon Madam Chair and Committee Members.   My name is Linda Bell and I am a career public school teacher and parent.

As a former public school teacher, the issue of data security is very important to me and my family.  I am thrilled that such a hearing is occurring and I thank you for allowing my testimony.

Long gone are the days when I kept my little red grade book in my desk at school.  I closed the desk drawer without even a lock.  Those grades were seen by no one except my students who received paper report cards, the school office and myself.  Today, student grades and other sensitive information are held in student databases within districts, outside districts as well as parent and student portals by organizations like TIES, Infinite Campus, and JMC.  Technology is a great benefit.   However all of this information is now at high risk.  Schools and their data are a target!

Districts such as Wayzata and Minnetonka have had data breaches within the last ten years.  Some breaches are suppressed within districts, with notification only to specific parents.  Rarely are these breaches reported in local or state media.  The public is generally unaware.

Each week we hear from parents who have received no notice regarding surveys, questionnaires, screeners, and testing.  Many of these are violations of the PPRA law.   Do the school districts understand their duty to protect student data?  Do they truly understand FERPA and PPRA?  Our members wonder.

Discussing data issues with my teaching colleagues, I find they know very little about the two big laws that cover student data, namely FERPA and PPRA.  How and when will they learn how to keep their students’ data protected?  Many teachers from multiple districts tell me they have not received such training.

The 40 year old law, FERPA (Family Education Rights and Privacy Act), was initially focused on paper records.  Now that schools use multiple resources online, times have changed.   PPRA (Pupil Privacy and Protection Amendment) protects students from invasive data collection including political and religious beliefs, invasive questions about familial status, sexual attitudes and mental health.

Our own Minnesota Department of Education and US Department of Education have many wonderful resources to help train school staff and administrators.   I want to bring up three items of Best Practice.

I. Best Practices stated for FERPA:

  • Annual IT training on security
  • FERPA training for entire staff (some states already do this)
  • Statewide secure transcripts in encrypted format
  • Training is crucial, ongoing staff in-service
  • Information should NOT be on laptop; free wifi outlets are a no-no
  • Continually manage, assess risk
  • Understanding the difference with mobile apps

**Often staff training only occurs when something BAD happens.**

II.  Best Practices for the PPRA:

  • Are schools aware of what teachers are using for online resources?
  • Have online resources been vetted by IT/Technology Department?
  • ASK: “DOES THIS SERVICE PROTECT MY STUDENTS’ PRIVACY?”

III. Best practices for data notification by a school district include:

  1. Annual notification of FERPA
  2. Annual notification of PPRA
  3. Directory Information notice on opt out

This notification should be prominently featured on each school website.

Do all of our districts have this notification readily available for parents?  No!

Comparing federal and state law, there are several differences governing access to student records, according to Legislative Analyst Lisa Larson in the 12.2015 document, Federal and State Government Access to Student Records.  http://www.house.leg.state.mn.us/hrd/pubs/studrec.pdf

“A school must give notice when asking students for information about themselves.  Minnesota law, unlike federal law, contains a notice requirement that is often called the Tennessen warning after the author of the legislation.   A school must give students a Tennessen warning any time it collects  private or confidential data about students.  When a school asks students for such data, it must tell them how and for what purpose it intends to use the data, whether the students may refuse to supply the data and the consequences of providing or not providing the data, and identify those who are allowed to receive the data under federal or state law.”

There are federal and state sanctions for violating data practices law. Under federal law, a school that fails to comply with FERPA can lose all federal education funding.   A harmed individual may file a civil lawsuit alleging tortious wrongdoing, including invasion of privacy, defamation, or libel, or may file a section 1983 (civil rights) action.

So, it would seem that we have state laws, like the Tennessen warning, as well as federal and/or state laws, regarding FERPA and PPRA, that would protect a student’s data.   What we do not have is the training occurring at the local level!

How do we make this happen?  How do we make sure that student data is protected when teachers and administrators have never been trained?  The FERPA Training bill would go far in helping teachers and administrators to safeguard student data by requiring annual training in FERPA and PPRA.

A  teacher’s job now requires managing online resources.  Teachers and schools must have best practices in place to manage risks and liabilities of the students and families they serve.

Thank you.


Data Practices and Security, House Education Policy Committee Hearing Testimony, 2.25.2016, Anne Taylor

Education Committee on Data Practices and Security

Anne Taylor Testimony – February 25th, 2016 @ 1PM

Thank you to Anne Taylor for offering her testimony and personal story of data breaches in her own Minnetonka school district!  This is one of three testimonies given by citizens before the Education House Policy Committee yesterday.

Anne Taylor:

Thank you madam chair and members of the committee.  I am here to bring awareness and concern surrounding data security in education.  Data security in school is important this day and age.

I am a mom who experienced several data breaches in my child’s school district.  In 2011 through a data breach at the Minnetonka school district I had access to 2 other children’s personal information – children whom I did not know, nor were related to.  I was able to view their names, birthdates, projected graduation date, vaccination records and emergency contacts, as well as email addresses I did not provide to the district.

The second breach, again at the Minnetonka school district, occurred in the fall of 2014 during what’s called a ‘parse process’ when the district upgraded their on-line parent portal system.  My email address and over 2000 parent email addresses – which the district considers to be private information – were shared district wide.

I have worked tirelessly to bring these matters to my district’s attention.  While there are prescribed procedures and processes in place, it is evident some districts – including my district, Minnetonka – are not following guidelines, leaving many parents frustrated, angry and concerned.  Often parents, because of time constraints and many, who may not know, are left with no other recourse than to file a written complaint with the Federal Department of Education.

Another glaring and scary concern with data privacy has to do with surveys administered through school issued technology devices.  While I am speaking for myself in my district, increasingly there are growing numbers of parents in both our state and nationwide who share concerns about their children’s lack of privacy.  This increase is caused by technology use in the classrooms.

Often it is not made clear to a parent who is vetting apps and websites for on-line supplementary classroom use.  Many parents, including myself and teachers, are not informed on FERPA, PPRA, the right to opt-out as well as a clear explanation where our children’s data is going, how it is stored and how long it is used.

Through surveys children as early as Kindergarten, through age 18, are being asked information not just on themselves, but their parents’ information without notification or permission.  Many of these surveys violate PPRA.   While some surveys are connected to the school’s curriculum portal site, others are not disclosed at all and without explanation for its use in the classroom.  These surveys ask things from political affiliation and mental health to identifying students who have the worst road rage in a school parking lot.  For elementary students, “Class Dojo” app is being used to track student behaviors which many parents statewide have expressed concerns over lack of privacy and data sharing to a 3rd party company.

Cumulatively, these surveys take up valuable classroom time, violate student and parent privacy, and are frequently accessed by use of logging into their school issued iPad or Chromebook with their student ID number.

This metadata over time creates a picture of a child without ever looking at the individual – similar to creating someone’s health profile without ever looking at patient records.  We question how legal, ethical and accurate this is.  What are the damages of that child and their family if inaccurately profiled, without their knowledge or consent?  What are the damages of that information being shared in multiple databases hundreds of times over?

These bills we are proposing are to help provide staff with necessary tools in order to abide by current law while keeping transparency and informing parents and/or a child’s legal guardian.