Minnesota Student Data: Hearing Reveals MDE Behemoth Database and Data System Without Audit for 10+ Years! Has your Family’s Information Been Hacked?
HEARING on Data Practices and Security
Minnesota House Education Policy Committee
February 25, 2016
by: Linda Bell
Today’s hearing uncovered some very important information provided by the Minnesota Department of Education (MDE) regarding the security of our children’s and families’ data. The purpose of the hearing was fact-gathering on MDE data-sharing contracts and system security.
Data has been collected on Minnesota children and families for many years, much to the chagrin of parents who are only now finding out! Transparent information should have been made readily available to parents, who are the authorities over their own children, not the state. Data has been taken without the permission of the parents for years.
When was your school district going to tell you? Did you have to read the information buried on the back page of the school board policy manual, if you can find it? Now the MDE wishes to help parents access the data that they’ve been taking, collecting, storing and analyzing for years… all without your consent.
MDE Assistant Commissioner, Kevin McHenry, and Data Compliance Officer, Kathryn Olson, gave a mind-bending presentation, including the revelation that no audit of the MDE data system, including 3rd party contracts, has occurred in at least 10 years, the length of Ms. Olson’s term of employment. If that wasn’t enough, under legislative committee questioning, we heard that the MDE has 40 to 45 data-sharing contract agreements with 3rd parties. Thanks to numerous questions from the Education Committee, it was divulged that at least one contract shares PII (personally identifiable information) with the University of Minnesota. This is “raw” data, not summary. Two other universities named among the forty or so were the University of Michigan and Stanford. The public has every right to know to whom the MDE is contracting out private student information, and why.
Minn-Link Integrated Data System stores PII (personally identifiable information)! Data Compliance Officer, Olson, stated that the MDE has maintained data contracts, like this contract with U of MN, with third parties for at least ten years.
The MDE presently maintains 40 to 45 contracts where they share our children’s data with universities and organizations, in and out of Minnesota. Olson said she felt comfortable with the integrated data contract with the University of Minnesota, despite it containing PII. Ms. Olson did not answer regarding data contract agreements prior to 2006, which is the same year she began her position.
In fact, we learned that the Minn-Link Integrated Data System is linking individual databases across several state agencies. For what purpose are these databases linked? Who was granted authorization? And by what means? How was this data system authorized to take our children’s data?
The Minn-Link Integrated Data System includes the following databases:
MDE: MARSS Student Academic Records
MDE: Academic Disciplinary Records
MDE: Standardized Test Records (MCA)
MDE: General Education Testing Records (GED)
MHS: Child Protection Records
MHS: Children’s Mental Health Records
MHS: Medicaid Claims
MDJ: Records of Incarcerated Adults
MDJ: Juvenile Court Records
Ms. Olson described FERPA (the Family Educational Rights and Privacy Act) as a permissive law, and indeed FERPA is most permissive toward university research institutions, among which are the University of Minnesota, Michigan and Stanford. From the ed.gov website, http://familypolicy.ed.gov/faq-page/ferpa-parents-and-eligible-students#t41n222
FERPA contains an exception to its general consent rule under which an educational agency or institution may disclose personally identifiable information from education records without consent to organizations conducting studies for, or on its behalf. Studies must be only for the purpose of: developing, validating, or administering predictive tests; administering student aid programs; or improving instruction. A written agreement with the organization is required specifying the purposes of the study and the use and destruction of the information. 34 CFR § 99.31(a)(6)
Consent = Parental Consent
In addition, a research institution is given great leverage to re-disclose information. Minn-Link may be an open portal through which student, family and teacher/school data flows freely, but to whom? If the University of Minnesota is redisclosing data, how do we know that the train of 3rd parties is not redisclosing also? Has the “U” received “prior consent of the parent or eligible student”? According to the Family Educational Rights and Privacy Act:
§ 99.33 What limitations apply to the redisclosure of information?
(a)(1) An educational agency or institution may disclose personally identifiable information from an education record only on the condition that the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the parent or eligible student.
(2) The officers, employees, and agents of a party that receives information under paragraph (a)(1) of this section may use the information, but only for the purposes for which the disclosure was made.
(b)(1) Paragraph (a) of this section does not prevent an educational agency or institution from disclosing personally identifiable information with the understanding that the party receiving the information may make further disclosures of the information on behalf of the educational agency or institution if—
(i) The disclosures meet the requirements of §99.31; and
(ii)(A) The educational agency or institution has complied with the requirements of §99.32(b); or
(B) A State or local educational authority or Federal official or agency listed in §99.31(a)(3) has complied with the requirements of §99.32(b)(2).
(2) A party that receives a court order or lawfully issued subpoena and rediscloses personally identifiable information from education records on behalf of an educational agency or institution in response to that order or subpoena under §99.31(a)(9) must provide the notification required under §99.31(a)(9)(ii).
(c) Paragraph (a) of this section does not apply to disclosures under §§99.31(a)(8), (9), (11), (12), (14), (15), and (16), and to information that postsecondary institutions are required to disclose under the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, 20 U.S.C. 1092(f) (Clery Act), to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.
(d) An educational agency or institution must inform a party to whom disclosure is made of the requirements of paragraph (a) of this section except for disclosures made under §§99.31(a)(8), (9), (11), (12), (14), (15), and (16), and to information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.
(Authority: 20 U.S.C. 1232g(b)(4)(B))
[53 FR 11943, Apr. 11, 1988, as amended at 61 FR 59297, Nov. 21, 1996; 65 FR 41853, July 6, 2000; 73 FR 74853, Dec. 9, 2008; 76 FR 75642, Dec. 2, 2011]
It was very encouraging to witness the House Education Committee gather information from the Minnesota Department of Education on this fact-finding mission. It is hoped that the committee will hold other such hearings to dig into what 3rd party contracts are held by the University of Minnesota, as well as entertain a hearing with the University of Minnesota and some of their 3rd party contractors.