The Data Quality Campaign is again lobbying Congress to further weaken the student privacy law FERPA, for even more access to students’ data.  They are suggesting recommendations to Representative Todd Rokita’s (R- IN), H.R.3157 - Student Privacy Protection Act.  

• In line with the group’s mission to track and share individual data of teachers and students, create education/workforce governance systems ensuring data can follow the individual across systems, sectors, and states, (starting in preschool all the way through college),  the Data Quality Campaign’s proposed changes would give researchers, workforce programs, and community programs beyond school more access to personal student data.  Tell Rep. Rokita and other members of Congress NO on HR 3157. Do not further weaken FERPA. (202) 225-5037   @ToddRokita       

Speaker Paul Ryan (R-WI) and Senator Patty Murray (D-WA) have companion bills (HR4174 and S2046: Foundations for Evidence-Based Policymaking Act) is a result of the CEP commission and will create a national student data warehouse. Parents will not be able to opt their child out of this national database that will expand access to researchers, private companies, nonprofits and government agencies.

• Tell Speaker Ryan and Senator Murray and members of Congress NO National Student Database. NO to HR4174 and S2046: Foundations for Evidence-Based Policymaking Act.  Parents should have consent before their child’s personal information is shared. This open access to information should exclude personal student information. 202-225-3031 @SpeakerRyan ; (202) 224-2621  @PattyMurray       
• HR4174 / S2046 (FEPA) is complex, has loopholes for sharing personally identifiable information (pii) to authorized agencies, which can be any contractor, subcontractor, private entity, business, researcher. The purpose of the bill is "Increasing access to data for evidence".
• Quoted excerpts from the bill: http://tinyurl.com/HR1471excerpts
• "Increasing access to data for evidence."
• "The head of an agency shall, to the extent practicable, make any data asset maintained by the agency available, upon request, to any statistical agency or unit for purposes of developing evidence."
• "The head of any agency shall make any data asset maintained by the agency available, upon request, to *any statistical agency or unit* for purposes of developing evidence"
• "The term ‘business data’ means operating and financial data and information about businesses, tax-exempt organizations, and government entities." [SCHOOLS ARE TAX EXEMPT, GOVT ENTITIES]
• "A Designated Statistical Agency may provide business data * IN AN IDENTIFIABLE FORM* to another Designated Statistical Agency under the terms of a written agreement among the agencies sharing the business data that specifies— "
• Agent means an individual—
• “who is an employee of a private organization or a researcher affiliated with an institution of higher learning (including a person granted special sworn status by the Bureau of the Census"..or ..."who is a self-employed researcher, a consultant, a contractor, or an employee of a contractor"

Instead, Congress should restore FERPA to its pre-2011 status and restore parental consent before sharing students’ personal data. Researchers would still have open access to aggregate data; if they need personal information, they would have to get parent consent and approval. Ask your legislator: Whose data is it-the student’s, the corporations’, or the government’s? Data should belong to the student who generated it. Parents should have consent before data is shared. School databases are already being hacked by cyber terrorists.  The safest way to protect data is to not collect it in the first place. Imagine the cost and security risks of a national database.

Rep Jared Polis (D-CO) and  Rep Paul Mitchell’s (R-MI), bill, -with Senate Sponsors Elizabeth Warren (D-MA), Orrin Hatch (R-UT),  Bill Cassidy (R-LA), Sheldon Whitehouse (D-RI)  H.R.2434 - College Transparency Act removes the current ban on a national student tracking database. The Parent Coalition for Student Privacy, a watchdog group, opposes this bill, stating that, “ a national student database would create an unacceptable and unaccountable surveillance system that would place our citizens at risk.” HSLDA also opposes the College Transparency Act.

• Tell Reps. Mitchell, Polis and Senators Hatch, Warren, Whitehouse and Cassidy and all Members of Congress: NO on the College Transparency Act. NO National Student Database.   202-225-2106  @RepPaulMitchell   ;   202-225-2161   @jaredpolis ;  202-224-5824   @BillCassidy        
• This bill lifts the ban on a unit record system and creates a federal database for post- secondary students:

“SEC. 3. HR2434  Repeal of prohibition on student data system. Section 134 of the Higher Education Act of 1965 (20 U.S.C. 1015c) is repealed.  

Background on the bills.

Astonishing amounts of student and family data are already being collected and stored online by schools and this data is also shared and analyzed. Sharing a child’s personal information outside of the school should be a parent’s decision, but it’s not.  As the National Education Policy Center, NEPC,  reported in their latest annual reports, students are Learning to Be Watched: it’s a  Surveillance Culture at School and Asleep at the Switch: Schoolhouse Commercialism, Student Privacy, and the Failure of Policymaking.

Anything in a child’s school record, including medical information, disability and income status can currently be shared without parents even being told.  Anyone who is  “authorized” can access your child’s personally identifiable information and you cannot stop them.  Corporations, researchers at Universities, and nonprofits like the College Board, Pearson, CREDO,  Bill Gates funded-Education Trust,  American Institutes for Research, Amplify and many others have access to a child’s personal information --and parents don’t have to be told about it, nor can parents or students opt out. To see some of the types of personally identifiable information given to these organizations, click here and scroll down and click on the contracts.  This type of data sharing is happening in every school, with every child. It has been happening since lobbyists successfully got the Department of Education to weaken the federal student privacy law, FERPA in 2011.

The 2011 changes to FERPA removed parental consent before a child’s personal student records are shared outside of the school. Many organizations opposed this 2011 weakening of FERPA; see this letter of opposition from the American Association of Collegiate Registrars and Admissions Officers (AACRAO),  and also see here for many more letters opposing the 2011 FERPA change.

An excerpt from one of these letters found on Page 3 of 244 is still relevant today:

“On behalf of our collective memberships of more than 25,000 student affairs administrators employed at colleges and universities throughout the nation, the Consortium on Government Relations for Student Affairs would like to offer our comments and recommendations on the proposed rules section 444 of the General Education Provisions Act, which is also known as the Family Educational Rights and Privacy Act of 1974, as amended (FERPA).

The Consortium for Government Relations for Student Affairs consists of five higher education associations: ACPA – College Student Educators International; the Association of College and University Housing Officers-International (ACUHO-I); the Association for Student Conduct Administration (ASCA); NASPA – Student Affairs Administrators in Higher Education; and the National Intramural-Recreational Sports Association (NIRSA). Together, our members play a key role in educating and working directly with our nation’s students and the varied support networks of family members and other university colleagues.

Concerns and Requests for Clarifications:

1. It appears that these proposed rules would change the ethics of research and the nature of maintaining privacy.  There are guidelines that are followed for human subject research and it appears this would violate those standards by institutional research services losing the ability to control where the data is being released. IRB Research drills home responsible research, addressing clearly research with human subjects, ethical principles, informed consent, working with at-risk populations that need additional protections, HIPPA, beneficence, and the history of why this these practices are important

2. In the section of the proposed rules defining who is an authorized representative, the list of officials is expanded to include not only Department of Education officials but any other public or private entities.  Do public or private entities include commercial entities or those with private marketing interests in the data?  Our institutions have protected our students’ data from these types of requests that lead to studies and marketing opportunities that follow from private entities.  We strongly disagree with the efforts to open the ability for data to be released to those entities outside of state regulated agencies.  

3. The proposed rules appear to require institutions to release data by agreements.  Is there an opportunity for the institution to refuse data to be re-disclosed to a third party by a primary contracting entity?   If not, is there notification to the institution (and/or students) that the data released to a primary contracting entity are being sent to a third party?   In the sections regarding research studies, the rule states if the institution objects to the redisclosure of the data (personally identifiable information) it has provided can rely on the independent authority it has to further disclose the information on behalf of the agency or institution.  The Department is recognizing that this authority may be implied and not explicitly granted.  How then is this allowing an institution to protect the privacy of its students’ data (personally identifiable information)?

4. If the educational institution has a system in place that allows students to limit the release of their directory information (or prohibit the release) would this limit/prohibition also apply to information requests from federal/state/local agencies or contracting entities, public or private as listed in your authorized representative provision? Is there a student “opt out” option?  Where and how does it allow for a student to track and request information from the higher education authority on where their data has been used and for what studies?

5. Most educational institutions try to limit the amount of surveying/evaluation done with their students so as to avoid survey fatigue, coordinate timing, etc.  With this mandated release for research and evaluation purposes (to not only federal/state/local entities but third party entities contracted by the federal/state/local officials), institutions would have no control over the timing and type of surveys/evaluations done with students.

6. The proposed rules expand the definition of educational programs by including, but not limited to, a list of educational options along with job training programs regardless if they are affiliated with the Department of Education.  Please clarify, with this change in the definition, could private entities such as bank or corporate training programs access this data for their own purposes not affiliated with the SEA or LEA?

We respect the immense effort to meet a broader goal of research and studies; however, we question the rules being expanded at the risk of our students’ privacy.   Again, our goals have been to protect student data, allowing them to opt out of their personally identifiable information being included in studies and surveys.  This proposed change of FERPA seems to open the flow of information beyond the control of the institution therefore violating a student’s privacy.”

- The Consortium for Government Relations for Student Affairs on FERPA changes, May 2011

In advocating for the weakening of FERPA in 2011, Steve Winnick, the attorney representing the Data Quality Campaign said they needed to change FERPA because,  “we don’t want parents to get in the way.”

The Data Quality Campaign is funded by Bill Gates, owner of Microsoft and LinkedIn.  

The Data Quality Campaign was launched in 2005, along with 14 organizations, and is instrumental in developing State Longitudinal Data Systems (SLDS) to house student data in every state and they helped create commonly tagged data standards, promoted transferring of student-level data across states and sectors.

Today, the Data Quality Campaign, the same group that lobbied for the 2011 FERPA change that took away parent consent, is now lobbying Congress-- asking Congress to make it even easier to get and share student information.  Now, they want to give researchers more access to students’ personal data. They held meetings all year: The Commission for Evidenced-based Policy (CEP).  CEP was lobbied by special interest groups who want access to student’s personal data.  You can watch one of their hearings here, listen to Feb 9 hearing here (scroll down to AUDIO- listen at the 58 min mark through the 1hour,11 min mark...to hear how they want to use Census data, IRS data, student SLDS data.)  HR4174 is the resultant bill from the CEP commission. The Data Quality Campaign and many other groups who profit from student data lobbied the CEP and want to make a national warehouse for students’ personal information. One data expert called the proposed national database “a pinterest for student data”.   Currently, a national student database is prohibited. Tech funded groups have unsuccessfully tried to lift this ban in previous years. Today, they are again using their money and power to lobby legislators and influence votes. Tell your legislators we don’t want a national database. It’s costly, unconstitutional and unsafe.

• Parents, urge your schools, your boards of education, your friends and family to write letters to the editor, tell state and federal legislators to protect students from predictive profiling and data collection. Stop sharing students’ personal data without consent. Stop the hidden data profiling and algorithms.  
• Ask legislators why existing guidelines and laws are not being followed.

EXISTING LAWS AND GUIDELINES:

1. Conducting experiments on children without express, informed parental consent violates conditions outlined in the The Belmont Report:  Ethical Principles and Guidelines for the Protection of Human Subjects of Research The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research.  https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/index.html

“Informed consent. Respect for persons requires that subjects, to the degree that they are capable, be given the opportunity to choose what shall or shall not happen

to them. This opportunity is provided when adequate standards for informed

consent are satisfied. While the importance of informed consent is unquestioned, controversy prevails over the nature and possibility of an informed consent . Nonetheless, there is widespread agreement that the consent process can be analyzed as containing three elements : information, comprehension and voluntariness...

Voluntariness. An agreement to participate in research constitutes

a valid consent only if voluntarily given. This element of informed con-

sent requires conditions free of coercion and undue influence. Coercion

occurs when an overt threat of harm is intentionally presented by one

person to another in order to obtain compliance. Undue influence, by

contrast, occurs through an offer of an excessive, unwarranted, inappro-

priate or improper reward or other overture in order to obtain compliance.

Also, inducements that would ordinarily be acceptable may become undue

influences if the subject is especially vulnerable.

Unjustifiable pressures usually occur when persons in positions of

authority or commanding influence -- especially where possible sanctions

are involved -- urge a course of action for a subject. A continuum of

such influencing factors exists, however, and it is impossible to state

precisely where justifiable persuasion ends and undue influence begins.

But undue influence would include actions such as manipulating a person's

choice through the controlling influence of a close relative and threat-

ening to withdraw health services to which an individual would otherwise

be entitled.”

2. Hidden predictive data collection and analysis about a student, (including keystroke data, meta data), without the ability for the student and parent or guardian to inspect for accuracy or know how that data is being used, is in violation of The Code of Fair Information Practices.

The Code of Fair Information Practices was the central contribution of the HEW (Health, Education, Welfare) Advisory Committee on Automated Data Systems. The Advisory Committee was established in 1972, and the report released in July. The citation for the report is as follows: U.S. Dep't. of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, computers, and the Rights of Citizens viii (1973).

The Code of Fair Information Practices is based on five principles:

1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
4. There must be a way for a person to correct or amend a record of identifiable information about the person.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.  https://epic.org/privacy/consumer/code_fair_info.html

3. Data ownership: Whose data is it? Data is an extension of an individual’s identity. Data defines an individual. Data is an intellectual property right. When one’s personal data is breached and stolen, (such as Equifax), this is identity theft. Student data, generated by the student, belongs to the student. Data is money (bitcoin, blockchain, data brokers).  Taking a student’s data without consent is a violation of a student’s rights listed in the fourth amendment to the US Constitution.

Fourth amendment. “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” https://www.archives.gov/founding-docs

4. Keystroke data (hidden metadata) about a student is being collected and analyzed without parent knowledge or consent. Online programs have the ability to identify or re-identify students’ data.    Online personalized or adaptive learning, also called Competency Based Learning collects and analyzes metadata about a student, with no way for parents or students to see the data collected or how it is analyzed or shared with third parties and for what purpose.  There are no regulations or laws governing how algorithms (and artificial intelligence) are used, whether these algorithms are fair, biased, or even accurate. Millions of  hidden data points are collected on students, eg:  

DreamBox math collects 50,000 data points / per student hour http://www.philanthropyroundtable.org/file_uploads/Blended_Learning_Guidebook.pdf

Knewton collects up to 5-10 million data points about a child, per day.

https://www.youtube.com/watch?v=Lr7Z7ysDluQ&feature=youtu.be

The End of the Big Test: Moving to Competency-Based Policy http://www.gettingsmart.com/2015/05/the-end-of-the-big-test-moving-to-competency-based-policy/

“Initiated in the dark ages of data poverty, state tests were asked to do all these jobs. As political stakes grew, psychometricians and lawyers pushed for validity and reliability and the tests got longer in an attempt to fulfill all four roles. ...But it is no longer necessary or wise to ask one test to do so many jobs when better, faster, cheaper data is available from other sources. ...Without going through the trouble of tagging data or putting up with the limitations of a closed system, it is increasingly possible to subject to correlate data sequences from different digital learning applications after the fact by analyzing thousands of data points. IMS’s Caliper Analytics standards support both post hoc and real-time data feeds for millions of students daily. Next steps. The first step for a state, according to the The iNACOL State Policy Frameworks is for the state board and/or legislature to, “Redefine Carnegie Units or credits as competencies aligned to state academic standards.”

LearnSphere has the ability to track and connect every interaction a student does online.

“For instance, DataShop stores data from student interactions with online course materials, intelligent tutoring systems, virtual labs, and simulations, and DataStage stores data derived from online courses offered by Stanford University. Click-data stored in these repositories include thousands and even millions of data points per student, much of which is made publicly available to registered users who meet data privacy assurance criteria. ...By integrating data held or processed through these different components, LearnSphere will create a large set of interconnected data that reflects most of a student’s experience in online learning.” http://www.sr.ithaka.org/publications/student-data-in-the-digital-era/

Facebook has teamed up with the Digital Promise, a nonprofit launched by the US Department of Education, to put student data on portable, shareable digital badges.  Let that sink in. http://www.gettingsmart.com/2017/10/digital-promise-and-facebook-developing-new-micro-credentials-program/

Artificial Intelligence—With Very Real Biases 

“Artificial intelligence is quickly becoming part of the information infrastructure we rely on every day. Early-stage AI technologies are filtering into everything from driving directions to job and loan applications. But unlike our water systems, there are no established methods to test AI for safety, fairness or effectiveness. Error-prone or biased artificial-intelligence systems have the potential to taint our social ecosystem in ways that are initially hard to detect, harmful in the long term and expensive—or even impossible—to reverse. And unlike public infrastructure, AI systems are largely developed by private companies and governed by proprietary, black-box algorithms.” https://www.wsj.com/amp/articles/artificial-intelligencewith-very-real-biases-1508252717

Why the State of Surveillance in Schools Might Lead to the Next Equifax Disaster  “These days, fingerprint scanners and cameras are regular parts of school life—on the ceilings watching students walk, and on their laptops analyzing their facial expressions. The tools could yield benefits for safety, performance development and security, but they also raise thorny security and privacy issues.

“Imagine a breach like the Equifax one we just had, but occurring with students’ browsing history, the search strings of the school counselor or geolocation of all students in the school,” says privacy blogger Bill Fitzgerald, noting the risks companies are taking while gathering sensitive information on students. ...Doug Levin, an industry expert who has been carefully tracking data breaches in the K-12 school districts, echoes Fitzgerald’s concern, saying, “It is incredibly hard for even the most tech-savvy companies to secure potentially valuable information. It’s not a question of if a breach will happen, it is sort of like when and how do I respond.” Since 2016 he has identified more than 200 cybersecurity related incidents in schools.” https://www.edsurge.com/news/2017-09-19-why-the-state-of-surveillance-in-schools-might-lead-to-the-next-equifax-disaster

5. Schools and researchers are collecting emotional data about students without parents’ consent. Students’ social emotional states are being assessed by personnel who are not certified, not licensed psychologists; in some cases, emotional states are being determined and predicted by keystroke data. There is no peer-reviewed, independent research that shows this SEL assessment and analysis is valid and reliable.

NWEA MAP SEL pilot uses keystroke data to determine a child’s social emotional engagement by how fast their keystrokes are, and this is applied to other "deep rooted problems" in a student's life.  https://www.edweek.org/ew/articles/2017/09/06/new-tool-alerts-teachers-when-students-give.html

Gathering student brainwaves, using EEG in the classroom to determine SEL

“The headband raises questions from neuroscientists and psychologists, who say little evidence exists to support what the device-and-dashboard combination aims to do. It also raises legal questions, like what BrainCo will do with students’ biometric data.” https://www.edsurge.com/news/2017-10-26-this-company-wants-to-gather-student-brainwave-data-to-measure-engagement

6. Federal ESSA law, states that assessments may not collect attitudes or beliefs about a student or his/her family.  

ESSA, page 24-25:

(B) REQUIREMENTS.—The assessments under subparagraph (A) shall— (iii) be used for purposes for which such assessments are valid and reliable, consistent with relevant, nationally recognized professional and technical testing standards, objectively measure academic achievement, knowledge, and skills, and be tests that do not evaluate or assess personal or family beliefs and attitudes, or publicly disclose personally identifiable information;

7. Student data is not safe or secure. Schools are being hacked by cyber terrorists, demanding ransom, and threatening harm to students. The best way to keep data safe is minimize data collection.

8. Europe has a very strong data protection law, the GDPR, which requires even the big companies like Google, Microsoft, Facebook to get user consent before collecting or sharing their personal data; there is also a large penalty for data misuse: 4% of the company’s gross annual revenue.  If technology companies can respect privacy and be transparent about European citizens’ data, they could readily transfer those practices to the US.