In early 2016 the legislature passed HB 301, a bill that created a study committee to take a closer look at the state’s educational database called the Statewide Longitudinal Data System (SLDS) and other databases that have student information.
The first meeting was held on Wednesday, September 14th and the committee members are Rep. Glenn Cordelli, Rep. Elizabeth Ferreira, Rep. Barbara Shaw, and Sen. Kevin Avard. A quorum was not present so only the scope and preliminary information was discussed. A second meeting was not set, but is expected before the end of September.
What information is collected?
Proponents of the bill suspect the state Department of Education is collecting more information for the database than has been previously stated. The state DOE says they collect roughly 30 to 40 data points on public school students; however, the US DOE gathers massive amounts and types of data re students and faculty across the country, some of which are not related to simple demographics or academic areas: family income (not just whether they qualify for programs like Free and Reduced Lunch); dental, hearing, and vision screening information; disciplinary incidents; the parents’ educational achievement; participation in sports and fraternity/sorority; participation in scheduled well-child screenings, as well as the student’s weight at birth and weeks of gestation. These go far beyond basic demographics and academic records.
The NH DOE states that the creation of the SLDS came about through federal grants and is closely tied to another data-collection project called the Initiative for School Empowerment and Excellence (i4see) program. The state openly says it is student and school level data centralized in a massive database. What exactly do these grants require? This is one of the critical questions the study committee wants to address.
The “Data Dictionary” page on the NH DOE’s website lists several categories of data they collect. Click on each to see what information each category contains; it is an extensive list of data elements. Districts compile these data points on every single student in public schools and the database contains personal info such as address, grade level, etc, as well as the individual classes students take, their grades in each course, and GPA. All of this information goes to the state and is not limited to in-district use.
Homeschool students that participate in high-school classes or co-curriculars are also included in the SLDS database.
The NH DOE also received a grant to offer the 21st Century Community Learning Center program to students in high poverty schools. For these students, the state also tracks 21st Century elements that include “getting along well with others”, “behaving well with others”, and “volunteering” to name a few. While these are good habits and may be correlated with academic success, it is concerning that these subjective behaviors are tracked in a statewide database. This program is used in 24 communities and districts across the state. Do parents know this information is collected and shared with the state and possibly third-party organizations?
Although the state DOE claims they anonymize data through the Unique Pupil Identifier (UPI), it is an inadequate protection of student privacy. As far back as 2000 it was considered relatively easy to reconstruct individual identities with as few as three data points. Even if data is “scrubbed,” a term that means removing personally identifiable information, it is not considered protected. With advancements in technology, integration of databases, and masses of information now collected, it is nearly impossible to truly make data anonymous.
It is possible that the NH DOE is not yet collecting all 400 data points of the US DOE’s system, but they are building the SLDS each year. What limits which information is collected and shared?
Who has access to the data?
Federal law, particularly the Family Educational and Privacy Rights Act (FERPA), provides little protection. The US DOE made dramatic changes in 2008 and 2011 that removed restrictions prohibiting educational institutions and agencies from disclosing students’ personally identifiable information without first obtaining student or parental consent. Now the state has the power to share student information with third-party corporations, not just educational institutions, and not only for academic purposes. Key terms including “school officials”, “educational programs”, and “authorized representatives” are redefined so broadly that third-party administrators of any program offered through an educational institution may have access to student information.
In early 2015 President Obama called for another federal student privacy bill, called the Student Digital Privacy and Parental Rights Act of 2015, but it, too is deficient. So far it has only been introduced in the US House. The bill allows private ed tech companies to gather vast amounts of private student data including attitudes, beliefs, and values, and then sell the data to other companies. This data is not protected as it does not consist of specific academic information such as test scores and final grades, leaving a great amount of other information vulnerable to poachers.
Additionally the US DOE is perpetually creating incentives for states to collect and share more and more student data with them. Grants bring in more money to states for various programs and waivers allow states to avoid some less desirable aspects of federal laws. The White House and US DOE have pushed for more public-private partnerships and the centralization of student data. For example, the NH DOE submits some student information as part of their Every Student Succeeds Act (ESSA) waiver requirements. So what other student information will be negotiated to comply with federal demands or to bring in money for the NH DOE’s budget?
There are several sections of state law that regard the State Longitudinal Data System (SLDS).
RSA 193-E outlines several data elements to monitor if NH students are receiving an “adequate education” as required by the state Constitution and includes attendance rates, number and percentage of graduating students, drop-outs, suspension rates, and more. There is a safeguard that the UPI cannot be required of an individual for doing business or providing a service. In RSA 193-E:5 (o) it states conditions when the DOE may provide student-specific data, such as when a student is applying to another school. However, the statute does not prohibit release of anonymized data or specify that it must be aggregated. And as previously mentioned, it is not possible to make data truly anonymous given today’s technology.
There are two additional state laws — RSA 193-C:10 and 11 — often cited for student privacy; however, they only reference the statewide assessment. Neither applies to all the other bits of information collected on students. Both statutes include statements that they are consistent with FERPA rights, but that is a low bar for protecting NH students’ information.
Incidentally, some NH school districts are using biometric data for such services as lunch program. SAU 16 (Brentwood, East Kingston, Exeter, Kensington, Newfields, Stratham, and Exeter Regional Cooperative School Districts) contract with SL-Tech to use finger scans for the schools’ food services. Although participation is optional, the security risks are obvious.
What are the risks?
There have been incidents of students hacking the system for pranks or to change grades, but there are more serious lapses in security. In 2013 a Long Island district had records hacked and placed online that included medical and disciplinary records. In 2009 an educational service provider accidentally put 18,000+ Nashville students’ sensitive information online for more than two months. The data included names, addresses, birth dates, and social security numbers. In a 2015 Tewksbury, MA incident, it was an apparent administrative accident, but the information was online for a week before it was removed. Like NH’s UPI system, the student names were replaced with numbers, but the data could easily be reconstructed to identify individual students.
And, of course, there are the occasional accidents of lost computers and flash drives by administrators and vendors.
There are also occasions when student information was outright sold to third-party corporations for non-academic purposes. Several states are participating in an inBloom operated database called CompassLearning. The feds have said the database project is consistent with privacy laws and parental consent is not needed for student information to be shared. InBloom has a track record of sharing private student information with for-profit companies without notifying families. In another example, when an ed technology company, ConnectEDU, filed for bankruptcy in 2014, they sold millions of student records as part of the settlement agreement. Some of that information included test scores, GPAs, birth dates, and additional student-level information. In another incident, a CA school sold student data to fund a visit by then US DOE Secretary, Arne Duncan. Although these incidents did not happen in New Hampshire, what will prevent it here? FERPA did nothing to protect the students’ information. These numerous incidents should give NH parents pause.
There is even more concern about students’ private information as the legislature and districts consider offering in-school healthcare services. The education and medical databases become linked and HIPPA privacy rules to do not apply to elementary or secondary schools.
Can parents and adult students opt out?
Presently parents, matriculated and adult students, and former public school students do not have any way of removing their information from the Statewide Longitudinal Data System (SLDS). The bill that created this study committee, HB 301 (2015), originally intended to provide an opt-out, but it had to be diluted to take steps towards improved disclosure and transparency of NH’s SLDS.
Hopefully this study committee will initiate improved transparency regarding the what data is collected, who has access to it, as well as provide better privacy protections and initiate an opt-out.