The Unique Pupil Identification (UPI) system is a privacy risk to every student, and an opt-out must be available. HB 301 (2015) would allow parents to exclude their child from the UPI and other state Department of Education databases.
The state Department of Education and local districts claim it will jeopardize their Average Daily Membership in Attendance records and funding. However, these databases do not need to be the same; attendance does not require extensive personal information or ties with other state databases, as is the case for the UPI and Statewide Longitudinal Data System (SLDS) currently in use.
Computer experts widely agree that it is impossible to anonymize data; it can be reconstructed with almost 90% accuracy with as few as three data points. This makes the NH DOE’s use of the Unique Pupil Identifier (UPI) inadequate as a protection of our students’ privacy. In 2010 the NH legislature passed SB 503 creating the Unique Pupil Identifier. It was part of the Statewide Longitudinal Data System grant application. The information amassed on students now includes over 400 data points. This database goes far beyond attendance information, ordinary demographics, or contact information that might be helpful to the local school district. This database includes information regarding the “family income range” and “voting status.”
The risk to our students’ private information is not just hypothetical, but reality. In a recent interview, Mr. Richard Innes of the Bluegrass Institute discussed 1999 research by Mr. Lauress Wise that sought to explain a sharp gain in Kentucky’s National Assessment of Educational Progress (NAEP) scores. Mr. Wise used NAEP information to piece together individual students’ identity and corresponding scores with a 86% positive match using only seven student data points. Computer security is at even greater risk than it was fifteen years ago as these databases are connected with other agencies and more information is collected.
NH statute RSA 193-E:5 refers to the Unique Pupil Identifier (UPI) as a way to safeguard students’ personally identifiable information. As outlined above, it is no protection for anonymizing our children’s private data.
Another state statute refers to student privacy. RSA 193-C:10 states “These rules shall provide parents and legal guardians with no fewer rights accorded to them under the Family Educational and Privacy Rights Act (FERPA), 20 USC 1232g. Unfortunately, the protections provided in FERPA have been severely eroded in recent years, allowing student information to be shared with third-party corporations, not just educational institutions, and not only for academic purposes.
The US Department of Education’s dramatic changes to FERPA in 2008 and 2011 no longer provides protection for our students’ private information. These FERPA changes removed restrictions that prohibit educational institutions and agencies from disclosing students’ personally identifiable information without first obtaining student or parental consent. Now the state has the power to share student information with third-party corporations, not just educational institutions, and not only for academic purposes. Key terms including “school officials”, “educational programs”, and “authorized representatives” are redefined so broadly that third-party administrators of any program offered through an educational institution may have access to student information.
Another NH statute references student data and assessment results. RSA 193-C:11 only addresses the state DOE’s option of deleting records periodically for database management. It also gives parents the option to access their child’s assessment results. It does not allow a parent or adult student to opt-out of the database or remove their records upon request.
Further, the US Department of Education initiated a program in 2012 called the Education Data Initiative. This has greatly expanded the data collected about our students and the access to this information. It is an unprecedented compilation of student data and, given the eroded protections of FERPA, exposes our children to unparalleled privacy risks.
In January 2015 President Obama spoke of a draft federal law called the “Student Privacy and Innovative Act.” Unfortunately, this would still allow vendors to use student information for non-educational uses.
There was a massive breach of private student information in November 2013. Long Island, NY students’ private information was hijacked and posted to a public forum faster than the moderator could shut it down. The leak included students’ health information, disciplinary records, and academic grades. Sadly, this is not an isolated situation. Instances of student database breaches and misuse of database access are becoming more commonplace.
President Obama talked about the importance of cyber security in his 2015 State of the Union address. The potential harm is enormous and extensive.
Just as adults are concerned about protecting their private information, New Hampshire must take greater steps to protect our students’ information. Part of that protection is allowing an opt-out from the databases and the UPI. It does not need to pose any disruption to the attendance reporting requirements.
Please contact the House Education Committee urging them to support HB 301 and issue an Ought to Pass (OTP) recommendation. They are expected to vote on February 10, 2015. The entire committee can be emailed at HouseEducationCommittee@leg.state.nh.us.