Student Privacy at Risk

New Hampshire is one of 24 states that are participating in the Smarter Balanced Assessment Consortium as part of our 2010 Race to the Top grant application. By making this agreement, the NH Department of Education is exposing our children’s private data to greater risk without adequate privacy protections.

The Cooperative Agreement is a legal contract between the US Department of Education (US DOE), the Smarter Balanced Assessment Consortium (SBAC), and the State of Washington which serves as the fiscal agent, representing all states using the Smarter Balanced Assessment, including New Hampshire.  This document is available at a US DOE website.

The New Hampshire Department of Education mandates that all public schools, including charters, will “fully implement the Smarter Balanced Assessment by spring 2015,” and has been piloting the assessment in several schools across the state as of winter 2013. This is per the NH DOE’s FAQ.

This universal assessment requirement places all public school students’ private information at risk and allows the US DOE, the SBAC, and third-party organizations to access our children’s information. There are several references to student data in the agreement. On page three, item #5 of the agreement refers to “student-level (individual) data.” This is repeated on page 11 in items #3 and #5b. Nothing in the agreement says the data is aggregated. This must be emphasized. There is absolutely nothing in this legal contract that indicates that student information is aggregated before providing access to the federal government, its agencies, the Smarter Balanced Assessment Consortium, or other third-parties. This is made clear on page 10 in item #6 where it states that participants in the Smarter Balanced Assessment Consortium are required to “provide timely and complete access to any and all data collected at the state level to the Department of Education, its designated program monitors, technical assistance providers, or research partners, and to the General Accountability Office.” This is a broad list of agencies and non-government organizations that are empowered to access our children’s information. Even if New Hampshire isn’t giving data to the federal government, this Cooperative Agreement authorizes access to whatever data they want, whenever they want it. Further, note that absolutely nothing in this document allows for parental consent prior to the release of student information.

Buried in the footnotes on page 11, the agreement states everything must comply with the Family Educational Rights and Privacy Act (FERPA) as well as state and local privacy policies. Unfortunately, the protections provided in FERPA have been severely eroded in recent years, allowing student information to be shared with third-party corporations, not just educational institutions, and not only for academic purposes.

In 2008 changes were made to FERPA rules that expanded “school officials” to include “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”

In 2011 other key terms were redefined. “Educational programs” were those programs only focused on “improving academic outcomes.” However, now these programs also include those related to “bullying prevention, cyber-security education, and substance abuse and violence prevention” even if the program is not administered by an education agency or institution. The other critical term that changed is “authorized representatives.” It was previously limited to entities over which educational authorities had “direct control, such as an employee or a contractor with the authority for the purposes of auditing or evaluating federally supported education programs” then limited to the US Comptroller General, the Secretary of Education, and state educational authorities. Now “authorized personnel” may include any individual or entity that educational authorities select as an authorized representative. In other words, just about anyone can have access to student data.

There are additional risks to student privacy. Computer experts widely agree that it is impossible to anonymize data; it can be reconstructed with almost 90% accuracy with as few as three data points. This makes the NH DOE’s use of the Unique Pupil Identifier (UPI) completely worthless as a protection of our students’ privacy. In 2010 the NH legislature passed SB 503 creating the Unique Pupil Identifier in hopes of protecting student privacy.  As this state-wide database continues to expand, it cannot protect New Hampshire students’ information. It can readily be accessed with the reduced FERPA protections and can be hacked by nefarious individuals. Further, given that the information amassed on students now includes over 400 data points, this should be very alarming.

The risk to our students’ private information is not just hypothetical, but reality. In a recent interview, Mr. Richard Innes of the Bluegrass Institute discussed 1999 research by Mr. Lauress Wise that sought to explain a sharp gain in Kentucky’s National Assessment of Educational Progress (NAEP) scores. Mr. Wise used NAEP information to piece together individual student’s identity and corresponding scores with a 86% positive match using only seven student data points.

There was a more recent hack of private student information this past November. Long Island, NY students’ private information was hijacked and posted to a public forum faster than the moderator could shut it down. The leak included students’ health information, disciplinary records, and academic grades. Sadly, this is not an isolated situation. Instances of student database breaches and misuse of database access are becoming more commonplace.

Also, it is inaccurate to state that the Smarter Balanced Assessment Consortium does not have access to individual student information. The SBAC is given each student’s assessments to score and would therefore possess each child’s raw data.

So what can a parent do to protect their student’s privacy?

In early 2012 the legislature enacted HB 542 (2011), the parental opt-out law. Although the NH DOE insists it is not applicable, many believe it may be appropriately applied to these assessments. HB 542 allows parents to opt-out their student from controversial material in the classroom, at their own expense, and work with their child’s school to use an alternative that accomplishes the same learning objective. It is written into local school district policies as Policy IGE.

Parents should be able to use alternative tests, such as the California Achievement Test (CAT-5 or CAT-6), the Iowa Test of Basic Skills, the Stanford Test, or other established standardized tests. These exams have been used for decades across the country. Many are easy and inexpensive to administer, and accomplish the same function as a year-end assessment. The NH DOE has accepted these for years from homeschoolers, so a parent has a very valid argument to suggest these as an alternative. A thorough list of tests and providers is available at a NH homeschool website.

Superintendents, school boards, and parents may not fully realize the risk that the Cooperative Agreement and Smarter Balanced Assessment pose to our students’ privacy. Please share this with your administrators and ask them what they are doing to ensure your child’s information is safe. And if you are not satisfied, opt your child out of the SBA and insist on an alternative.

1 thought on “Student Privacy at Risk”

Comments are closed.