Keyonna Summers reports:
Names, addresses, phone numbers and birth dates of Brevard’s nearly 73,000 public school students are available to virtually anyone who asks through a simple public records request.
So far, only the military, colleges and research institutions have asked, but school board members worry about who else might request the data.
They want to revisit the district’s “directory information” policy to ensure that it strikes the right balance between protecting a student’s privacy and supporting a citizen’s right to public information. The district has received nine requests for data already this school year.
Read more on FloridaToday.com.
Such “directory” information has routinely been available under the federal privacy law concerning educational records known as FERPA. Parents can send their child’s school district a notice that they do not want the data shared with military recruiters and others, but most parents either do not seem to know this, do not recognize the importance of it, or just never seem to get around to sending in the opt-out notice.
In light of those who are using children’s identities for identity theft and fraud purposes, I think it’s a good idea to revisit the issue — and not just in Broward. The public interest could be satisfied by aggregated statistics about students in a district or state based on demographics such as numbers of each race, SES, religion, disability classification, etc. Where reporters are working on investigations such as whether children are being illegally enrolled in districts, then the more specific data does come into play, but for the most part, I think the default state should be not to provide “directory” information. Yes, I realize this will make it harder for military recruiters, but the school can have a careers day where military recruiters participate like colleges and employers do.
Not so shocking. Years ago I worked for an educational software company. Our main product had children playing learning games and teachers and parents could track progress on the web. We won a big contract with the Miami-Dade County school district. I was in charge of creating the database tools to import the some 300,000+ student records into our software. In order to do this well and make certain that the fields lined up, I asked for a representative sample of the file I’d be importing. I got the real file in total. The student IDs that the district was using was the student’s social security number. In my possession were names, social security numbers, addresses, and phone numbers. I raised a red flag about this with the school district and was immediately shot down. After all, it was on the school’s servers and they were locked down tight, right? Except that they had sent this file to me in email and it was a text file and it was not encrypted.
Thanks, bd. I am not shocked by any of this, as it’s been the norm since the 70’s as far as I can remember. And I suspect that there are thousands of public school district data breaches each year involving SSN and sensitive student data (such as disability-related info, parental info) that are neither detected nor reported. It does not surprise me that people cannot figure out how their identity info got stolen when huge repositories of such info are probably compromised frequently but no one’s picking up on it or reporting it.
The federal law needs to be updated in light of today’s threats so that it truly protects the privacy of educational records and personal information. And public school districts should have the same obligations to secure data, audit their systems, and report breaches as entities in other sectors. FERPA’s requirements are simply not stringent enough.