NYS legislature considers two student data privacy bills

Sheila Kaplan has been advocating for an “opt-out” law to protect student privacy for a decade now. Could NYS finally be on the brink of passing one?

There are two bills currently in the New York legislature that will be of interest to student privacy advocates in New York. And in other student-privacy related news, NYS is poised to appoint a Chief Privacy Officer. What many readers may not know is that two of these three developments are the result of dedicated privacy advocacy by Sheila Kaplan of EducationNY (@SheilaLKaplan).

One bill to note is A-2628 and its Senate version, S-3119, the “K12 Student Privacy and Cloud Computing Act.” The bill prohibits service providers who offer cloud computing services to primary and secondary educational services from processing student data for commercial purposes. In the context of the bill, “processing” means “to use, access, manipulate, scan, modify, transform, disclose, store, transmit, transfer, retain, aggregate, or dispose of student data.” Importantly, “student data” means “any information or materials in any  media or format created or provided by: (i) a student in the course of the student’s use of the cloud computing service; or (ii) an employee or agent of the educational institution that is related to a student.”

The second bill of note is A-10487 and its Senate version, S-7626, which relate to the unauthorized release of personally identifiable information relating to students. It is an opt-out bill for “directory information,” as “directory information” is defined under FERPA.

The bill text has some important provisions, e.g.:

Within the first month of each school year, each educational agency shall publicly issue a notice, include in the student handbook if applicable, and send home with every student, information stipulating the disclosure procedures for personally identifiable information.  (1) The notice required under this paragraph shall include:

(i) a description of any personally identifiable information that the educational agency expects to disclose during the school year;

(ii) the procedure that a parent of a student or an eligible student can follow to prohibit the educational agency from disseminating disclosable directory information; and

(iii) the procedure that a parent of a student or an eligible student can follow to prohibit the educational agency from disseminating personally identifiable information.

That may seem like something that’s already being done, but it’s not in all districts, as Sheila’s review of NYC’s procedures have highlighted.

The bill permits the school to disclose directory information if the parent does not opt-out within 30 days of the dissemination of the notice.

One critical provision of the bill is that “personally identifiable information maintained by educational agencies, including data provided to third-party contractors and their assignees, shall not be sold or used for marketing purposes, including but not limited to marketing products or services; selling or renting personally identifiable information for use in marketing products or services; creating, correcting, or updating an individual or household profile; compilation of a list of students; or any other purpose considered by the school as likely to be a commercial, for-profit activity.”

That one provision is HUGE in terms of protecting student privacy.

The bill does permit disclosure of directory information “to a non-profit organization that: (i) seeks the information for a specific purpose determined by the school to be beneficial to the student; (ii) states in writing that it has not used or disclosed personally identifiable information from any school in a manner inconsistent with the terms of disclosure within the past five years; and (iii) agrees in writing to use the information only for that  purpose and to return or destroy the information when the purpose has been fulfilled or within one year after receipt, whichever comes first;”

What I find interesting in the above is the “beneficial to the student” language. Does the school have to determine that the disclosure will result in benefit to each and every student for whom disclosure is made or can the school determine that disclosure to “Non-Profit ABC” will provide benefit to students at some point, although not necessarily the student whose information was disclosed? From the language of the bill, I’d argue that the school needs to consider whether each and every student for whom directory info would be disclosed stands to benefit from the disclosure.  If they don’t, then the individual student’s information should not be disclosed. But that’s just my interpretation of the language.

A Determined Warrior

The fact that the opt-out bill is in the legislature and is already advancing in the Senate is due to the tireless advocacy of Sheila Kaplan, who also deserves credit for the state finally getting a Chief Privacy Officer. Because many people do not seem to either know or appreciate what Sheila’s done over the past decade.  PogoWasRight.org asked her to describe her long history of trying to protect NYS students’ privacy, and the state’s responses over time.

As Sheila tells it, her interest in protecting “directory information” began with an errant phone call that disclosed a child’s information to her:

I received a phone call from the New York City Department of Education in the fall of 2006 informing me that my child was absent from a public school. Given my children were in college and had previously attended schools in upstate New York, I became very concerned. After all, if this child they were erroneously calling me about wasn’t in school, and I now knew his name, it would not be difficult to find and possibly harm this child. Given my recent graduate work in information policy and records management at the University at Albany, my interest in the topic was piqued. I was sure there would be a law against this – outsourcing attendance – but there was not.

This incident led me to learn more about “directory information” as defined under the federal Family Educational Rights and Privacy Act (FERPA). One of the first people I called was Joel Reidenberg, an expert in privacy law at Fordham Law School. He was not looking at children’s privacy, but he encouraged me to keep examining this issue. I then spent another year trying to find a state with a law that prohibited disclosing students’ contact information, date and place of birth, and other personally identifiable information. Only a confidentially law in Ohio touched on this – no other state had a law prohibiting disclosure.

I spent many hours on the phone with U.S. Department of Education in the years before they had a Chief Privacy Officer. The best advice they gave me was to make sure I referred to the children as “students,” because I had to use the language of the law, FERPA, which addresses the privacy of students’ educational records and not the privacy rights of the children themselves. Existing consumer protection laws were not applicable to directory information.

At the time, Professor Reidenberg was conducting a study of the Statewide Longitudinal Data Systems for all 50 states, but he was not covering directory information in his study. He encouraged me to continue looking at directory information and to highlight the risks of disclosure of contact information in domestic violence situations. So I followed up with then-State Senator Eric Schneiderman (currently the New York State Attorney General)  to inform him his domestic violence brochure didn’t mention anything about opting out of school directory information. I never received a response from his office.

I started blogging about directory information in 2007.

I also learned from then-New York State Attorney General Andrew Cuomo that there was no state law that prohibits or restricts the disclosure of students’ contact information, date and place of birth when categorized as ‘directory information’ unless parents or guardians “opt out” – telling the school not to disclose the information.

In 2008, I worked with Steve Powers, the counsel to the late state Senator Thomas Morahan, to write the outline of a bill that would prohibit these disclosures. Senator Morahan was very concerned that special education students were at risk and wanted to protect them. Unfortunately, he passed away before the bill was fully developed.

Going forward, I also spoke with education leaders, including then-New York City Schools Chancellor Joel Klein, Mayor Michael Bloomberg, and New York State Regents Chancellor Meryl Tisch. Tisch was extremely helpful putting me in touch with officials at the State Education Department, who again confirmed there was no law protecting these data. I called experts across the country who wrote about directory information, including the Electronic Privacy Information Center and Pam Dixon, founder of the World Privacy Forum.

Finally, when State Senator Suzi Oppenheimer chaired the Senate education committee, her office worked with me and she eventually sponsored S2357, a bill that prohibited the disclosure of students’ contact information without affirmative consent. The bill would allow the disclosure of name, picture, height, weight and additional traditionally disclosed directory information unless a parent or student 18 years old or in college “opts out.” None of these data could be used for sale or to profile students. The bill passed the senate 62-0 in 2011 but did not advance in the Assembly.

With the goal to get a bill passed in the Assembly, I tried – unsuccessfully for five years – to meet with Assemblywoman and Education chair Cathy Nolan to discuss a bill.

The Senate introduced S2357 again in 2012. This time, Assemblywoman Linda Rosenthal sponsored an Assembly bill but, once again, it did not advance.

I didn’t give up looking at directory information, because privacy experts continued to impress upon me the importance of having such a bill. With this in mind, I launched the annual “Opt Out’ campaign and worked with privacy expert Bob Gellman to draft the model “Student Privacy Protection Act.”

Along came inBloom and parents were suddenly awakened to the existence of data sharing. But then the controversy surrounding Common Core and opting out of testing took center stage. I stopped talking about opting out of directory information in New York State because anti-Common Core advocates had hijacked the term “opt-out” for their anti-testing campaign, which I do not support. I turned my attention to advocating for a Chief Privacy Officer for Education in New York State, a recommendation made by Joel Reidenberg in numerous studies. Once again, I worked with Bob Gellman – this time to write a  model bill to create this position. Thankfully, New York State did pass a law in 2014 that included the position of a Chief Privacy Officer for Education.

But I never gave up on informing families about directory information and the reasons why they might consider opting out of disclosure. On the federal level, I submitted comments in response to the notice of proposed rulemaking for FERPA in 2011 in regard to directory information.

Finally, this year, State Senator Carl Marcellino and Assemblywoman Nolan have sponsored new bills that address directory information sharing, S7626 & A10487.  This bill succinctly stops the hemorrhage and use of students’ contact information for profit and profiling. And the bill allows the traditional use of information for rosters and school publications to be shared without consent unless a student has opted out.

While Sheila tells PWR that she is satisfied with the language of the bill, she continues to have concerns about what the NYC Education Department is doing:

However, parents show be aware that New York City schools disclose directory information to the National Student Clearinghouse (NSC) when the organization can get the information as a school official or authorized representative. I’m also bothered by the fact that if New York City students don’t opt out of directory information when notified in February (not the beginning of the school year), they end up in a longitudinal study. I don’t think parents are aware this is happening.

And while we’re on the topic, if NSC is the only use of directory information in New York City, then how are pictures being taken and rosters and honor rolls distributed? Something odd is going on in New York City, so perhaps a state law will help close the holes.

PogoWasRight.org has been following Sheila’s work since she first opened her web site in 2007 and stands in awe of her dedication and persistent efforts to protect student privacy. In addition to her own efforts and collaboration with Bob Gellman, Sheila has also facilitated the work of many others involved in student privacy advocacy, including EPIC, Joel Reidenberg of Fordham Law School, and the World Privacy Forum, who produced their own helpful resources on opt-out from directory information.

Given how useless the state legislature has been for so long, PogoWasRight.org has no idea whether the two privacy bills will pass before the rapidly-approaching end of this legislative session. This blogger hopes they do, but whenever they do, parents in NYS should know that it’s Sheila Kaplan they have to thank for her advocacy for an opt-out bill and a Chief Privacy Officer.