Here’s my take on the data collection/storage/sharing wording in the much discussed and debated NY Assembly bill A8929 that passed in the NY Assembly by a vote of 117-10 this past week. See the full bill here
I’ve copied out the data related sections and added my comments. I had to remove the ALL CAPS to make it easier to read (why is it in all caps like they typed it on a typewriter?)
S 12. 1. Prior to July 1, 2015, the commissioner of education and the state education department are hereby prohibited from providing any personally identifiable information or de-identifiable student information to any third party vendor pursuant to any contract or memorandum of understanding for the purpose of collecting, storing and/or organizing student data or information in order to provide access to such data or information to third party vendors operating data dashboard solutions.
The wording above does not mean the state still can’t collect massive amounts of student, teacher, and parent personally identifiable information (PII). It just indicates NYSED can’t provide it to any third party for a year. Then, this gets revisited again next school year which simply prolongs this and we have to go through this all over again next year. The state can, and most likely still will, collect all the data it wants and will keep using it, just not work it into the new inBloom type systems. They won’t be able to provide the data dashboards to parents for at least another year. The wording below does not halt data collection.
2. A parent of a student, a person in parental relation to a student, or a student eighteen years of age or older may request that such student’s personally identifiable information and/or such student’s biometric record not be disclosed to any third party. The department and/or any school that receives such request shall be prohibited from disclosing such information to any third party unless such disclosure is required by law, pursuant to a court order or subpoena, for the purpose of a state or federal audit or evaluation to authorized representatives of entities identified in section 99.31 (a)(3) of title 34 of the code of federal regulations implementing the family education rights and privacy act, or is necessary due to a health or safety emergency.
The wording above indicates disclosure of PII might be required by law. So, spell it out. Which laws and when applicable?
3. The department shall develop a form that shall be used for requests made pursuant to subdivision two of this section. Such form shall be made publicly available and shall allow such individuals the option to opt-out of disclosure of personally identifiable information and biometric records to any third party or to certain types of third parties. The department is authorized to identify a list of types of third Parties that individuals may opt-out of disclosure of such information and records and such individuals may opt-out of disclosure of such Information and records to any type and/or all of the listed third parties. Such list developed by the department shall not require the Names of such third parties to be listed. Such list may identify the Types of services such third parties provide.
This section above could cripple current school technology practices, which would be bad. The key phrase is “or to certain types of third parties.” In modern-day 2014, we have to permit districts to use tech systems to facilitate transportation, scheduling, and other educational technologies including those used for instruction and learning by classroom teachers (Learning Management Systems, free/paid web based tools, cloud based email systems like Google Apps, etc.)
Wording also indicates NYSED will develop the list of services third party vendors can provide. The state doesn’t have to indicate the name of the vendor (e.g., inBloom) just what they do (e.g., data store). So NYSED can simply list out one of the possible services that parents cannot opt out from as “data store”, “data organization” or any other clever term used to continue their needs for collection, storage, analysis, mining, and sharing. Again, the prior paragraph indicates the storage tied to sharing is on hold until July 2, 2015, so NYSED can simply use next year to work on the list of services necessary and wait for July 2 hoping that no new legislation is brought forward to extend that temporary halt. This is also going to be a nightmare for schools to monitor and track what parent has opted out of what database/system/tool. The better approach is to simply eliminate PII from moving its way up the data levels to the ultimate spot of the NYSED offices. Long term, I’d like to see a rework of the data levels 0, 1, 2, etc so PII never reaches the state level and never leaves the local BOCES offices. I still have not heard from NYSED why they need student/parent/teacher PII.
5. Schools and the department may not under any circumstance disclose personally identifiable information or biometric records to any third party unless such third party has agreed in writing to: a. Provide the department or the contracting school with a breach remediation plan acceptable to the department or the school; b. Report all suspected security breaches to the department or contracting school as soon as possible but not later than forty-eight hours after such suspected breach was known or would have been known by exercising reasonable due diligence; and c. Report all actual security breaches to the department or contracting school as soon as possible, but not later than twenty-four hours after such actual breach was known or would have been known by exercising reasonable due diligence.
This section above is a good common sense approach. I would like to see added to that section details about performing security audits and making the results of such audits public. A state representative should be working with these third party vendors to verify that data is secure and not just take their word that it is.
The major item I think is missing from not just this proposed bill, but any relating to data that I have seen to date, is what our fellow citizens in Oklahoma added to their new legislation on this topic last summer: an explanation of data fields. There bill isn’t perfect, but it better than what they had there. I want to see a law that mandates that ANY state department or entity that collects, stores, share, and uses data or is in contract with any third party vendor to collect, store, use, share any PII related to the citizens of the state outline for citizens the specific types of data it collects (field names), the very specific purpose of the field (so in the NYSED databases they would have to explain in detail why every piece of data is needed), the length of time the data element is keep in the data base, if it is connected to any other state databases, and the specific details about any third party use of the data. Notice should be given to state citizens in much the same way the health care providers and insurance agencies have to notify customers of data use.