Thoughts on Data Protection Wording of NY Assembly Bill A8929

Here’s my take on the data collection/storage/sharing wording in the much discussed and debated NY Assembly bill A8929 that passed in the NY Assembly by a vote of 117-10 this past week. See the full bill here

I’ve copied out the data related sections and added my comments. I had to remove the ALL CAPS to make it easier to read (why is it in all caps like they typed it on a typewriter?)

_______________________________________________________

S  12. 1. Prior to July 1, 2015, the commissioner of education and the state education department are  hereby  prohibited  from  providing  any personally  identifiable information or de-identifiable student information to any third party vendor pursuant to any contract or memorandum of understanding for the purpose of collecting, storing  and/or  organizing student  data  or information in order to provide access to such data or information to third party vendors operating data dashboard solutions.

The wording above does not mean the state still can’t collect massive amounts of student, teacher, and parent personally identifiable information (PII). It just indicates NYSED can’t provide it to any third party for a year. Then, this gets revisited again next school year which simply prolongs this and we have to go through this all over again next year. The state can, and most likely still will, collect all the data it wants and will keep using it, just not work it into the new inBloom type systems. They won’t be able to provide the data dashboards to parents for at least another year. The wording below does not halt data collection.

_______________________________________________________

2. A parent of a student, a person in parental relation to a  student, or  a  student  eighteen  years  of  age  or older may request that such student’s personally  identifiable  information  and/or  such  student’s biometric  record  not  be  disclosed to any third party. The department and/or any school that receives such request shall  be  prohibited  from disclosing such information to any third party unless such disclosure is required  by law, pursuant to a court order or subpoena, for the purpose of a state or federal audit or evaluation to authorized  representatives of  entities  identified in section 99.31 (a)(3) of title 34 of the code of federal regulations implementing  the  family  education  rights  and privacy act, or is necessary due to a health or safety emergency.

The wording above indicates disclosure of PII might be required by law. So, spell it out. Which laws and when applicable?

_______________________________________________________

3. The department shall develop a form that shall be used for requests made pursuant to subdivision two of this section. Such form shall be made publicly available and shall allow such individuals the option to opt-out of disclosure of personally identifiable information and biometric records to any third party or to certain types of third parties. The department is authorized to identify a list of types of third Parties that individuals may opt-out of disclosure of such information and records and such individuals may opt-out of disclosure of such Information and records to any type and/or all of the listed third parties. Such list developed by the department shall not require the Names of such third parties to be listed. Such list may identify the Types of services such third parties provide.

This section above could cripple current school technology practices, which would be bad. The key phrase is “or to certain types of third parties.”  In modern-day 2014, we have to permit districts to use tech systems to facilitate transportation, scheduling, and other educational technologies including those used for instruction and learning by classroom teachers (Learning Management Systems, free/paid web based tools, cloud based email systems like Google Apps, etc.)

Wording also indicates NYSED will develop the list of services third party vendors can provide. The state doesn’t have to indicate the name of the vendor (e.g., inBloom) just what they do (e.g., data store). So NYSED can simply list out one of the possible services that parents cannot opt out from as “data store”, “data organization” or any other clever term used to continue their needs for collection, storage, analysis, mining, and sharing. Again, the prior paragraph indicates the storage tied to sharing is on hold until July 2, 2015, so NYSED can simply use next year to work on the list of services necessary and wait for July 2 hoping that no new legislation is brought forward to extend that temporary halt. This is also going to be a nightmare for schools to monitor and track what parent has opted out of what database/system/tool. The better approach is to simply eliminate PII from moving its way up the data levels to the ultimate spot of the NYSED offices.  Long term, I’d like to see a rework of the data levels 0, 1, 2, etc so PII never reaches the state level and never leaves the local BOCES offices. I still have not heard from NYSED why they need student/parent/teacher PII.

_______________________________________________________

5. Schools and the department may not under any circumstance  disclose personally  identifiable  information  or biometric records to any third party unless such third party has agreed in writing to:   a. Provide the department or the  contracting  school  with  a  breach remediation plan acceptable to the department or the school;   b.  Report  all  suspected  security  breaches  to  the  department or contracting school as soon as possible but not  later  than  forty-eight hours  after such suspected breach was known or would have been known by exercising reasonable due diligence; and   c. Report all actual security breaches to the department or  contracting  school  as  soon  as possible, but not later than twenty-four hours after such actual breach was known or would have been known by  exercising reasonable due diligence.

This section above is a good common sense approach. I would like to see added to that section details about performing security audits and making the results of such audits public. A state representative should be working with these third party vendors to verify that data is secure and not just take their word that it is.

_______________________________________________________
The major item I think is missing from not just this proposed bill, but any relating to data that I have seen to date, is what our fellow citizens in Oklahoma added to their new legislation on this topic last summer: an explanation of data fields. There bill isn’t perfect, but it better than what they had there. I want to see a law that mandates that ANY state department or entity that collects, stores, share, and uses data or is in contract with any third party vendor to collect, store, use, share  any PII related to the citizens of the state outline for citizens the specific types of data it collects (field names), the very specific purpose of the field (so in the NYSED databases they would have to explain in detail why every piece of data is needed), the length of time the data element is keep in the data base, if it is connected to any other state databases, and the specific details about any third party use of the data. Notice should be given to state citizens in much the same way the health care providers and insurance agencies have to notify customers of data use.

Advertisements
Leave a comment

Have something to say? Please take a moment to comment. Thanks.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: