Fordham Law’s Center on Law and Information Privacy released a study that found state educational databases across the country ignore key privacy protections for the nation’s K – 12 children. The findings come as Congress is considering legislation that would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information.

CLIP found that sensitive, personalized information related to matters such as teen pregnancies, mental health, and juvenile crime is stored in a manner that violates federal privacy mandates. CLIP reports that at least 32 percent of states warehouse children’s social security numbers; at least 22 percent of states record student pregnancies; and at least 46 percent of the states track mental health, illness, and jail sentences as part of the children’s educational records. Also, almost all states with known programs collect family wealth indicators.

Some states outsource the data processing without any restrictions on use or confidentiality for K- 12 children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives.

Professor Joel Reidenberg

“If these issues are not addressed, the results could be catastrophic from a privacy perspective,” said Professor Joel Reidenberg, founding director of CLIP. “We don’t question the legitimacy of collecting data for school accountability, but we urge Congress and state officials to take rapid steps to ensure the data is collected and stored properly and used in compliance with established privacy laws and principles.”

CLIP launched the study in 2008 because state departments of education throughout the country had recently established statewide longitudinal databases to track all K-12 students’ progress over time. The trend has been accompanied by a movement to create uniform data collection systems so that each state’s student data systems can be interoperable.

Often the flow of information from the local educational agency to the state department of education was not in compliance with the privacy requirements of the Family Educational Rights and Privacy Act. One state, New Jersey, diverts special education Medicaid funding to pay for an out-of-state contractor to warehouse data, including medical test results. Many states do not have clear access and use rules regarding their longitudinal databases and over 80 percent of states apparently fail to have data-retention policies and, thus, are likely to hold student information indefinitely. Several states, like Montana, outsource the data warehouse without stipulating privacy protections in the vendor contract. Other states, such as Louisiana and Florida, track a long list of disciplinary matters that could remain on students’ records indefinitely.

Even so, House Bill 3221, or the Student Aid and Fiscal Responsibility Act, contains a section that calls for the expansion and further integration of these databases without addressing these privacy concerns. A Senate version of the bill is expected to be released from committee shortly.

“The CLIP study meticulously documents the states’ disregard for safeguarding children’s most personal data,” said Barmak Nassirian, Associate Executive Director, American Association of Collegiate Registrars and Admissions Officers.  “And yet Congress is poised to fund an ill-thought-through expansion of these systems to include data ranging from pre-birth medical information to education, employment, military, and criminal records.”

The study makes several recommendations for increasing the privacy, transparency and accountability of the databases:

  • Data at the state level should be made anonymous through the use of dual-database architectures.
  • Third party processors of educational records should have comprehensive agreements that explicitly address privacy obligations.
  • The collection of information by the state should be minimized and specifically tied to an articulated audit or evaluation purpose.
  • Clear data-retention policies should be instituted and made mandatory.
  • States should have a Chief Privacy Officer in the department of education who assures that privacy protections are implemented for any educational record database and who publicly reports privacy impact assessments for database programs, proposals, and vendor contracts.

The full report is available here.