My Review of Proposed Privacy Legislation for Louisiana

My apologies for not getting to this topic (and many others I’ve neglected) sooner. I may have finally bitten off more than I can effectively chew in things I’ve agreed to do. I have the best of intentions, I promise you, but sometimes my eagerness to help everyone runs smack into the limiting reality of my available free time.

While I haven’t been writing as much I have been working with different groups and gathering their input, and researching various stories, laws, and debunking other’s false research and statements. Consider that statement the segue into today’s post.

The Louisiana House Education Committee will be hearing statements and reviewing bills on student privacy, Wednesday March 19th starting at 9am. From what I’ve been hearing this should be a packed house in House, with many parents and parent’s groups eager to attend and be heard.

My good friend and fellow education blogger, Michael Deshotels, has been keeping track of the various education bills and posting them to his website. His last update was on March 10th. A link to that posting follows:

A number of parent’s groups and bloggers I work with have been very supportive of Schroeder’s privacy bill, HB 946. To my eye the first 5 bills Mike lists are very similar in intent and some of the verbiage. . .

HB 555 by Henry, HB 560 by Ivey, HB 946 by Schroeder, HB 384 by Cromer, and SB 455 by G. Smith prohibits certain student data collection and sharing

. . . with a few caveats. The bill proposed by Representative Schroeder defines penalties for violating the statute and is more emphatic about not collecting, storing, or using Social Security Numbers and prohibits anyone but local school districts from possessing student level data. Schroeder’s bill also more clearly defines what should not be collected. Some or all of the other bills lack these details.

HB 946 is appealing for its relative simplicity and clarity. However there are definitely some tweaks that I would make that I think most privacy advocates would endorse:

  • I did not see an exception for certain groups that may require data that will benefit children and parents (i.e. sports/athletic organizations that may require grades, enrollment, grade level and so forth for participation in football or other competitive sports or sharing of data with local medical institutions for care of the student.)
  • Many parents transfer to non-public schools and out of state, so public schools will need to have the defined ability to transfer records on those instances.
  • I did not see a provision for retention or destruction of certain types of records. (I.e. Grades and enrollment records should be maintained indefinitely. Discipline records are supposed to be destroyed according to current law but by virtue of being transmitted to the state they are permanent.)
  • I did not see a provision for students who have graduated being allowed to access or request their own records. I would think once children reach 18, graduate, or become emancipated they should have access to their own records.

I would recommend these legislators work with Representative Schroeder, although based on the strikingly similiar intro’s I suspect they are already.

I highly recommend that Senator Appel’s bill (SB 449 ) meet an untimely death as soon as possible (unless significant modifications are made.) It appears this bill borrows a lot from American Legislative Exchange Council (ALEC) bill called the Student Data Accessibility, Transparency and Accountability Act and clearly has passages submitted by the Louisiana State Department of Education (such as the section related to calculating the 4 year cohort rate).

The ALEC bill does nothing to protect student privacy or parental rights. A more simple and accurate name for this bill would be the Student Data Accessibility to Corporations Act. That makes sense as ALEC’s clients are many of the corporations that want to have unfettered access to student information. Appel’s bill is actually even worse than the ALEC bill (to parents and students, not corporations) in many respects in that it enshrines all the data sharing adventures that LDOE, the Workforce Commission, inBloom and anyone else under the sun might want to embark upon.

The highlighted passages are the deal breakers in my opinion.

Proposed law requires BESE and the postsecondary management boards to develop, publish, and make publicly available policies and procedures to comply with the Federal Family Educational Rights and Privacy Act (FERPA) and any other applicable state and federal laws and policies. Further provides that such policies provide as follows:

(1) Access to student and de-identified data in the student data system shall be restricted to: (a) authorized staff of the state board, the state department, a postsecondary management board, the governing authority of a public elementary and secondary school, or a public postsecondary educational institution, and third-party private contractors working on behalf of these entities who require such access to perform their assigned duties; (b) school administrators, teachers, and school personnel who require such access to perform their assigned duties; (c) students and their parents; and (d) authorized staff of other state agencies as required by law or defined by interagency data-sharing agreements or memorandums of understanding.

You will also note from the above passage that Appel legitimizes all the data collections, sharing and exploitation that LDOE has recently done that has upset so many people in the first place! I can’t see this law appeasing anyone (including yours truly) who was upset by those actions.

This proposed law expressly permits any educational institution to designate anyone they please to have access to student data. This law also allows any non-educational agency to have access to this data (like Workforce Commission) as long as they have an agreement to share this data. That was already the case. However this passage is much weaker than FERPA in that iIt allows for all sharing if a state law requires it, for any reason. SB 449 also allows agencies to access student level data if they simply agree to share the data, for any reason. FERPA at least alludes to the need for an educational purpose be involved. This law makes no such pretext necessary. The LDOE’s sharing of student data with the Workforce Commission, a project being managed by Governor Jindal’s mother, is very troubling to me. This project will potentially allow employers to discriminate on who they hire based on any number of factors unrelated to the acquisition of the necessary technical certifications or graduation requirement or endorsements.

I initially thought Appel’s law defers to FERPA (which was weakened through US ED policy reinterpretations to be nearly useless), throughout his law. However upon rereading I see where it includes FERPA, and does not defer to it as many other laws I’ve seen do. If this law simply refers to FERPA as an additional law to comply with, and not an exception to the law, then I do not see a problem with it. FERPA is currently written to expressly permit State’s to make stricter laws governing privacy. Any law proposed must not allow for an exception for FERPA or the entire bill could be rendered useless, so be on the watch for that wording change.

The proposed “Privacy Officers” are quite simply a waste of taxpayer money. These positions are designed to deflect criticism from BESE, John White and LDOE, and other educational agencies and they report directly to the heads of these agencies which to me is a direct conflict of interest. These positions need to be independently elected and need to report to an entity outside the offices they are charged with overseeing. If Privacy Officers were independently elected or appointed (but not appointed by the Governor) and all data sharing agreements had to flow through these entities to be considered legal, well that could be a whole different story. . .

H.(1) The state board and each postsecondary management board shall

14 designate a chief privacy officer who shall be responsible for ensuring that all

15 student data policies and procedures are followed and every precaution is taken

16 to ensure the privacy and protection of student data.

For those of us critical of LDOE and their often touted (though equally often disproved) successes, or those wishing to conduct research in general, this bill is designed to shield LDOE explicitly from ever providing data to independent researchers or auditors to verify their claims on voucher, charter schools, VAM, SPS scores, etc.

Only aggregate data shall be used in public reports or in response to record requests.

(3) Requires the state board and each postsecondary management board to develop

criteria for the approval of research and data requests from state and local agencies,

the legislature, researchers, and the public. Provides that unless otherwise approved

by the state board or appropriate postsecondary management board, student data

maintained by these boards and institutions under their supervision shall remain

confidential. Further provides that unless otherwise approved by the state board or

appropriate postsecondary management board, only aggregate data may be used in

the release of data in response to research and data requests.

In truth, the other proposed bills would eliminate data sharing as well, but this bill emphatically shields LDOE from ever providing data to anyone except those who will give them glowing reviews about their programs and policies.

This next passage is quite perplexing to me:

Provides that student data does not include, unless included in a

student’s educational record, juvenile delinquency records; criminal records; medical

and health records; student Social Security number; or student biometric information.

So . . . data is not student data . . . unless it is student data? Wow. This passage seems like it was thrown in there to make it seem like the bill addresses the retention and collection of criminal records, juvenile justice records, medical records, SSN’s and biometric data, when it does absolutely nothing about those issues.

Despite the name, Appel’s SB 449 is not a student data privacy bill, it’s whatever the opposite of that is; a student data sharing bill perhaps? SB 449 is a student data sharing bill with a few more rules for folks to jump through in exchange for more opportunities to share data. This bill is clearly designed to please corporations and corporate donors, to okay everything LDOE has done to date, and to facilitate the expansion of data sharing in our state under the guise of protecting the privacy and rights of children. Passage of this bill means inBloom, and anyone and everyone like them, can open up shop immediately and with the State’s blessing.

For those of you wishing to put a stop data sharing, SB 449 is not for you. With some tweaks that bill might be able to better define the conditions under which data sharing can take place, and how such sharing and data collections are conducted and documented in the future. However the clear intent of this law is to enable data sharing and facilitate data harvesting through a more methodical process. This bill does not have an enforcement mechanism, or penalties defined for violations and violators. I see nothing in this proposed law that will restrict the uses of student data or whom can have access to said data. If anything this law expands the possible list of data recipients and data uses beyond what FERPA allows. (Of course it would take years of court battles to resolve that difference and in the meantime the data would already have been released into the wild and essentially irrecoverable.)

I also see SB 449 as removing any feeble barricades that might remain to put the brakes on data sharing. In exchange what you might get out of it is more transparency as to where this data is going and what the initial uses are for this data. It will not prevent unlimited redisclosures of data by vendors and I see no enforcement mechanism to ensure agencies are documenting their disclosures in a timely and complete manner. I also see no mechanism by which parents can opt out of disclosures, and no mechanism by which parents can report possible violations of this law or seek redress, remediation or compensation. This law also does not address whether parents or students can access their data or correct data that is inaccurate. I see nothing about destruction of certain types of sensitive data after specific time (such as discipline or medical records).

I would rather nothing pass than Appel’s bill, SB 449, as written. This bill will quite likely make things worse for the children of Louisiana. If this law passes, or nothing passes, parents need to hold the legislators who stood in the way of protecting their children responsible.