I know its reaching, but I thought I’d give everyone a little Easter reference with this surprise post.
Before I left LDOE 3 years ago I was asked to help assemble some de-identified data for a research outfit named CREDO. At the time most of my colleagues didn’t know who CREDO was or what they were all about. (It turns out they are a pro-charter funded propaganda machine masquerading as legitimate researchers.) We had a standing policy not to provide this type of data to anyone. . . except a few local research universities like ULL we had established contracts with – to provide analysis services to LODE for specific grants.
Then came John White and CREDO. We’d been telling CREDO “No” for years because the amount of data they wanted was excessive and the time involved with compiling it was also going to be pretty steep. John White was not the State Superintendent when he started giving orders through Erin Bendilly, a Jindal appointee. This request was one of those, and it was coordinated, reviewed, and delivered by Kim Nesmith, the “Data Quality Director” and department’s FERPA enforcer. (The fact that this request was being forced through quickly on John White’s behalf was confirmed by both Kim and Devora Davis, head CREDO researcher, in a conference call.)
US DOE requires State agencies to select a number between 1 and 10 to mask all their student level data to conform to FERPA. Kim actually required the department go one step further. She insisted we mask by using less than (<) and greater than (>) symbols in the ones digits in most numbers reported. (We can still derive the specific numbers from the percentages and enrollment numbers but I won’t tell if you won’t)
(You can Download the full report example if you’d like.)
Another provision of FERPA calls for agencies to restrict access to data – keep it private from those that don’t need that access to perform their specific role or function. While I dealt with the student data of all students, I did not need to have access to their medical records or diagnoses, or their specific Special Education classifications. This role was handled by the folks that worked directly with this data and these students in our SER system or those folks who produced necessary reports to the Finance department. For the nine years I worked there, I did not have access to that data.
New Orleans based, Research on Reforms filed a lawsuit to discover just what data LDOE had released to CREDO. When ROR eventually prevailed I learned what else LDOE had provided to CREDO. (LDOE first denied the existence of this MOU until I agreed to testify for Research on Reforms. Then LDOE argued that they could choose whomever they wanted to evaluate their programs and did not need to provide equal access to anyone else to cross examine the claims. The first judge agreed, but the appeals court overturned this ruling.)
It turns out LDOE violated their own very expansive MOU. What follows is a description of a few things that should not have been sent.
For instance, it turns out that LDOE sent quite a bit of detailed data on non-public students, their DOB’s, their teachers, their special education conditions, schools, etc. Non-Public schools were not part of the research project and not part of the MOU.
Here’s a snapshot of some of the NPB (Non-Public School) records. Hundreds of non-public schools’ data was disclosed – without their knowledge I would imagine.
And here is some of the specific data elements they handed over on nonpublic and public students – some of which is specifically prohibited and some of which should have been because it was outside the scope of the study. This shows the full Date of birth (not just month and year) as well as any section 504 classifications and also identifies one student as blind and another one as deaf. (Note: these records are from completely different sections and do not match up to any of the schools shown above.)
Of course if that’s not enough, they also included the specific teacher and the course they took with that teacher for each student. (Note: each snap shot is from different records to prevent identification of students. Something LDOE might have considered.)
To make sure researchers could identify and use all these codes, LDOE created a decode file with useful tables like this one for Special Education classifications.
You will note in the study, none of this info is necessary, and if you look at the final CREDO reports none of it was used – but it was provided unnecessarily.
LDOE also can’t make the claim they did not know what they were providing or that they were unaware that to provide it was a violation of FERPA. Most of the files, like the one containing Special Education data, carry a pretty convincing warning.
This report contains personally identifiable information or information that when combined withother reports and/or information a student’s identity might be revealed. Personally identifiable studentinformation must be kept confidential pursuant to the Family Educational Rights and Privacy Act (FERPA)codified at 20 U.S.C. 1232g. Information in this report cannot be disclosed to any other person,except for employees of a student’s school or school system who must have access to that information in order to perform their official duties and for those other persons and entitiesspecified in 20 U.S.C. 1232g.
In this case, LDOE provided this information without any masking for every school in the state (including Non-Publics). They provided a file that contains the school, school year, grade, age, ethnicity, disabilities, gender. They provided this information for counts as low as one single student.
You would think a Student Privacy Director and Data Quality Director would know better, wouldn’t you?
According to the MOU, here is the scope of the study:
The dubious nature of the decision to provide all the data they agreed to provide aside, I don’t see any reason to provide private school data, let alone disabled student data. Do you?
This is an example of why LDOE needs to be fully transparent and properly overseen. There is no telling how many other data sharing agreements LDOE has entered into that most of us are completely unaware of. LDOE is apparently incapable of even adhering to their own internal privacy decisions and their own MOU’s. This is not an example of a rogue department providing data accidentally. This is an example of LDOE’s top privacy guru, the Student Privacy and Data Quality Director reviewing and assembling the data, personally, before handing it over to strangers in California.
It’s only a combination of chance and persistence that I stumbled across the details of this agreement and am able to share my findings with you. How many more agreements like this are out there that are unknown to us? How poorly have they been reviewed? I can’t actually say. Someone outside of LDOE needs to review these types of disclosures (All of them) – before they happen. It is important for the public to have an accounting of both what was promised, but also what was actually delivered. Frankly, if LDOE doesn’t understand their own data, they shouldn’t be providing it to others. I also question whether they should be collecting it all or storing it for decades in the first place.
9 thoughts on “LDOE Lays an Egg: Violates FERPA and Their Own MOU Providing Data to CREDO”
Whoa… so this means they essentially sent EVERYTHING on ALL STUDENTS in ALL REGISTERED SCHOOLS to CREDO?
I’m assuming the ULL unit that LDoE sent data to back before White’s arrival was the Picard Center for its longitudinal research?
Not sure i understand your question. It looks like they sent all testing files and all records in those files which include test records of non-public schools. They also sent statistics on all disabled children in SER the Special Education Reporting system. Disabled students in non-public schools are entered in SER.
What makes this entire post wrong is that FERPA specifically allows state agencies to turn over personally identifiable information on students to “organizations conducting studies for, or on behalf of, educational agencies or institutions for the purpose of developing, validating, or administering predictive tests, administering student aid programs, and improving instruction,” as long as their research does not itself reveal anyone’s identity. See 20 U.S.C. 1232g(b)(1)(F).
But it can. For instance – We have non-public schools with a single disabled student reported with their exceptionalities. Are you telling me a small school with only one disabled child in a wheelchair can’t be identified ( along with mental disabilities not readily apparent and other data?)
Additionally, USED interpreted the law and provides guidance to and sanctions to state department’s of education to not disclose data below a threshold amout. In our case that threshold is 10.
Finally, while data can be shared, for research purposes, that does not mean State departments are free to provide any and all data – especially data unrelated to the research and outside of the specific MOU agreement governing the research.
I also question whether the department may have violated other state and federal laws by disclosing info on disabled children, and data from non-public schools which it had access to, but which is outside their governance and without these school’s or students permission.
Can you please explain to me what predictive test, student aid program or improved instruction the CREDO study served? Also please explain why they provided data outside even the scope of the study? If I were contracted to do a study for a single school to administer and validate a test, does that entitle me to get all student data for all time from every other institution – even ones i don’t oversee? Does that permit the department to release all data on all students in all grades – like pre-k – when working with a group to provide college student aid?
And LDOE has said repeatedly this study was not for them. CREDO has claimed LDOE had no role in the project and no interest – which is why they “claimed” it was unbiased by such condiderations.
If FERPA doesn’t protect against those disclosures it’s even more worthless than anyone thought…
“We have non-public schools with a single disabled student reported with their exceptionalities. Are you telling me a small school with only one disabled child in a wheelchair can’t be identified ( along with mental disabilities not readily apparent and other data?)”
So what? The issue isn’t whether that information was reported to CREDO (that’s fine under FERPA) but whether CREDO published anything about that school in a way that identifies someone. Did CREDO do so?