You are on page 1of 8

Dear Directors, I expect the school board and superintendent are fully-informed on the scope, rewards and penalties

of the Road Map Project, billed as a cradle-to-career education improvement initiative. If not, you should be. This understanding should go beyond sound bites and cheerleading. Parents are justifiably upset that our district has agreed to a discretionary release of reams of our students personally identifiable information for TEN YEARS, for a massive experimental database in The Cloud. This release will be to yet-unidentified third parties who will allow access to this data to employees, summer helpers, and(who knows who?). The question you should ask yourself is to what end? Are the rewards worth the risk? Would YOU like your information released into the Cloud, available to anyone with a password to manipulate, collate, and make available in a handy easy-to-use interface? Your social security number, transcripts, health status, and disciplinary records released without your permission? I think not. Fellow parent, Melissa Westbrook, provided you the background of the U.S. Department of Educations (ED) amended Family Education Rights and Privacy Act (FERPAa0 regulations. In short, the ED has likely overstepped its authority by assigning its own definition to statutory terms. In doing so, the ED has essentially gutted FERPA law. The Electronic Privacy Information Center (EPIC) has sued the ED stating: Contrary to the agencys contentions, Congress itself articulated specific reasons for precluding noneducational state agencies from accessing, altering, or storing records containing the personally identifiable information of students. The laws chief sponsor Senator James L. Buckley specifically intended that FERPA would prevent linking academic data to non-academic data for the purpose of measuring schools impact. Senator Buckleys statement in the Congressional Record describes FERPA as a safeguard against the dangers of ill-trained persons trying to remediate the alleged personal behavior or values of students, which include poorly regulated testing, inadequate provisions for the safeguarding of personal information, and ill -devised or administered behavior modification programs. (emphasis added) FERPA Redefinition of Who is a School Official The ED has determined that prior consent is not required to release personally identifiable information from an educational record if the disclosure is to other school officials, within the agency or institution whom the agency or institution has determined to have legitimate educational interest including contractors, consultants, volunteers and other outside parties to whom an agency or institution has outsourced institutional services or functions. These rather unconventional school officials must, however: 1) Perform an institutional service or function for which the agency or institution would otherwise use employees; 2) Act under the direct control of the agency or institution with respect to the use and maintenance of education records; and 3) Is subject to the requirements to not redisclose PII from education records. A legitimate educational interest is pretty vague. Who is the best judge of whether a party has a legitimate educational interest? As the parent, shouldnt I have a say whether an outside organization has a legitimate educational interest in my childs disability status? Or whether she struggles with math? Or social communication? I posit that the contractors, consultants, volunteers and other outside parties that fall under the CCER MOU ARE NOT under the districts direct control. Read the MOU and see for yourself (attachment 1). Further, the district has not met the regulatory requirement to use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate education interests; there is no language to that affect in the MOU. 34 CFR 99.31(a)(1)(ii) requires that an education agency or institution ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest

requirement Considering that OSPI has just issued a Corrective Action to the district, mandating review of that very same policy in response to the district Acting General Counsels unconscionable release of a students special education settlement I have no illusions that the district will not do whatever it wants with sensitive student information, reasonable measures or not. Lets examine risks of this broad characterization of school official. One might say that FEL service providers qualify as school officials, as they provide tutoring and help with study skills (more on their involvement later). Yet, if the district cannot fully vet athletic coaches (as recent debacles at Ballard and Roosevelt demonstrate) how can it effectively oversee the enlistment of nonemployees and volunteers who are to be trusted with our students personally-identifiable information? Non-profits are not required to conduct background checks. Wouldnt that be a reasonable measure? How many will go to this expense, when many rely on volunteers? Established non-profits, like FEL provider Seattle YMCA, does conduct background checks on employees and volunteers but what about Causeys Learning Center? The Vietnamese Friendship Association? The Community Day School Association (CSDA)? (Not to single these three out from any other FEL service provider.) The CSDA, for example, does not request WDL data on its application and relies on the applicants veracity. We know some people do not fill out applications truthfully. What will that service provider do with this data? I expect that workers without the proper training or experience will use it to make assumptions about students and their capabilities. This is highly plausible because teachers and administrators do that now and they should know better! Additionally, a review of the Citys FEL contract language with these service providers (agencies) finds there is no provision to mandate background checks of individuals who will be accessing our students PII and educational records. In fact, the contract only states that, by no means, are agency employees or agents to be construed as under the direction or control of the City. The City also sees fit to require agencies to hold the City harmless against any losses, liabilities, claims,..actions or damages of any sort whatsoever If any third party is aggrieved by careless data management, they will only be able to go to, say, the aforementioned Vietnamese Friendship Association for relief. I believe they should hold the district responsible, as you released the data in the first place. Directory Information Not Just Your Old Yellow Pages anymore! The ED states that the amended FERPA regulations modify the definition of directory information to clarify that an educational agency or institution may designate as directory information and nonconsensually disclose a student ID number or other unique personal identifierif the identifier cannot be used to gain access to education records except (emphasis added) when used in conjunction with one or more factors that authenticate the users identity (like a password maybe?). Now a district can decide that socio-economic status, SSI, and disability is directory information. All it takes is a login from a sub consultants office, non-profit, or service-provider to be able to connect Johnny with his contact info, emotional disorder, grades, and single parent household. Youre probably thinking thats not so terrible, right? Passwords are good, right? Anyone can get a password. Think of a sexual predator seeing an opportunity to identify and groom a vulnerable child (Jerry Sandusky). Or a student volunteer doing data-entry, thinking it would be funny to use social media and torment this child (cyberbullying). Misuse or redisclosure should not be difficult for you to imagine. Just read the news: Feb 2013 - Microsoft Hacked: Tech Giant Latest High-Profile Company To Suffer Cyber-attack; Feb 2013 - Facebook Hacked In 'Sophisticated Attack,' Company Reveals; July 2013 - Apple Hacked: Company Admits Development Website Was Breached. Lets not be under the delusion that this could never happen. The districts, CCERs and its contractors safeguards are not as robust, and transient users will have access to the databases. But since this will not directly impact you or your personal information, then let us continue to dismiss this possibility.

Based on these redefinitions, school districts can pretty much give student personally-identifiable information to anybody it wants to, and withhold it from the rest. As a strong proponent of our public disclosure laws, I have always respected confidentiality of student information. Given recent events, OSPI findings, and other district snafus, it appears that the board and district administration do not. The Districts elective decision to hand our students educational records to CCER First, lets clarify something: the Seattle School District was and is under no obligation to participate in the Road Map Project. District involvement began under the leadership of the superintendents predecessors with NO public engagement. (Oh, I remember one time Mary Jean Ryan did a quickie update during Superintendent Comments in February 2012. Funny, there was no mention of putting our students data in the Cloud.) Much like the districts collaboration with Teach for America, an outside organization was entrusted with public engagement. Do you know whether they fully shared CCERs plans for student records? Mr. Banda made the decision to continue down this road with this Gates-funded endeavor and so must take full responsibility. I also fault his staff and legal counsel. Was Mr. Banda fully briefed on the benefits and pitfalls of participating in the Road Map Project? I dont think so, as the funding, benefits and supports are still undefined (more on this later). His legal counsel crafted a wholly inadequate Memorandum of Understanding with CCER that fails to adequately protect student PII and educational records. SPS CCER MOU and Best Practice The ED-established Privacy Technical Assistance Center (PTAC) has published guidance documents for student-level longitudinal data systems and FERPA exceptions. The FERPA regulation on the studies exception mandates a written agreement with any organization conducting a study requiring personally identifiable information from education records without consent. Lets compare the MOU with mandatory requirements and PTAC recommendations: Required Elements SPS MOU? Notes and provision

Studies exception Purpose of the study to be conducted Yes

Scope of the proposed study Duration of the study Information to be disclosed

No No Yes

Use PII only to meet the purposes of the study

Maybe

Limit access to PII to those with legitimate interests

Yes

CCERs research team will use District data to understand educational trends across not only the District, but the region as a whole. CCER will provide that analysis to the District to inform instructional strategies for improving educational outcomes in the District. No specifics. No methodology. Only states the District will provide CCER ten years of data, until 2020. No description of length of a study. A lengthy list. The MOU states CCER may request other elements depending on the nature of the questions to be addressed by CCER. What? They dont know what they will study? CCER will use Personally Identifiable Information shared under this Agreement for no purpose other than to meet the purposes of the research studies identified in this Agreement However, the Road Map Project describes other uses, described below. However the MOU allows CCER to disclose PII to authorized employees, contractors or agents with legitimate interests. This is not defined in the agreement. Cant we define who has legitimate interest?

Destroy all PII when the information is no longer needed for the purposes for which the study was conducted and within a specified time period

Maybe

MOU says CCER will require its contractors, or agents to destroy all data files. But there is no mechanism to ensure this happens.

PTAC Best Practice Bind individuals to the agreement Yes Agree on limitations on use of the PII, No including any methodological restrictions, such as linking to other data sets Specify points of contact and data custodians Yes

Jose Banda and Mary Jean Ryan No limitations specified. In fact one Road Map objective is to link Seattles data with six other districts. The MOU designates a named individual as temporary custodian of the data that the District shares with CCER. Temporary? Who will be the custodian throughout the duration of the agreement? There is no safeguard in place for ethical review of study proposals or risk-benefit analysis. There is NO mention of penalties in the MOU. This is contrary to what the board was told by staff. Upon termination of MOU or when PII no longer needed for research purposes Within six months of either condition. Gee, thats nice; CCER wont charge the District. The MOU goes on to state: The District agrees as consideration that CCER will be able to use data collected for and on behalf of the District for CCERs Road Map Project analyses in a manner consistent with this Agreement. So the District will pay CCER by handing over our students data. Not JUST for studies, but for the Road Map Project, for developing apps to be accessed by outside parties. The District is allowed to see the records kept by the temporary custodian. These records include a log of data requested and received, and confirmation of destruction of data. MOU states the method of transfer shall be via physical media (ex. USB drive, CD or DVD) or secure FTP. Thats right; nobody ever loses USB drives or laptops.

Mention Institutional Review Board review and approval State ownership of PII Identify penalties for inappropriate disclosure Set terms for data destruction

No Yes No Yes

Include funding terms

Yes

Maintain the right to audit

Yes

Identify and comply with all applicable legal requirements, including maintaining the data in a secure manner by applying appropriate technical, physical and administrative safeguards to properly protect the PII, both at rest and in transit Have plans that are in accordance with any applicable State and Federal laws for responding to a data breach, including, when appropriate or required, responsibilities and procedures for notification and mitigation Review and approve reported results

Maybe

No

None, zilch, nada. Read the MOU for yourself. Who is liable for data breach? Misuse?

No

Define terms for conflict resolution

No

The District has no say in how results are reported or to whom. In fact, CCER reserves the right to disclose our student data (without PII) to entities and individuals other than those listed in the agreement. There is no provision for arbitration or mediation of disputes.

Specify modification and termination procedures, including approved destruction methods for each specific type of media (e.g. data wiping, degaussing, shredding, etc.) Inform the public about written agreements

The MOU only states CCER will destroy all data files and hard copy records that contain PII and purge any copies of such data from its computer systems. What assurances are there that the data is truly purged? No Of course we now all know that there was no effort to inform the public, let alone parents and guardians. In fact, I stumbled upon the CCER MOU in a February records release and informed parents. In fact, I will bet most of the board directors unaware of this MOU. This should have been introduced and approved at a regular legislative meeting. As you can see, there are critical gaps in this MOU that place our students PII and education records at risk for inadvertent or purposeful re-disclosure. Is what we get in return going to be worth this risk? Let us examine just what the Road Map Project offers our district. Road Map Project Essentials I will try my best to distill the 600+ page Road Map Project to something more readily digestible. I have tried to divvy up the investment across the seven districts that participate in the Project. I will readily admit this numbers may be all wrong, but I will venture to say it is all you have to go by. Even the RTTT Road Map Application states: The following budget narrative represents a likely scenario of how the investment Fund may be spent, based on identified high yield strategies that districts are interested in pursuing. Actual expenditures will be dependent on the specific Projects selected pursuant to the rigorous consortium proposal evaluation process. All elements can be verified here. I leave it up to the reader to discern just how much our district stands to gain. Projects 1. Invest in Teaching and Leading * STEM Instructional Leadership * ELL and Cultural Competency Training * STEM endorsement training * Professional Development Training * Principal Leadership Program 2. Develop Common Regional Data Portal and Data Sharing Agreements Centrally-located data warehouse Front-end data dashboard with easy-to-use interface 3.A Establish High-Functioning Prek-3 Grade System Region-wide Four PSESD FTEs, including Content and Data Coaches One-time contract with UW for framework 3.B Establish High-Functioning Prek-3 Grade System at District Level Districts submit RFPs to cover extra hours for Trainers and Substitutes Four-week Kindergarten Jumpstart sessions District PreK-3rd Coordinator National Presenters and coaching contracts DD1 Kent East Hill Partnership Cover Substitute salaries for essentially one all-day training per year for 1 FTE What does Seattle get? Approx Funds $1M RTTT grant per district over four years. Assumes expenditure of $4M total of Fed Title 1, Title II, district general fund, Fed Bilingual Assistance and LAP funds $2M RTTT grant for region Districts will assume costs to maintain after term of Project. $2.4M RTTT grant for region $28k ea. district mgmt time, general fund $624K RTTT grant per district over four years $49K for district salaries ????** 1 FTE per district ????** None Assumes expenditure of $940K per district of Fed Head Start, Title I, Title II, and BEA $1M

No

* 1 STEM Mentor per district * 25/7 or 3.5 teachers/year * 25/7 or 3.5 cohorts/year * 200 hours PD per year * 2 participants per year 1 hour data dashboard training per teacher in district (1 Analyst, server, and Tableau licenses, set-up fee, contract labor for region.)

DD2 White Center Partnership DD3 Investment Fund to Develop Additional Site-Based Partnerships effectively operationalize intensive student-level interventions, in school and out. Inventing and then scaling highly effective service integration models is key to our goal of personalizing instruction and supports for each student.Projects will be selected pursuant to the rigorous consortium project evaluation process. 4. Expand the Use of Digital STEM Tools to Personalize Instruction *Purchase licenses for internet-based tools, to be selected by RFP, for high-need schools *Purchase 410 computers *Train teachers at districts receiving tools 5. Create a Regional System for Career Awareness and Exploration *ESD Database Coordinator *Proprietary ccInspire license for 6-12 schools *Proprietary ccSpark license for K-5 schools *Expand Workforce Development Council of KC *Increase STEM awareness

None

$1.2M

ESD FTEs and computers Contracts to 3 out of 7 districts with training stipend awarded by RFP Partnership slush fund ????** for Seattle

$1.3M RTTT grant for ESD costs $707K RTTT grant (ea.) for 3 district over 4 years $150K RTTT grant Districts will assume costs to maintain after term of Project. *$2.6M RTTT grant funds for 77 schools/region *$1.6M RTTT grant funds *$131K RTTT grant funds $1.2M RTTT grant funds region wide for database mgmt. and licenses

*51 K-5 & 16 6-8 schools region wide *140/year across region *2 hrs for 350 teachers/year across region

*1 ESD FTE *12 SPS 6-8 schools *24 SPS K-5 schools

Assumes expenditure of $5.1M total of Fed Title 1, Title II, district general fund, State funds, Jobs for America grant Fed BEA and LAP funds

6. Create an Integrated System of Middle and High School Advising *Train college/career advisers *Expand UW Dream Project Counselor Assistants *18 district counselors attend $500K RTTT grant funds workshops per district over 4 years *22 Counselor assistants Assumes $310K total other Fed and grant funds

7. Adopt the College Board College & Career Readiness Pathway Pay fee for SAT tests for every junior in district Train teachers as proctors 8. College & Career Readiness Investment Fund IB Coordinator CAS Coordinator Extended Essay Coordinator Cost for Substitutes AP and STEM books Training contracts ** Amount going to SPS is unknown and may be minimal 2,850 district students 3 hrs training per MS/HS $2.8M region wide for 3 years of exam fees/trng.

????** Awarded by RFP

$4.1M RTTT region wide for proposed projects Assumes expenditure of $5.1M total in general fund, Fed BEA and private grants.

The Road Map Project RTTT application has attached strings to these projects. While spending millions on PSESD staff, computers and office supplies, the Executive Committee will expect districts to put some skin in the game. The importance of sustainability has been a major factor in every facet of the proposal's development. If the grant is awarded, sustainability will be a strongly weighted criterion in all the subsequent Investment Fund decisions. In our Consortium grant proposal development process, priority was given to including Projects where the impact could be maximized with one-time investments. Where investments are proposed that might impact ongoing district budgets, the Executive Committee will require districts to analyze their potential for redeploying existing dollars before they are awarded Race to the Top dollars. In the specific awarding processes of the Investment Funds, we will explicitly require match dollars in order to ensure that other funders are brought in early and to ensure that districts are strongly invested in project success. Building local ownership of the Consortiums major regional system change will be key to achieving and sustaining much higher system performance. Note that 54% of the funds in the Road Map Project budget come from existing Federal and State grants and district operating funds. Yes, $48 million of the seven districts Title I, Title II, Fed BEA, State BEA and levy funds will be redeployed as they say. Did anyone estimate how SPS would cover this 54% before signing this agreement? That would be the prudent thing. What will be cut for these experiments? If the intention is to run our district more like a business and make smart, cost-effective investments, then we should closely scrutinized these grant opportunities to ensure: a) our budget has to capacity to match funds; and b) that the end result is sustainable and worthwhile. Project 2 is not research or a study It is clear that the intention in Project 2 to create a Regional Data Port and Data Sharing Agreements is not research or a study. The rationale provided for this effort to upload ten years of PII and education records of every student in the seven school districts, is a weak one: Given the high mobility of students throughout the Road Map District Consortium, standardizing region-wide data systems and data sharing agreements will enable student information data to follow students when they move between districts. The system will present student data analytics to facilitate quick instructional decisionmaking for students moving from district to district, and allow districts and community-based organizations (emphasis added) that serve students to access the data in a FERPA-compliant manner. This mobility is clearly overstated and hardly justifies the uploading of gigabytes of PII into a regional database for use, or misuse, by as-yet unidentified parties. Recall that the EDs best practices call out Agree on limitations on use of the PII, including any methodological restrictions, such as linking to other data sets. The CCER MOU is silent on this. But Project 2 is not. The RTTT grant application spells out multiple non-research uses of data, across many data sets (emphasis added below): (I)nvest regionally in a centrally-hosted data warehouse that will serve as the backend system, creating a common format for data to flow more easily between member districts. This regional system will be connected to individual district systems to import data on a regular basis, and provide a one-stop reporting shop for community-based organizations and early learning providers. The system willallow districts and community-based organizations that serve students to access the data in a FERPA-compliant manner (comment: theyll have passwords). Data exported from the central data warehouse will be available in an open data format (such as CSV, XML, or ODS) that can be used by external programs. One example of how this open data format will provide benefit is through the ability to export data to community-based organizations for use in their own data system. They will be able to bring in non-proprietary student information such as test and assessment scores and

incorporate that data into their own system to support extended day learning for students that aligns with student needs and coursework. Community-based organizations will use a specifically designed portal to access the information they need about students and to enter information useful to schools. Smaller organizations often do not have data analysts on staff, so a well-designed graphic interface will help understand their caseload,and individual student data. Hold all important student information in a common format, including demographics (name, gender, birth date, race, and language); academic history (course-taking, grades, teachers, assessment scores, ELL status, intervention status, student learning plans); health and social data (immunization information and Early Warning Indicators) and family records (guardian name and contact, as well as primary language spoken at home). The data portal developed in Project 2 will support the transfer of data among all districts in the Road Map region. The region will implement a data warehouse that will be housed centrally and linked to each district. The warehouse will be customized to be able to regularly pull in and report on data from districts using other data systems. Grant funds would be used to ensure that each district has an instructional data dashboard with a sufficient layer of data analytics applied and an easy-to-use interface which will help student, parents, educators, and trusted partners view and more easily understand the data. RTT-D investmentswill enable us to capture and share student-level data to support personalized learning approaches and establish level of data interoperability and continuity The database will be used for RTT-D performance management reporting.

It is clear that CCER, the BERC Group, and its contractors plan to develop an In-Bloom type graphical interface with student PII that will be accessible to outside parties, all under the pretense of legitimate educational interest. This is not research or a study. The MOU, and our districts party to it, makes a mockery of protecting student privacy. I believe I speak for many parents who say preserve our students privacy! We strongly object to this release of student information without consent.