Recommendations following exposure of DC students’ personal info
Last week, Fox5 first reported and then ABC7 and DCist also wrote about a student personally-identifiable data breach related to a DCPS performance oversight hearing data request which was then posted (and recently removed) on DC Education Committee Chairperson Grosso's website. The data file contained 2,000 students' names, identifiers, dates of birth, and demographic information.
According to the Fox5 report, DCPS contacted the families who were impacted:
"In a letter to parents on Friday, Interim DCPS Chancellor Amanda Alexander wrote that "DCPS mistakenly included the student information in a spreadsheet it provided to the Council."
The spreadsheet contained students' names, dates of birth, ID numbers, schools, grade level, attendance information, housing status, and eligibility for special education and/or English Language Learner classes, according to Alexander's letter."
This sort of accidental release of data is more rare today than in years past but is still unacceptable. There were several checkpoints between the DCPS student information system and Grosso's website, and they all failed to protect the security of students' personal information. It may have occurred and just not reported, but we are concerned that our education leaders did not specify detailed action steps to prevent a similar breach in the future.
Maybe they need support in figuring those steps out? If so, we offer the recommendations below as a starting point. The strategies center around three central areas of improvement: data system infrastructure, policies and practice, and staffing. Many of our recommendations follow best practice guidance from National Center for Education Statistics (NCES) here and the US Department of Education here and here.
Data System Infrastructure
Privacy settings exist within most student information data systems that allow users to only see a narrow set of data, normally at the aggregate level. Very few district-level users should need row-level access to see individual student information. For personnel who do interact with student data views, any export function should restrict student information like ID, name, birth date, and address.
For any system granting public access, like cloud-based file folders and internet links, we recommend Council staff and DC Government agencies use products that are able to read files and produce additional warnings for any that may contain personal information. For example, in the actual breach scenario, if Dropbox had a feature that read the spreadsheet for headers and noticed one said "name," a popup warning could have alerted the staff member posting the data before hitting submit, preventing the breach.
Policies and Practice
Our District agencies should have narrow limits and specific approval protocol when requesting personal data between agencies. There are very few instances when student level information is required to complete an oversight request. In the instance it is required, we think this is where the Auditor's office can play a bigger role. The Office of the DC Auditor is fluent in best data practice and is more likely to play an independent role in accessing quality of the underlying data and verifying its accuracy while safeguarding the identifiable information.
Staff Professional Development
Our society has entered an era of big data where the amount of useful information and access to it is exponentially proliferating. Nearly every job, at some point, has access to personal data. Therefore, every District government staff member, especially those in our education agencies, should be required to complete data privacy training. For DCPS, OSSE, DME, and charter schools, the training would include information on the federal Family Educational Rights and Privacy Act (FERPA) along with specific guidance around the limited circumstances under which student information should be shared and how to best protect future data breaches.