In June, the state legislature passed and Governor Kasich signed into law HB 487, the mid-         Unknown-5
biennium budget review for education.  We were told by the press and by our state legislators that the bill would address many issues Common Core opponents have raised, including privacy concerns over the collection and sharing of student data.

A June 3rd Gongwer report outlined the ways in which HB 487 would protect student privacy:

  • Prohibits collection of student and parent social security numbers, political or religious affiliation and biometric data during testing.
  • Prohibits sharing student names and addresses with multi-state testing consortia.
  • Requires the State Board to establish data security safeguards.
  • Requires State Superintendent to make recommendations regarding student data security and use.

House Education Vice Chairman Andrew Brenner touts these accomplishments in his June 27th blogpost and Senate Education Chairwoman Peggy Lehner is quoted by the Columbus Dispatch as follows,

“We’re trying to address those concerns that we have heard from citizens across the state, particularly around privacy and selection of curriculum to let them know we have listened and have put safeguards in place.”

The strong and growing grassroots opposition to Common Core is obviously making itself heard at the Statehouse, but concerned parents can’t rest easy yet.  A close reading of HB 487 leaves one to wonder if the measures enacted in HB 487 will actually have the effect of protecting student data.

Representative Brenner points to the following changes made to Ohio Revised Code in HB 487 which aim to strengthen student privacy:

“Sec. 3301.947. Data collected in the course of testing…shall be used for the sole purpose of measuring and improving the academic progress and needs of students, educators, school districts, and schools.  In the course of such testing, no student’s or a student’s family’s social security numbers, religious affiliation, political party affiliation, voting history, or biometric information shall be collected, tracked, housed with, reported to, or shared with any entity including the federal or state government.” (HB 487, Page 50)

“Sec. 3301.948. Notwithstanding anything in the Revised Code to the contrary, the department of education, any school district, any school, or any third party under contract with the state, a school district, or a school shall not provide student names and addresses to any multi-state consortium that offers summative assessments.” (Emphasis added.) (HB 487, Page 51)

The language bolded above is so narrow it appears as if it was written so that it can be circumvented.  Currently, the entity that develops and offers Ohio’s achievement tests, PARCC, is a multi-state consortium.  But in the future, Ohio could contract with a different type of entity (such as a private corporation), in which case student names and addresses could be transferred because another section of HB 487 states that “personally identifiable information about any student” can be transferred to a person “employed by an entity with which the department contracts for the scoring or the development of state assessments.”

Section 3301.0714(D)(1)  “The guidelines shall prohibit the reporting under this section of a student’s name, address, and social security number to the state board of education and the department of education.  The guidelines shall also prohibit the reporting under this section of any personally identifiable information about any student, except for the purpose of assigning the data verification code required by division (D)(2) of this section, to any other person unless such person is employed by the school district or the information technology center operated under section 3301.075 of the Revised Code and is authorized by the district or technology center to have access to such information or is employed by an entity with which the department contracts for the scoring or the development of state assessments.” (Emphasis added.) (HB 487, Page 40)

The fact that the two sections have conflicting language – one prohibiting names and addresses to be transferred to a multi-state consortium and the other allowing personally identifiable information to be reported to a person employed by a testing or scoring company – could lead to misinterpretation and the erroneous transfer of personally identifiable information at some later point.

Another contradiction exists between these two sections. Section 3301.948 prohibits the department of education and third parties from transferring student names and addresses to a multi-state consortium.  But Section 3301.0714 bars the ODE and third parties from having such information in the first place.  How could these entities transfer information they don’t have?  It makes a person wonder if these entities have personally identifiable information in their possession improperly.

Ohio students who participated in the PARCC field testing last spring have already experienced, albeit unknowingly, the effect of Section 3301.0714 (D)(1).  On March 19th, the OLC posted an article notifying readers that private student data had been transferred to PearsonAccess (PARCC’s test administrator) in preparation for the PARCC field tests.  Included in this data were the names and state student identifier codes of the students who participated in the field testing, along with birth dates, gender, race, disability type, disability accommodation, gifted status, and free lunch qualifier.

Now that PARCC and Pearson Access have both the state student identifier codes and the student names of the field testing participants, these entities can tie student test performance and demographic information to individual students.

Keeping personally identifiable information out of PARCC’s grasp is of utmost importance to those interested in protecting student privacy because in its agreement with the federal government, PARCC has committed to provide the U.S. Department of Education and its contractors “timely and complete access to any and all data collected at the state level.” Once private student data is in the hands of PARCC and its contractors such as PearsonAccess, the state of Ohio has lost all control over it; such is the case for those students involved in the PARCC field testing.

The Ohio Assembly needs to review the above referenced statutes to sort out the conlicts between them and to determine whether the language which describes entities prohibited from receiving personally identifiable information should be broadened.

Additionally, what does the Ohio Assembly plan to do about the personally identifiable student data that was released to PARCC for the field testing?  Now that PARCC and PearsonAccess have the student identifier codes and the personally identifiable information for the affected students, does this mean that all future performance and demographic data transferred for these students can be tied back to student name?  If so, the privacy of these students has been forever jeopardized unless there is a way to somehow purge the personally identifiable information from PARCC and PearsonAccess that has already been sent.  What steps does the Ohio Assembly plan to take to see that the privacy of these students is restored?

If Representative Brenner, Senator Lehner, and others who have expressed concerns about student privacy are serious, they will take the appropriate actions so that no more personally identifiable information is transferred and the privacy breach that has already occurred is rectified.

Has your child’s personally identifiable information been transferred to PARCC?

A list of the school districts which participated in the PARCC field testing can be found  HERE.  Scroll to the bottom of the article.  Please note the list is incomplete because PARCC was still accepting field test participants at the time of publication.

HB 487 as enrolled can be found HERE.