Rep. Andrew Brenner has introduced a bill to limit the time allotted for standardized testing in Ohio schools. The bill has been amended to Substitute House Bill 228 to expedite the legislation for the lame duck session.
Since Race to the Top calls on states and school districts to work toward offering state achievement testing online in the future, HB 228 includes a provision requiring the Ohio Department of Education (ODE) to submit a report to the Governor and the General Assembly by December 31, 2014 on the security of student data in connection with the administration of online assessments. The bill reads,
“Not later than December 31, 2014, the Department shall submit a report to the Governor and the General Assembly, in accordance with section 101.68 of the Revised Code, on the security of student data with regard to the administration of online assessments.”
If HB 228 does become law this November, the ODE will need to move quickly to finalize its report by December 31st. Here are two items which should be included in ODE’s report:
Transfer of Private Student Data to PearsonAccess
In preparation for the PARCC field tests which took place this past spring, PearsonAccess, PARCC’s test administrator, requested the following information from school districts:
- State Student Identifier Code
- Student Legal Name
- Birth Date (optional)
- Type of Disability
- Disability Accommodations (optional)
- Gifted Status
- Free Lunch Qualifier (i.e. pays full price, receives reduced price, or receives free meal)
Not all Ohio school districts participated in the field testing, but those that did may have complied with PARCC/PearsonAccess’ request and transferred both the state student identifier code and the student legal name. Sending the student name along with the student identifier code erases the anonymity the identifer code affords relinquishing any privacy protection for the students affected.
Once the data is in the hands of PARCC/PearsonAccess, it’s “Katie bar the door” because PARCC has agreed to provide the U.S. Department of Education and its contractors with “timely and complete access to any and all data collected at the state level.”
Transfer of Private Student Data to Disability Rights Ohio
In August, the ODE placed a Notice to Parents on its website notifying parents that a federal court had ordered the release of the educational records of all Ohio public school students registered for the 2013/14 school year to Disability Rights Ohio (DRO), a federally funded legal aide organization.
The data transferred included: student identifying number; demographic information such as school, grade, gender race, age and disability category; attendance statistics; information on suspensions and expulsions; and results on state tests such as the Ohio Graduation Tests, the Ohio Achievement Assessments, and the Third Grade Reading Guarantee.
Parents were told student names, addresses, and social security numbers would not be included in the data release, and as such, student privacy would be maintained. However, as discussed in a podcast with Heartland Institute’s Joy Pullman and Bluegrass Institute’s Richard Innis, student anonymity cannot be guaranteed when de-identified data files containing a large number of data fields are released to third parties. Innis explains,
“Generally, in these de-identified databases to facilitate research, there’s still a lot of data collected…After awhile you get a lot of that data and it starts to become unique. The probability that two students will share exactly the same set of data as you collect more data pieces gets smaller and smaller and smaller until you can re-identify data with a pretty high degree of accuracy if you have another extensive database to compare it to.”
The State of Ohio proudly proclaims in its Notice to Parents that its one of only three states that does not store student name and social security number at the state level. But so what. Uniquely identifying student data files with a student identifier code serves much the same purpose.
The court further attempted to safeguard the security of the data by placing a protective order on the data released. But if DRO or their consultants were to violate the protective order either by accident or with intention, it is highly unlikely that anyone would ever know or be able to trace the violation back to the responsible party. The privacy of Ohio school students now rests in the hands of an agency few Ohioans know anything about and their third party consultants.
The data release to DRO highlights the danger of storing individual student data files at the state level. Doing so makes it far too easy to fulfill such sweeping data requests as DRO’s. Keeping private student data at the district level enhances student privacy by requiring third parties to seek approval for data requests from each of Ohio’s 610 school districts. The ODE can just as thoroughly monitor the performance of Ohio school districts with aggregate data.
Student Data Privacy Does Not Exist in Ohio
Student privacy rights in Ohio have in effect been waived by the transfer of student name and state student identifying number to PARCC/PearsonAccess for PARCC field testing and by the federal court order to transfer student educational records to DRO.
Parents often hear Ohio government officials talk about the safeguards in place to guard student privacy, but when it comes right down to it, it’s just talk. Student privacy law has been corrupted to such a point that student data can be transferred without parental consent and even over the objections of parents. And with the massive bureaucracies in place at the state and federal levels, parents have no idea when their child’s data is being sent to third parties.
The only way to protect student privacy is to keep student data out of the hands of state and federal officials. Private student data should only be stored at the district level and should only be released with the approval of the parent or guardian. Until such a system is in place, don’t be fooled, there is no student data security in Ohio.