Rob Manning has additional details on a controversial situation involving Portland State University conducting research on k-12 students. The initial report by Katie Shepherd on Willamette Weekly raised questions as to whether notice and consent were required by FERPA and whether the university had violated any laws by having its graduate students, who were student-teachers for the public schools, collect data from protected classes.
The controversy came to light because a graduate student filed a formal complaint with the university about the research, claiming that although it had IRB approval, it violated FERPA and that he had ethical concerns. The university is now investigating.
Manning’s reporting, which is a must-read if you are interested in this case, also incorporates reference to data security. If students were pulling down student data that they would then “de-identify” perhaps, then what security was in place during the downloading of the data from the secure platform? Were they exposing data to a MITM attack? And onto what device did they download the still-identified data? Was it encrypted?
How did the graduate students, who reportedly hadn’t even been really trained on FERPA, protect the data they collected? Has anyone seen a security audit on this aspect?
Perhaps one of the most concerning aspects is that the public schools are not sure whether there has been any violation of law at all. As I tweeted earlier today, I suspected that a lot of the problem is related to the expansive notion of “school official” that came into effect when FERPA was amended. By using a broad approach to what is a “school official,” a district may excuse or permit a lot of what otherwise would not be permissible.
Manning’s report actually highlights that concern:
Portland State’s right to analyze private student data is based partly on federal law, but also on agreements the graduate school has with individual school districts. At least one of those contracts appear to grant PSU graduate students wide latitude to gather student data: The contract with the Hillsboro School District, which OPB obtained from the district.
“The University’s students may conduct research projects within the school(s) of the District when activities are consistent with the educational program of the District,” reads a portion of the Hillsboro contract.
Later, the Hillsboro agreement clarifies that “University and Student [the graduate student-teacher] are considered a ‘school official’ of the District for purposes of the Family Education Rights and Privacy Act (‘FERPA’).”
But the contract with Portland Public Schools that PSU officials shared with OPB, lacks some of those explicit allowances. Instead, the PPS contract emphasizes limits on the uses of student data.
“Except in very specific circumstances, Institution and Student [the graduate student-teacher] shall not disclose to any other party without prior consent of the parent/guardian any information or records regarding students or their families that Institution or Student may learn or obtain the course and scope of its performance of this Contract,” reads the PSU agreement with Oregon’s largest school district.
Read more on OPB.
Districts have an obligation to their students under FERPA. They should not “punt” that obligation to universities or to those with whom they have contracts, but that appears to be what happens all too often. If the U.S. Education Department is serious about protecting data and privacy, it needs to actually do some enforcement under FERPA, something which it has not really done in more than 40 years that FERPA has been the law.