As schools re-open, the Federal Trade Commission (FTC) published a consumer alert for parents on how to protect your child’s information at school. I would encourage my readers who are parents to read their advice, but keep the following in mind:
Although their advice sounds good, 20+ years of real-world experience suggests parents will get serious misinformation about the security and privacy of their children’s records when they do try to follow it. As but one example, the FTC recommends:
- find out who has access to your child’s personal information, and verify that the records are kept in a secure location
Despite what your child’s school district may tell you, there are many employees who will have access to your child’s personal information that you will not be told about. Part of the reason is that most district administrators – including FERPA compliance officers – simply do not know where all of a student’s records and personal information reside(s). Personal information on your child may be located in files in the building principal’s office and/or the school’s main office, the school (or district) nurse’s office, the school (or district) psychologist’s office and/or social worker’s office, the vice principal’s office, and a variety of district administrative offices, including the district’s special education department and the office or department that handles bus transportation. Other personally identifiable information may be located off-site on a server that is maintained for the district by an outside contractor, whose employees would presumably also have access to your child’s personal information. And of course, as we’ve seen in some data breach reports I’ve covered on DataBreaches.net, your child’s personal information may be in the hands of some researcher to whom the district or state has granted access.
Even if you ask your district to identify each and every location where your child’s personal information is stored or retained, and even if you ask the district to list all personnel or job titles that would have access to their data, the district will most likely not give you a full and accurate list because they have not made privacy and security enough of a priority to find out where all of the data are and who has access to it – despite what they may claim.
So even though FERPA gives parents the right to inspect all of their child’s education records, parents filing a request to inspect under FERPA will likely not get to see all of their child’s records because most districts do not seem to know where all of a student’s records are located – and that’s apart from the issue that some records that might not be considered “education records” may not be provided to parents even though parents would want to know about them and inspect them.
The U.S. Education Department has failed miserably when it comes to protecting the security and privacy of student’s personally identifiable information. If it was serious, it would order all schools to conduct a serious audit of their security and system for tracking the location of records and would send in outside auditors to conduct independent assessments about how much schools are routinely exposing students and their parents to unnecessary risk of privacy or security breaches.
In the meantime, do take the FTC’s advice and opt your child out of directory information and whatever else you can opt out of. As Adrian Monk might say, “You’ll thank me later.”