An inadvertent but significant breach of student privacy in Missoula a few weeks ago should serve as a wake-up call for every school district in Montana.
Sensibly, Missoula County Public Schools is now undertaking a review of its policies and best practices regarding the handling of confidential information. But every school district in the state should be doing the same. While the recent incident in Missoula was unusual, as more information is collected, stored and transmitted using increasingly connected technology, the potential also increases for more serious breaches.
That’s why it’s important for schools to ensure tight control of student records, and for Montana to develop a consistent statewide policy to enforce student privacy.
MCPS, like most school districts, already has general policies in place regarding student record-keeping and privacy. The recent release of student data exposed a few places where these policies could be tightened.
On Dec. 4, 28 parents connected with the football program at Hellgate High School received an email that included an attachment with private information about more than 1,000 Hellgate students. The attachment also contained some information that wasn’t sensitive, interspersed with private academic, criminal, disciplinary, family and medical records, as well as one teacher’s evaluation.
Later that month, following its investigation, the district announced that the assistant principal at Hellgate was responsible; that administrator subsequently resigned. MCPS Superintendent Mark Thane explained that best practices had not be followed, that the district would be reviewing its relevant policies, and that a new policy would be added that would avoid similar incidents in the future.
Thane also offered reassurances that the information security systems in place at MCPS are sound, and that staff are trained in privacy protocols.
The federal Family Educational Rights and Privacy Act is the preeminent law covering student information in the United States, and school districts that violate this act risk losing Department of Education Funding.
Yet in many key ways the federal regulations also come up short. They primarily concern the right of parents to access their children’s education records, and to prevent the release of some information (with a long list of exceptions). Some advocacy organizations, such as the Electronic Privacy Information Center based in Washington, D.C., have long urged the passage of a Student Privacy Bill of Rights that would explicitly describe the right of students to access and control their own records, as well as provide a framework for security and a process for enforcement.
These groups point out that school districts are collecting more information on their students than ever before, and that this information is sometimes shared for purposes that stretch the definition of education.
Moreover, in mid-November, a congressional committee held a hearing on information security at the Department of Education to follow up on an inspector general’s report from 2014 that found the department’s information systems are vulnerable to “serious security threats.” It concluded that those systems remain vulnerable.
Schools will collect a lot of information about their students over the course of their educational careers. This data will include test results and grades, but may also include also physical and mental health evaluations, family income and housing information, custodial agreements, and a host of other sensitive information.
And while it’s rare for a news organization – which constantly pushes for more and better access to public information – to advocate for tighter control of any information, these students records are clearly private and should remain so.
The best way to ensure it stays private is to delineate the rules for handling this information, and the consequences for failing to follow the rules.
Of course, OPI would need to be allotted sufficient funding to provide training, and the necessary authority to enforce its policies. The state Education and Local Government Interim Committee will meet next on Jan. 14 in Helena. We would urge the committee members to add this discussion item to their agenda.
In the meantime, it would be a smart idea for Montana’s school districts to begin reviewing, updating and training staff on privacy standards on a regular basis. Those that don’t leave their students increasingly vulnerable at a time when information technology is only growing more invasive and sophisticated.