Tuesday, January 12, 2016

Data Collection on Children, A Security Crisis

"I think anyone should know my child's religion, prenatal care information, physical appearance, behavioral health, allergies, browsing history, home address, and then some... without my permission. I mean, that Target credit card breach a few years ago wasn't fun enough"  said no parent ever.

But as we delve further into a world of Big Data, we as consumers are constantly at risk of data security breaches, such as the Target credit card fiasco, Premera Healthcare, Home Depot, and the US Military to name a few seen in an info graphic here.   Millions upon millions of people's social security numbers, credit card numbers, and worse were jeopardized.  Your child could be next.

But don't worry, the US Government ensures you that your child's health and education data is safe and secure - never mind that the US military and the IRS had security breeches, you're safe, trust us, we're the government.

Ok, you say, but what info can schools possibly have on my child? Maybe their name, birthdate, and report card grades? No big deal.

But it is.

Because schools collect a whole lot more on your child and even you yourself, if you are a caretaker of your child. Remember a teacher's empty threat, "This will go down on your permanent record"? It is no longer a threat but an Orwellian reality.

To highlight key points of a Washington Post Article,  there is indeed a lot more being collected on your child and family than you could ever suspect, and it is not secure as you would hope.

To quote a quote within a quote in the  aforementioned Washington Post Article,  

"During a February 2015 congressional hearing on “How Emerging Technology Affects Student Privacy,” Rep. Glenn Grothman of Wisconsin asked the panel to “provide a summary of all the information collected by the time a student reaches graduate school.” Joel Reidenberg, director of the Center on Law & Information Policy at Fordham Law School, responded:
“Just think George Orwell, and take it to the nth degree. We’re in an environment of surveillance, essentially. It will be an extraordinarily rich data set of your life.” "
To expand upon this, which I will mention again in this blog post, the government is creating a "rich data set" of health data, school data, and career data as one. Reidenberg is not exaggerating with his haunting statement on the Orwellian at a set being put into place RIGHT NOW.

Resistance is futile.

"Most student data is gathered at school via multiple routes; either through children’s online usage or information provided by parents, teachers or other school staff. A student’s education record generally includes demographic information, including race, ethnicity, and income level; discipline records, grades and test scores, disabilities and Individual Education Plans (IEPs), mental health and medical history, counseling records and much more.
Under the federal Family Educational Rights and Privacy Act (FERPA), medical and counseling records that are included in your child’s education records are unprotected by HIPAA (the Health Insurance Portability and Accountability Act passed by Congress in 1996). Thus, very sensitive mental and physical health information can be shared outside of the school without parent consent."
Even as your child, an unwilling pawn,  simply clicks "3" on some educational software game in the classroom, data is being collected and disseminated. Not only may their results be collected (as in "got 8/10 multiplication problems correct") but their browsing behavior is collected for non-education reasons- for profit- to help target advertisement as explained here.  
Your child's test scores, in fact their entire academic record, are "uploaded" and can be given or sold to "educational" people and organizations. Your child's behavior record , any school counseling, and all medical records that the school has are included as well. Special Education students have a plethora of private data in their IEPs which is, you guessed it, available to those who have a justifiable reason (a loose meaning of the term) to access it.
And to repeat a very key point, your child's information can legally be shared outside of the school without your consent
Much of this data is part of the SLDS or Statewide Longitudinal Data System, which can be summed up here, and it is actually far more than it seems to be. One might envision a "virtual transcript" for each student, but it aims to collect far more for far longer, as part of the SLDS- linked P-16 (a.k.a. P-20, B-20, P12), a literal cradle to the grave data set on each child. Just google P-20 and you will find more information than you need, from most every state, school district, and college in the nation. Wikipedia does a satisfactory job of summarizing it very briefly here; there is far much more to explain and learn if you wish. One key point is that it states each child has a unique, secure identifier to NOT link the data to the person, but many schools do not know how to encrypt student data (not to mention the risk of "hackers"), mentioned here- student data should be, and often is, encrypted, but there is no law in place to ensure it is encrypted.
So what data is indeed being collected? Every state, and indeed every school collects different information, but any information collected by the school in any form can easily be part of the data set. The CEDS or Common Educaton Data Standards list all sets of information which can be collected on students, and disseminated to employers (a.k.a. the workforce), colleges, research organizations, curriculum/textbook companies, school staff, government employees (such as those in health or education departments) to name a few. The CEDS "list" of data is here  and here (a blog post of mine)  through California's SLDS called CALPADs,  and includes parameters for data on your child such as; 
* class start time
* home address
*family income
* disciplinary record including perpetrator, witness, and victim information
*  developmental delays and programs offered thereof
* prenatal care information and gestational age at birth/birth weight
* incarceration data  (a blog post of mine mentions this, look for FETPIP in a graphic here
* Bus stop place and time
* religious considerations
* height, weight, other physical identifiers

I just ask all readers to think: If a school doesn't encrypt this data (therefore it connects your child's name to all this information) or someone "hacks" this data, are you comfortable with that data "out there"? In a best case scenario, are you comfortable with this data being collected on your children? Do you feel your prenatal care information, mental health data, etc should be provided to your child's future employer, a textbook company, a university student collecting data?