By Hollie McKay, ,
Published February 23, 2016
A federal judge’s order earlier this month that California public schools turn a trove of personal information on millions of children over to two nonprofits has parents worried and privacy rights advocates outraged.
The nonprofits, who advocate for special needs kids, say they need access to information on a state database to gauge compliance with federal law, but critics don’t believe Social Security numbers, home addresses and other sensitive records should be included. The ruling by Judge Kimberly Mueller of the Eastern District of California, grants access to data on all students enrolled in Golden State public schools at any time since 2008, a number estimated at 10 million.
“People are confused, worried and angry.”
“People are confused, worried and angry,” said Bill Ainsworth, a spokesman for the California Department of Education.
The order from Mueller, who sits in Sacramento, stems from a 2012 lawsuit filed by two special needs advocacy groups, the Morgan Hill Concerned Parents Association and the Concerned Parents Association, alleging local educational agencies have failed to accommodate children with disabilities in compliance with federal law.
The non-profits wanted to access the database for an effective analysis and claims it offered the Department various scenarios for obtaining percentages and related statistics without ever having to see personal records, but they say the Department refused. Eventually, Mueller ordered that the plaintiffs simply be able to access the entire database of student information to perform the analysis. Varying degrees of sensitive data is embedded with student files in the database.
Critics say the ruling could also potentially expose statewide assessment results, progress reports, behavior and disciplinary information, special education evaluations and records pertaining to health, mental health and medical information.
“We characterize the data release as risky, unnecessary and unprecedented,” said Pam Dixon, executive director of the World Privacy Forum. Eva Velasquez, CEO of the Identity Theft Resource Center, warned that one lapse could have “devastating consequences for California’s students.”
The Family Educational Rights and Privacy Act and the Individuals with Disabilities Education Act are federal laws in place to protect the privacy of students. The state ensures compliance with a vast database, which the plaintiffs would have access to under the ruling. Attempts to reach a deal limiting the information made available to the groups have failed.
State education officials have been inundated with thousands of calls from parents, educators and school districts over the past week, according to Ainsworth. State Superintendent of Public Instruction Tom Torlakson is a “strong supporter of privacy rights,” Ainsworth said, but now must follow the order.
"The California Department of Education has been fighting vigorously to defend the privacy rights of students throughout California, but we are required to comply with the court order in this case," Ainsworth said.
The department alleges that last year it provided the organizations with all the information from a California Special Education Management Information System database, which includes records of special education students and those being tested, but with personal data extracted. However, the plaintiffs “continued to seek students information” in a database containing personal details, according to education officials.
Angry parents lashed out at California Concerned Parents, prompting the organization to deactivate its Facebook page citing the “significant number of comments that included profanity, threatening language or veered off topic.”
The organization claims the information previously offered is insufficient, but insists it doesn’t want sensitive data such as Social Security numbers. Officials said no information has been turned over yet, but that it will be handled with discretion when it is.
“The information has not yet been released to them and they have yet to be told the day of the release,” Christine English, vice president of the California Concerned Parents, told FoxNews.com. “The information will never be released to the association, only to their attorneys and consultants – less than 10 people. Every possible precaution is already under way to safeguard the data.”
The non-profit insists that it requires data about every student in California -- not just those with disabilities -- so that it can make such determinations as whether a disproportionate number of certain ethnicities receive certain services and to test CDE’s contention that its educational programs are compliant with state and federal law.
Mueller’s order addressed security concerns by barring distribution of the data outside the parties involved and ordering that the group “return or destroy” as soon as it completed its analysis. Mueller also appointed a magistrate and a special master to ensure compliance with all aspects of her order.
Still, there is no way to ensure against a data breach once the information is turned over, according to attorneys who followed the case.
“I’m shocked that the court would allow this type of disclosure that would be a treasure trove for identity thieves,” Beverly Hills-based attorney Troy Slaten said. “Identity thieves already preyed on minors because they tend to have clean histories.”
Fellow attorney Rosa Noyola agreed, noting that even large corporations with sophisticated security measures have been susceptible to hacking and leaks.
“If Target and BlueCross can fall victims to security breaches, how is a non-profit, with presumably limited resources, able to ensure that personal information is kept secure?” Noyola said.
Parents, guardians and former students now over the age of 18 have until April 1 to register their objection to the disclosure by submitting a request to the court either in a letter to the court or by printing out and mailing a special form. It is not clear if doing so would create an automatic exemption.
Still, critics say the process for objecting has not been made clear, and Ainsworth was dubious that information on those who opt out could be removed from the database.