Data Security in House Bill 487

Over the next several weeks I am going to write a few posts comparing and contrasting House Bill 487 as enacted, Governor Kasich’s midterm education bill which I sponsored, to Substitute House Bill 237. In today’s post I will discuss data mining and security.

House Bill (HB) 487 does far more to protect children from data mining than anything in House Bill 237. First off, HB 487 is now law and HB 237 still has to be voted on in the House and then heard and voted on in the Ohio Senate and then sent to Governor Kasich. Regardless, House Bill 237 is very limited in what it does to address student data protections.

Student data has been collected from standardized tests for well over 20 years.

Prior to House Bill 487, Ohio Revised Code only addressed student data as it is collected for the Ohio Department of Education. It prohibited individual student data from going to the State of Ohio Department of Education and required that each student’s data be sent via an individual identifier number. (This requirement made it harder for the Ohio Department of Education to be able to monitor data manipulation by Columbus City Schools.) It leaves third-party contractors, like Pearson, and the federal government silent as to what to do with individual data. In fact, the Ohio Department of Education’s response to the House Education Committee’s inquiries this last January about what the current contracts looked like regarding individual student data was that it was the local school district’s decision and not their problem. They have since changed their minds on this.

Below are several of the changes to Ohio Revised Code related to student data privacy which were contained in House Bill 487. House Bill 487 was signed by Governor Kasich and will be law within 90 days.

  • The sole purpose for data collected during testing shall be for measuring and improving the academic progress and needs of students, educators, school districts, and schools. The following information shall not be collected, tracked or reported to any entity including state or federal government during testing: student’s or a student’s family’s social security numbers, religious affiliation, political party affiliation, voting history, or biometric information. ORC 3301.947, page 50 HB 487
  • No student names or addresses shall be shared with a multi-state assessment consortium. ORC 3301.948, page 50 HB 487 (Not only does this include PARCC, but ANY multi-state consortium.)
  • The state board shall establish standards to provide strict safeguards to protect the confidentiality of personally identifiable student data. 3301.0714 (A)(5), Page 36 HB 487
  • Requires the State Superintendent to make recommendations by December 31, 2014 regarding safeguarding student data. Section 16, Page 246 of HB 487 (I felt a timeline was needed, anything open ended means, we won’t get it.)

By contrast below is the language in Substitute House Bill 237 and Senate Bill 237 (You can read the Substitute version of HB 237 by reading the as-introduced senate bill):

(D) If the United States department of education requires as a condition of a federal education grant that the grant recipient provide personally identifiable information of students or teachers, the grant recipient shall provide aggregate data only. The grant recipient shall not release personally identifiable information without informed written consent of the student’s parent or guardian or of the teacher.

Also in the bill,

Access to the information shall be restricted to the fulfillment of contractual obligations to process data on behalf of the school district. Such contract shall include a stipulation that the personally identifiable information shall not be shared with additional parties.

First off, why collect certain data at all? We already outlawed most of the major data issues in 487. As you can see, House Bill 237 does absolutely nothing to stop the collection of the data and it does not limit what data can be collected. It has a loophole which says that a grant recipient can give out the information if there is consent. The bill does nothing to review the existing data collection system, nor does it put additional safeguards into law to prevent data breaches and protect confidentiality in our local schools. It also doesn’t spell out a timeline for reviewing data security. House Bill 487 does.

House Bill 237 says that, “Access shall be restricted to the fulfillment of contractual obligations to process data on behalf of the school district. Such contract shall include a stipulation that the personally identifiable information shall not be shared with additional parties.” This language does not prevent the contractor from collecting and using the data themselves. For instance, how does the language stop local school districts from collecting the data in the first place? It doesn’t. So if the contractual obligation says to “collect social security numbers of the students,” the contractor collects them. I do not think this is good policy.

This issue is not over with, and we as a legislature will need to monitor and possibly continue to change the law in order to make sure that student data is protected. If, for instance, the Ohio Department of Education and local school boards find loopholes in the law, we will need to go back and correct them. I for one will be making sure the Ohio Department of Education does its job.

My next post will be dealing with Ohio’s academic standards in House Bill 487 and how we have started to rein in control from the Federal Government. I will also explain why an immediate repeal has not happened and will not work the way people think it will. 487 is not enough and I will continue to work to chip away at federal control.
