October 17, 2021

School Data Breaches: A New Trend Coming to a School Near You

Below is a guest op/ed by Anne Taylor a mom in Minnesota who is concerned about student data breaches in her local school district.  This is a problem that is not limited to Minnetonka, MN or even the state of Minnesota however.

School Data Breaches: A New Trend Coming to a Minnesota School Near You

Many school districts are beginning to implement the usage of technology by way of school issued iPads or chrome books. The Minnetonka school district has been implementing the distribution of iPads to its students from 7th-12th grade at no additional charge. The only recommended ‘charge’ to families is a non-refundable $40.00 insurance fee due at the onset of picking up the iPad. According to Minnetonka High School principal Jeffery Erickson in an email he states, “The iPad is considered an integral part of the educational experience and is utilized daily. It is really how we do business.”

In working with the “21st Century” movement towards increased technology usage in classrooms across America, one has to wonder if their child’s identity is being protected. We hear about breaches with Target, Fairview Hospitals & Clinics, Cub Foods, and most recent JP Morgan and Home Depot, but has anyone considered their families information going viral and through their trusted, chosen school district?

Like many of us who use and rely on technology daily, I am eager to say that I come in with a little hesitancy when it comes to our schools usage of technology. Let me explain to you why.

In winter of 2011, our family transferred from a private school to the Minnetonka school district. Within a week upon entering the district, it was noticed that two other children appeared on my family’s private electronic school account called “Skyward”. These were children I did not know of, nor were related to in any way. I was able to view the children’s first and last names with middle initial, date of birth, graduation year, school status, student ID, age, gender and language spoken. I also had access to view the children’s vaccination records and had access to phone numbers.

During that time email addresses of families in my contact information also appeared on Skyward that I never submitted to be recorded. I was told by the district that the system could not be changed as it automatically links up Minnetonka’s Community Education with the Minnetonka school district – regardless of whether that family or child(ren) attend the school in the district. In other words, enrolled or not, if your family took a community education course, that information is shared and may be linked up in your personal contacts (emergency contacts, for example).

While handing in the following year’s health forms, I began to express concern over what took place the previous school year with Skyward to the school’s front desk personnel in the PARA department and was surprised to learn that my situation with Skyward was not unique. There was a sincere, verbal acknowledgement and apology by staff and was told this actually happened frequently over the summer to other families.

Upon confronting superintendent, Dennis Peterson, I was told staff denied ever making such comments. Principal David Parker of Groveland elementary also denied recalling events around

my situation even though I clearly recall him stating to me personally before front desk staff that my situation was “a fluke” and was told the other parent wouldn’t have seen any of our family records. I also remember him calmly informing me “not to worry” as the other family was no longer in the district. Mr. Parker then apologized and admitted my situation violated privacy laws.

I was told in emails and in person by the district Superintendent that I made allegations and accusations about my situation. That was further from the truth when I presented the district with original documents and emails I had printed off indicating the actual names of the two children and their personal information.

In a follow up response from the district, I was told “(I) never actually saw the records of another Minnetonka student because they never enrolled in (the) district. (The district has), however, taken steps to make sure this type of mixup never happens again.” I was informed that my circumstances were “incredible” and that another mother under the same name as mine with the same middle initial had actually begun the enrollment process of her two children – an incredible circumstance indeed.

So in late August of this year, just prior to school beginning, you can imagine my surprise when I learned the district came out stating there was an “Important Notice” regarding my school log-in account. During what’s called a parse process, the district made it known that several email addresses of families of the Minnetonka school district had been shared electronically district wide. This information was part of a 90 page email disclosure, with personal email addresses explaining the new process on how to access their Skyward system, as they converted to a new system called “My Minnetonka Single Sign-On.” My email address just happened to be listed among approximately 80 other family email addresses of which the district considers to be private information.

Directly related to this and nearly 12 hours later, another email was sent by the district informing families that my email address was shared with “some other Minnetonka School District parents” and that no passwords, security questions or other private data were shared, but that the sharing of email addresses are considered private data by the district. And if there were additional questions or concerns about this incident, families were instructed to fill out a form where they will share information with staff and respond within the coming days. What was the form? A Survey Monkey questionnaire with three questions: (1) “Do you have a question, comment or request to change your primary email?” (2) “To request a new primary email, please type the NEW email address here. Our Family Helpdesk will contact you to verify security questions before making the change.” (3) “How Can We Contact You? (name, email address, daytime number)”.

For those of you who think when filling out a Survey Monkey form that your answers are anonymous or confidential, they are not. I want to inform you of the reality of these forms. I worked for a nonprofit as an AmeriCorp VISTA (Volunteers In Service to America). While it was our job to recruit and maintain records of volunteers, it was also our job to conduct surveys on a regular basis. As an administrator of the surveys, specifically using Survey Monkey, we were able to look up who was actually answering the questions and how. So, if you think your answers are anonymous or confidential, they are not. One begs to question how a survey will answer a breach. Needless to say, I declined to take the survey.

And speaking of surveys, since classroom time is so precious, can we really use 1 hour of regular class time for our students and children to fill out surveys? Especially when we don’t know where the information goes? These surveys begin as early as 5th grade and extend into high school and are given by the Minnesota Department of Health or another local company such as “Search Institute” in the name of assessing student attitudes and high risk behaviors. There are approximately 140+ questions and ask anything from who the child lives with, grades, work wages, IEP, free and reduced lunch programs to abuse, sexual partners, birth control, smoking, alcohol and drugs, even tanning bed usage. While it is said that these surveys are anonymous, it is not clear whether they are confidential. That being said, the results of these surveys, particularly state surveys, are sent to the department of health. If you are not seeing the light yet on breaches, just wait as there is more.

Often, when students are asked to do these surveys they are accessing them using their personal school ID code which links to their personal family account. Anyone with common sense knows the information is completely traceable. What if the student, or your child, was goofing off and thought it would be funny to answer that they smoke pot every day? Well, it’s now on their record. This is where it becomes your option, and duty, to opt your child out of both tests and surveys. This allows you to take them completely out of this system, and no school or administration can deny you of doing it. It is about the protection of your child and your family.

Sadly, this and other critical factors were missed in the interview with both Lakeshore Weekly and Sun Sailor, two local papers of the Minnetonka area.

While both authors stepped up in reporting this important issue, below are points that are critical to understanding what is at stake for families and their children nationwide regarding the collection of data in our schools. It is rather astonishing to hear a Superintendent merely brush off this instance by stating: “Most [parents] were OK with what happened; it was an unfortunate situation and we do not want that to happen, it shouldn’t happen, but they were understanding.”

Why be concerned? The complete lack of control our schools and government have over this private information. Last year Jim Ragsdale, former Pioneer Press state Capitol reporter and most recently quoted in Glenn Beck’s book on Common Core “We Will Not Conform,” wrote an article for the Star Tribune, stating an audit revealed that the Minnesota Department of Education (MNDOE) lacked “adequate internal controls” as well as comprehensive security plans for private student data. Also, the MNDOE failed to document where private data was held or the internal controls needed to secure it. Who can see your families’ data? According to the rewrite of FERPA from 2012 (Family Education Rights and Privacy Act), ANYONE, including any 3rd party group or person granted access by the district or school.

Another grave component is the State Longitudinal Education Data System, better known as “SLEDS.” On the surface, SLEDS is designed to help districts, schools, and teachers make informed, data-driven decisions with the intention of improving student learning. It is a free application provided to schools to access the district’s Student Information System (SIS). It provides districts, schools, and teachers with access to historical data, including Assessments, Attendance, Enrollment, Courses, and Grades that began as early as 2006-2007 school year.

On April 14, 2010, the Minnesota P-20 (pre-K to workforce) Education Partnership adopted the following governance structure for the SLEDS system. Minnesota developed the P-20 statewide longitudinal education data system (SLEDS) and is jointly managed by the Minnesota Office of Higher Education and the Departments of Education in conjunction with Employment and Economic Development. The system matches student data from pre-kindergarten through completion of postsecondary and into the workforce, thus allowing educators and policymakers to answer a range of program and policy questions that can be used to gauge the effectiveness of programs and design targeted improvement strategies.

When I read this, I think guinea pigs.

Some might be taken in by the overzealous need for closing the supposed Achievement Gap that runs deep in our state. With the constant barrage of standardized testing – some districts are doing them 4-5 times throughout one single school year – one has to wonder when teachers actually have time to teach? The endgame here is the cradle to career mined shadow that will ultimately track and remove individual, unique freedoms based on a forced system of control. Add to that our state placed into law “The World’s Best Workforce.” We cannot allow this to be our countries end game, and most especially our children’s.

Ask yourself if this is who you want access all your families expected private data? This is in OUR American schools! Should schools be viewed as a business (and yes, they are), ask yourself then if this is even remotely ethical.

So, the next time you meet up with your child’s teacher or guidance counselor during school hours and are asked to hand over your driver’s license, think about your Constitutional right – not ‘policies.’ For example, the machine schools use to photograph your license in exchange for an ID sticker to enter your child’s school is data that is being collected and stored. Often parents are sold that districts swipe driver’s license information in the name of preventing sexual predators from entering the building. While it may be the school’s policy, considering the recent breach of private data, is it in your best interest to continually have your data researched, potentially getting into the wrong hands?

I see a new kind of data breach that will be affecting millions of our children and its families and I am concerned we are closer to it than we think.

Share
Source: