Several years ago, student privacy legislation was introduced in the New Hampshire Senate. I was the only person in the room supporting privacy protections for New Hampshire students. Ed Tech lobbyists were there to protect their profit stream. I was warned that the Ed Tech vendors would send their lobbyists to fight for their interests, so I was prepared. But when you are one person, your voice can easily be drowned out by the high priced lobbyists representing the technology industry.
I testified in support of student privacy, but I also watched as the elected officials chatted with the tech lobbyists in the hallway; that’s how it works. Deals are made while legislation is watered down.
Fortunately New Hampshire has better privacy laws on the books compared to other states because we do have legislators who understand what’s important. But the privacy laws still allow personal data on children to be shared with Ed Tech vendors without parental consent. So when Senator Hassan was featured on WMUR about the PowerSchool hack, I felt it was necessary to let the reporter know more about this important issue:
Dear Ms. Litterst,
After watching your report on WMUR concerning PowerSchool, and the data breach, I wanted to share additional information with you.
Prior to the announcement from PowerSchool on the data breach, I contacted the Superintendent in SAU21 about a lawsuit against PowerSchool. If you read the allegations, PowerSchool was accused of selling student data. Here is a link to the lawsuit: https://edtech.law/wp-content/uploads/2024/05/complaint-powerschool.pdf. As you can see there are some serious allegations, and what one would consider, violations of student privacy.
New Hampshire laws do require action when there is a data breach, but if Ed Tech vendors are giving the personal information away, or selling it, that doesn’t seem to generate much concern. Why does it take a breach of data to get attention? Why is no one concerned about PowerSchool sharing this personal information?
On page 44, the court document explains why PowerSchool believes they do not have to obtain parental consent when sharing student data. https://edtech.law/wp-content/uploads/2024/05/complaint-powerschool.pdf. Bain Capital claims that sharing the personal data is legal: https://www.aol.com/lawsuit-accuses-bain-capitals-powerschool-102801165.html So it’s not ok for hackers to access personal data on someone’s child, but it’s ok for PowerSchool to share the personal information?
It’s my understanding that schools continue to use PowerSchool in New Hampshire. If that is the case, you can see that nothing has really changed. A data-breach allowed unknown hackers to access student data, but according to the lawsuit, there is plenty of personalized student data that is being sold: (Line 19)
“3. PowerSchool, without effective consent, collects, stores, analyzes, and shares
students’ sensitive data, which it acquires through its educational technology products that it sells to
schools and school districts. The information PowerSchool takes from students is virtually
unlimited. It includes everything from educational records and behavioral history to health data and
information about a child’s family circumstances. PowerSchool collects this highly sensitive
information under the guise of educational support, but in fact collects it for its own commercial
gain.”
While New Hampshire has some of the strictest laws on student data privacy, we can still see that even without a breach, Ed Tech companies claim sharing student data is legal: https://www.aol.com/lawsuit-accuses-bain-capitals-powerschool-102801165.html
To understand why they believe that they are sharing this sensitive data legally, you have to go back to when the student privacy law was changed. The Family Education Rights and Privacy Act FERPA has been weakened by adding a loophole so this sensitive information can be shared without knowledge or consent by parents or the students.
From Parent Coalition for Student Privacy: FERPA:
It forbid any educational agency, institution or school from disclosing personally identifiable information (PII) from a student’s educational records to any non-school official — even other governmental agencies — without parental notification or consent.
But in 2008 and again in 2011, FERPA was radically revised by the US Department of Education – without any vote or authorization from Congress.
Today a student’s education records are shared with for-profit Ed Tech vendors without parental consent because of a FERPA loophole. FERPA once protected these records but due to FERPA exceptions, this sensitive data can now be shared. If politicians and school personnel really cared about protecting student data, they’d require informed consent from parents before any data was shared.
Senator Hassan saying that technology vendors have to improve their security measures would help when it comes to actual data breaches. But what about all of the data vendors are sharing? I have to wonder if Senator Hassan has a clue about where the problems really exist.
How can student data be secured? We can do that several ways. Senator Hassan can propose legislation to remove the exceptions that were added to the FERPA law. Then parents would have to consent before these vendors could access student data. You can expect Tech lobbyists to flood that hearing to oppose going back to real security measures.
State legislators could also require parental consent prior to the sharing of student data with Ed Tech Vendors, and restrict their ability to share data without parent consent.
School administrators can also do more to protect student data. They can look at changing the privacy protections before purchasing Ed Tech products. The privacy protections that currently exist are woefully inadequate. Vendors will claim that they are protecting student privacy by following the FERPA law, but even if they follow the law, the loophole allows them to violate a student’s privacy rights.
If you pursue this story any further, I wanted to make sure you were aware of all of this. I believe many schools continue to use PowerSchool right now. And as you can see from this link to PowerSchool, they have an agenda to collect massive amounts of data on children from preschool to the workforce:
Recently, PowerSchool introduced Connected Intelligence, the first commercially off-the-shelf P20W platform for K-12. Powered by Snowflake, Connected Intelligence P20W allows education and government agencies to securely unify, integrate, and access all source system data in a state-specific data cloud. This provides insights into previously siloed, underutilized, and inaccessible data with unparalleled ease.
See more about the State Longitudinal Data System here.
Maybe parents are not comfortable with the government, or Ed Tech vendors, collecting, storing and even sharing this sensitive data on their children. Someone suggested that New Hampshie eliminate its SLDS. We the People voted to recognize our privacy rights, amending our constitution [Art.] 2-b. [Right of Privacy.] An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.
December 5, 2018
All of this government and vendor data mining appears to violate a student’s right to privacy. What Senator Hassan suggested doesn’t address any of the real problems that currently exist.
Sincerely,
Ann Marie Banfield
Parental Rights Advocate and Researcher
