"I think it's totally illegitimate to take kids' data without parental consent," said Leonie Haimson, a parent activist and executive director of Class Size Matters, a nonprofit organization that wants smaller classes in New York City's public schools and the nation as a whole. "If these exact same records were in a doctor's office or hospital, it would be illegal to collect them without parental consent," she told InformationWeek in a phone interview.
Haimson has taken special aim at inBloom, a nonprofit startup funded by the Bill & Melinda Gates Foundation and the Carnegie Corporation of New York that seeks to be a vendor-neutral data service to collect student data gathered in many different software systems and services.
Haimson and others worry inBloom and other efforts using student data -- such as the Ed-Fi Alliance, the Michael and Susan Dell Foundation-funded education data integration initiative -- may ultimately feed sensitive, personally identifiable information to for-profit companies. They also worry about accidental release of the data through, for example, hacking.
For its part, inBloom states in its FAQ that the company "has no ownership of student records." It continues: "Neither inBloom nor any other participating agency or vendor may sell or share confidential student data" unless "authorized by a state or district with legal authority over those student records."
[ For another take on student data issues, read Hope Battles Fear Over Student Data Integration. ]
Vendors of data collection, analysis and sharing platforms in education routinely say they are sensitive to privacy concerns. Personally identifiable information (PII) is programmatically anonymized for this very reason, they say.
But the critics aren't convinced.
"You can always put it back together, nothing is really ever anonymized," said Sheila Kaplan, who has been monitoring regulations around student directory information for years. Kaplan's website, Educationnewyork.com has become a clearinghouse for news and information about the topic.
Suspicions also involve the specific types of data being collected.
For example, Haimson wonders why inBloom needs to collect so much "incredibly individualized data," including a student's address, disciplinary history and special-needs status.
In April, InformationWeek asked inBloom about reports that its data set would include social security numbers. An inBloom spokesperson responded:
inBloom discourages districts and states from storing social security numbers in our data service; instead we agree with the industry-wide best practice many school districts and states have of assigning a unique student ID number that is separate from the student's social security number. That said, it's ultimately up to each school district or state to decide whether or not they track and store student social security numbers.
"That's a cop-out," Joel R. Reidenberg, a law professor and founding academic director of the Fordham Center on Law and Information Policy at Fordham University School of Law, told InformationWeek in a phone interview. "InBloom includes [the social security number] as a data field, and if they didn't include it, schools would have to use something else. The choice of data fields is a policy decision."
Separately, inBloom has said its data privacy and security protections exceed Family Educational Rights and Privacy Act (FERPA) requirements. FERPA is a decades-old federal law that protects the privacy of student education records and provides parents certain rights to their children's education records.
But FERPA itself has been the target of privacy activists.