Privacy Questions Mount After DC Exposes 12,000 Students’ Data


Washington, D.C.’s Office of the State Superintendent of Education announced that the private data of approximately 12,000 of the District’s public school students was erroneously uploaded to a website and was accessible to the public for several hours.

This information was made known through a memo sent internally, and the children’s data was taken down on the same day, writes Perry Stein for The Washington Press.

Education officials said the information was accidentally uploaded to a D.C. Council public Dropbox account before a council hearing on the education department. All of the students are part of the Individualized Education Program in which students with special needs are provided with personalized education plans.

The 12,000 young people attend public and charter schools and are in K-12th grade. The data that was made known included the individual student’s assigned school, identification number, age, race, disabilities, and additional services that the student receives.

“I am deeply disappointed by this situation,” Hanseul Kang, the state superintendent of education, wrote in a letter to colleagues Tuesday. “Our families deserve to know that their students’ personal information is being kept confidential and secure in the education system.”

In the District, the position of superintendent is distinct from D.C. Public Schools. The Office of the State Superintendent is in charge of federal grants, standardized tests, and compliance with federal laws. A spokeswoman for the office, Patience Peabody, said the office had concluded that the document was downloaded from the website by a community organization. The group has agreed, at least verbally, to delete the item from their network.

Now a further investigation will begin to discover who is responsible for the upload of the data. The superintendent’s office established a hotline to address parent, family, and community questions concerning the posting.

In a March security breach, District officials released an Excel file to the news website BuzzFeed following a Freedom of Information Act request. It unintentionally included enrollment data and information about students’ suspensions and expulsions and other disciplinary actions.

Reuters’ Dado Ruvic said there was yet another leak that lasted from 2010 to the beginning of 2015. The data included private information about special education students that had remained accessible online for all five years.

“As you know, we have taken significant steps as an agency over the past 11 months to better protect our student data, but they are clearly not enough,” Kang wrote in Tuesday’s letter.

Students have increasing amounts of digitized school work, and computers have become as common as paper and pencils in the classroom, which has made student data increasingly vulnerable. The Electronic Frontier Foundation (EFF) filed a complaint in December with the FTC against Google alleging that the search/advertising company had collected students’ Internet search data and personal information.

Ethan Harfenist, reporting for Vocativ, quoted EFF Staff Attorney Sophia Cope who advised in a statement that:

“We commend schools for bringing technology into the classroom. But devices and cloud services used in schools must, without compromise or loopholes, protect student privacy.”