Delta inadvertently releases student information to The Collegian

6217
0

In a response to a public records request by The Collegian, Delta College inadvertently revealed private student information and educational records of some of the student body.

The Collegian requested public records on information related to the rollout of the MyDelta system in an email directed to Delta administration on Aug. 29. The Office of Human Resources and Risk Management provided the records on Nov. 4, 67 days after the initial request. In total, 2,386 pages were disclosed.

Among these were several emails between employees of Delta and Highstreet IT Solutions LLC, a third-party company implementing the MyDelta system, that revealed detailed information regarding students with names, identification numbers, and, in some cases, course grades, grade point averages, home addresses, waiting list registrations dates, Delta email addresses and a student transcript.

One student’s profile revealed goals, probation status and assessment levels for composition, mathematics and reading skills.

Overall, information for 86 students was exposed to varying degrees.

Students’ personally identifiable information was never part of The Collegian’s request.

DeAnna Solina, Vice President of Human Resources and Risk Management, said it was an oversight. After rechecking the emails in question, the department realized it had incorrectly assumed the fields were filled with “dummy” information — fake student information used for the purposes of working with a third-party company to understand the new system. The information was indeed real, and students’ educational records were used in conversations between Delta and Highstreet.  

“Unfortunately, within an email chain between District staff and our consultants, describing the process to access a class roster, was an embedded screenshot of a class roster including about a dozen student names and their student number, and four unconfirmed phone numbers. One example included a student profile with an address and class selection,” Solina wrote in a follow-up email to Collegian questions.

According to Solina, the mistake occurred because the department worked to comply with the request in a timely manner. In hindsight, she said, a more thorough review of the 2,300 pages of documents was needed before turning them over to The Collegian.

“The Administration and Human Resources takes the protection of student information very seriously and staff are trained on this protection,” Solina wrote in the follow-up email. “Missing this information was a regrettable oversight within the voluminous responsive records.”

According to Mike Hiestand, senior legal counsel at the Student Press Law Center located in Washington, D.C., Delta’s act is a violation of the Family Educational Rights and Privacy Act (FERPA).

“This is clearly a FERPA violation. This is exactly the sort of  student  academic information that FERPA was actually designed to protect,” said Hiestand. “Anything that is clearly tied to a student’s academic life, transcript and GPA … this an education record, very clearly. I think they have violated  FERPA in this particular instance by releasing students’ education records that clearly identify specific students.”

There are a few exceptions to this rule.

FERPA allows personally identifiable information from students’ education records to be accessed by third party providers in order to deliver the agreed-upon services on the condition that such party will not permit any other party to have access to such information without the written consent of the adult student.

The California Public Records Act gives public institutions a 10-day window to either provide the requested documents or a reason for denial.

The initial response by the administration to the records request came on Sept. 5 as an acknowledgement, with no decision regarding the disclosure of public information.

After prompting by The Collegian, Delta responded to the request with an explanation that the disclosure had been delayed due to their examination of “the voluminous amount of separate and distinct records that [were] demanded.” Delta planned to fill the request by Nov. 4.

Jim Ewert, general counsel for the California News Publishers Association (CNPA) reiterated the purpose of disclosing public information and the responsibility of the organization delivering such records.

“Any request for information that’s provided to a local agency is presumed to be disclosable information unless an exemption applies,” said Ewert. “Because the Public Records Act requires schools to segregate exempt from nonexempt information, the school is not absolved from providing information that is being sought but only exempt information that is recognized under the law.”

Solina pointed out Delta’s commitment to fulfill the Collegian’s request, although it took a lengthy period to fulfill.

“Public Record Act requests come out of here all the time and it’s generally for very standard collated data on information, with number of applicants, just the numbers, but not asking for things to this level of detail. There is not usually ever any ability to receive any kind of information to this kind of detail,” said Solina.

FERPA is itself a vague and sometimes confusing law, according to Hiestand, with harsh punishments for violations that are rarely enforced.

“FERPA is a misunderstood law, there is no private cause of action under FERPA. The only time a school is supposed to get punished by FERPA is by a drastic consequence.  It’s a restriction to all federal aid, which is a nuclear option really.  If you actually enforced FERPA’s penalty against schools, then you would actually put them out of business. It’s really supposed to be imposed against schools that make a policy or habitual practice of releasing student’s private information and educational records,” said Hiestand.

Hiestand believes FERPA needs a major overhaul due to its draconian style of punishment.

“There needs to be some sort of middle ground in terms of damages or penalties that are assessed. To this date, there has been no school in the country that  has ever had all its  federal funding  cut due to a FERPA violation. I think by having a more reasonable sort of penalty brought to bear just needs to  happen,”said Hiestand. “If students are concerned with their FERPA rights, the only thing a student can really do is file a grievance with the Department of Education.”

The U.S. Department of Education offers a guide for students who contend that their privacy rights have been violated.  The procedure to file a complaint can be found at bit.ly/complaintFERPA.

According to Solina, Delta plans to reach out to all students affected by the disclosure.

“Human Resources requested the record be returned for proper redaction to ensure no further disclosures happen, and will ensure each student is notified that their information was shared with The Collegian,” Solina wrote.

FERPA EXPLAINED

The Family Educational Rights and Privacy Act (FERPA) is a federal law passed in 1974. 

It requires that institutions keep students’ grades, enrollment and billing information private unless the school has specific permission from the student to share them.