Is Kentucky’s On-Line Public School Student Data Going to Be Safe?

The Dallas Morning News reports that personal student data and test scores in Florida and Virginia were accidentally disclosed recently by a computer-based testing company. Texas also has a contract with the firm and is now anxiously checking to see if their student data will receive better protection.

Does this matter to us in Kentucky? You Bet!

I don’t think that Kentucky has any contracts with the firm that messed up in Florida and Virginia, but that does not mean we have no worries.

In early August, two separate legislative committees heard reports on a pair of massive education databases that are being assembled by the Kentucky Department of Education. The first of these, known as “Infinite Campus,” will make all sorts of student data available on line. Teachers will be able to access and update electronic grade books from home (or anywhere else), and parents will be able to see those grades and information about their child’s attendance, as well. Infinite Campus is also supposed to integrate with the folks who run Kentucky’s KEES Scholarship program, facilitating rapid transfers of ACT scores and high school grades to speed up the process of awarding these state-funded scholarships.

A second database effort sounds even more far-reaching. Called the Kentucky Instructional Data System (KIDS), this data management octopus will reach into many other computers located in various state agencies that nominally have little direct contact with education. Areas that may get linked include medical files and student drivers' licenses (to insure students who are failing don’t get/keep them).

Proponents of these systems, which include many state leaders from the governor on down, paint glowing pictures of how these systems will help improve the information available to policy makers and ultimately improve state efficiency. They make a convincing argument, one the Bluegrass Institute might ordinarily be happy to bandwagon.

But, on this monster effort, we see the chance for serious troubles ahead. There are shades of George Orwell’s “1984” all over this. Here are some quick thoughts:

1) The education department will be storing student social security numbers along side their own student identification numbers because the KEES Scholarship database can’t use the student numbers. There may also be plans to store a lot of sensitive data about parents – possibly including their social security numbers and income information – to determine eligibility for free and reduced cost lunches.

In this day and age of identity theft, any database that stores social security information is ripe for criminal hacking. When income information, home addresses, and telephone numbers are also available, the chance of identity theft undoubtedly becomes far worse.

2) How much student and parent data does the department of education really need? When is the amount of data kept in the hands of just a few too much information? Who decides? What are the qualifications of those who decide who gets access to what?

3) With such a hugely valuable database in hand – one that contains a tremendous amount of information about each child (information about learning disabilities, behavior, and maybe even a picture as well as age, sex, phone number and address), and which may allow access to other databases that contain an even more enormous amount of information about all of us – are there any requirements for those who have broad access to pass criminal background checks? Were any criminal background checks run on the computer programmers and the contractors who are assembling Infinite Campus and KIDS? Certainly, access to this data would be a child molester’s dream.

After all, if a parent wants to help out at school, they have to pass an investigation. Do we have lower requirements for the people controlling information that could be very valuable to the criminal element?

In any event, we are hearing lots of promises from our state leaders about security for this information. I’ll bet folks in Florida and Virginia heard the same – before their data compromise happened.

But, the mistake happened, anyway.

And, last year, a school finance person was able to manipulate the Kentucky Department of Education’s MUNIS financial accounting system in an attempt to hide illegal payments, as well. If the department can’t protect money, how confident can we be that they will successfully protect your child’s social security number – or yours?