Poway schools data breach: Look for new policy

Posted at 2:56 PM, May 19, 2016
and last updated 2016-05-19 18:13:43-04
POWAY (CNS) - The Poway Unified School District announced Thursday that it will develop a new policy on handling student data, following the accidental release of records of thousands of pupils to a parent.
According to the district, the parent made a Public Records Actrequest in early April for district communications that mentioned her or her children, but she ended up with two compact discs that contained information on around 36,000 students.
The PUSD said the information did not include Social Security numbers, financial data or sensitive Individualized Education Program data, but it did contain names and birthdates, student identification numbers, demographics, directory information, language fluency, and hearing and vision screening results.
A document also contained gifted education testing results -- for a program commonly known as GATE -- for around 1,750 students in the district, which covers Poway, Rancho Bernardo and Rancho Penasquitos.
The parent, Gabriela Dow, turned over the CDs and her laptop computer to the District Attorney's Office, according to the district.
"At this point, we have determined there is no danger or threat to our students -- and families -- safety or identities," according to a district statement. "No social security numbers or financial information was included, and the information was given to only one person and will subsequently be destroyed. This person has represented that she did not share the CDs or the data on them with anyone other than the District Attorney's Office."
The district said most PRA requests are handled in-house. But because of high volume, some were processed by the district's lawyers. The request by Dow, who is active in San Diego's high-tech entrepreneurial community, involved around 9,500 emails, many with attachments.
As of Wednesday, all PRA requests will be handled in-house, and protected student data will be redacted from the documents, according to the district's statement.
Poway Unified also said it would adopt a new policy regarding access to school records as soon as possible, provide ongoing training and consider other changes to make student records more secure.
Statement the Poway Unified School District Sent to Parents
Dear Parent/Guardian,
Earlier this week, we sent you a notification of a breach of student information.
The Poway Unified School District shares your concerns about preserving and safeguarding student privacy, and we want to take a moment to inform you of the results of our investigation, answer your questions, and clarify what may have been said or reported in the media.
Why did the person request this information? Explain the process of how a person gets this information.
Any member of the public has a right to request public records from a public agency pursuant to the California Public Records Act (PRA). Public records include “any writing containing information relating to the conduct of the public’s business prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics.” (Gov. Code sec. 6252(e).)
In education, business communications can include student directory information (parents/guardian names, phone numbers and addresses) and education records. However, this information is exempt from disclosure in public records act requests, due to the Family Educational Rights and Privacy Act (FERPA). Parents can request records for their own children to ensure proper placement and personalized learning, among other reasons.
On April 7, 2016, a parent submitted a broad and multi-part request for records, including “any and all documents, emails, and records containing her name and her childrens’ names.” During a query for this information, the search picked up many other students’ education records, in addition to those of the person who made the request. Because students’ education records are protected by FERPA, once data responsive to a PRA request such as this is identified, it is reviewed for any confidential information which is then redacted or removed before providing it to the requestor.
The District has received 84 PRA requests this school year, many of which were handled by District staff in-house. Beginning in February of 2016, given the large number and volume of these requests, a decision was made to have the District’s counsel review the data and redact confidential information. In this particular request, the process of pulling files included over 9,500 emails, many with attachments. Some unredacted files were inadvertently included.
Who was the data given to?
To fulfill the parent’s public records request, she received the data in the form of two CD’s. She was in possession of the CD’s for approximately one week, from May 6th to May 13th. According to the parent, she did not misuse the data or share it with anyone. Once she realized she was in possession of sensitive data, she notified the Board of Education on the evening of May 9th. District administration began investigating this matter. On May 12th we requested the parent return the CD’s to the District. On May 13th, the parent turned over the CD’s and recently her laptop as well to the San Diego County District Attorney’s office, which is still in possession of those items. Those CD’s will be destroyed. Importantly, this data was not delivered by PUSD to the parent via other electronic means or over the internet and the District did not give it to anyone else.
What and whose information was included in the data?
A March 2014 document containing the GATE testing results of 1,752 students tested. A July 2014 document including 36,443 students’ names and birthdates, student ID numbers, demographics, directory information, language fluency, hearing and vision screening results. This information is used by staff in the normal operations of school districts. Social Security numbers, financial data, and Individualized Education Program (IEP) data were not released. A January 2015 document containing 75,716 parents’ names, employers, and occupations. Given the scope of data involved, it is likely most, if not all, PUSD students enrolled during this time period and their parents were included.
What is the potential impact on our students?
At this point, we have determined there is no danger or threat to our students’ and families’ safety or identities. No social security numbers or financial information was included, and the information was given to only one person and will subsequently be destroyed. This person has represented that she did not share the CD’s or the data on them with anyone other than the District Attorney’s office. The parent has also stated that anything that could contain a trace of the information is in the possession of the District Attorney’s Office. The District Attorney’s office confirmed that the CD’s and the laptop that she reviewed the discs on have been secured. PUSD appreciates the parent’s actions in delivering the information to the District Attorney.
The District will handle and process all PRAs internally effective May 18th, 2016 and will eliminate any protected student data from the documents being requested. The District will adopt a new policy regarding access to District records as soon as possible. Additionally, the District will ensure ongoing training is provided for all personnel involved in PRA requests.
The District will continue to examine how student data is stored and shared as part of our daily work to support the success of your child. The District will consider and implement changes that will make our processes more secure.
The Poway Unified School District reiterates its commitment to maintaining the safety and security of its students.
Alert us at of any data breach that you believe has occurred.
Read the draft for PUSD’s Public Records Act policy. (Subject to Cabinet and Board revision and approval)
Read more about the Family Educational Rights and Privacy Act here.
Read more about the California Public Records Act here.
We regret this unfortunate inadvertent release of information. As stated above from our investigation, I am confident that the data was contained to one person on two CD’s. This individual turned over both CD’s and her laptop to the District Attorney’s office. We will continue to work diligently to protect the privacy of all students, families, and staff.
Mel Robertson, Ed.D., Acting Superintendent