The Virginia Center for Innovative Technology (CIT) sponsored the Virginia Longitudinal Data Systems (VLDS) Insight conference, at George Mason University, on June 26, 2013.
The purpose of this e-mail is to review, at a high level, topics that were discussed at this meeting, as they relate to the design, use, and security surrounding the VLDS.
A large portion of the agenda was devoted to addressing VLDS privacy and security concerns. Clearly, managers, who are responsible for the design, development, and implementation of VLDS, are sensitive to citizens’ repeated charges that VLDS collects individual personal, private student information and communicates that information to a national database. They made it clear that this is not true, nor is the system connected in any way to Common Core State Standards (CCSS). They even went so far as to print three “myths” surrounding the VLDS, which they wish to dispel.
Myth 1: VLDS is not part of the Common Core State Standards Initiative
Fact: VLDS is a program of Virginia state government agencies, and Virginia does not participate in the Common Core.
Myth 2: VLDS is part of a system to provide personally identifiable data to the Federal Government.
Fact: VLDS does not collect data. VDOE, for example, does not provide student-level data to the US Department of Education (USED) or any other federal agency. The Commonwealth is not participating in any project to create a national or multi-state database of personally identifiable student information.
Myth 3: VLDS collects highly private information like religious affiliation, political affiliation, voting records, and medical/psychological information.
Fact: VLDS does not collect or warehouse data at all, personal or otherwise. VLDS participating agencies do not collect data on the religious or political affiliations or voting records of its citizens.
These points were emphasized both by Bethann Canada, Director Educational Information Management Systems (Virginia Department of Education) and Kathleen Styles, Chief Privacy Officer (US Department of Education) in their presentations.
From the educators’ perspective, VA DOE sees itself as developing a system that will help them better understand student performance and prepare the students for the workforce. From their viewpoint, the data that they are collecting will be provided to researchers, who can use the information to perform quantitative analysis that shows correlation between educational programs, student performance, and workforce readiness. The educators are adamant that this information is privately protected through a process, which they referred to as de-identification, which accomplishes two purposes: (1) it replaces student unique information with a randomly generated primary key that is used by both the resident database and the recipient database so that specific student data cannot be attributed to that student and (2) data extraction procedures, enforced by the security policy of the existing information systems in which the required data resides, limit the ability to query and access private data to specific individuals who have a defined “need to know.” They also assert that this information complies with all federal and state privacy laws and good practice. Last, they state that their approach to building this model and processing data through it is governed by what they call a “federated” governance policy, which they claim is unique to Virginia and is now being adopted as a model by other states.
In a nutshell, the designers of VLDS are asserting that VLDS does not replicate data from native systems, warehouse it in another place, and allow third parties to build queries against that replicated database. Instead, the user builds a dynamic query, using a unique and secure primary key, to reach out to disparate databases in which the required underlying native data resides and retrieve the requested data without having to reference the underlying database’s primary key (which could be used to identify the specific individual to which the data belongs). Furthermore, controls have been placed on system users that do not allow the user to request such a limited set of data that the result would allow him or her to infer the identity of the person to which that data belongs.
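The design described above (a per-query random key in place of each agency's native identifier, plus a control that refuses result sets small enough to identify someone) can be sketched as follows. This is an added illustration, not VLDS code: the agency tables, field names, the `federated_query` and `deidentify` functions, and the threshold of 10 are all assumptions, since the presentations gave no implementation details.

```python
import secrets
from collections import Counter

MIN_CELL = 10  # assumed suppression threshold; the presenters gave no number

# Constructed sample records held by two hypothetical agencies, keyed by
# each agency's own internal (native) student identifier.
K12 = {f"S{i:03d}": {"program": "STEM" if i % 3 else "Arts"} for i in range(40)}
WORKFORCE = {f"S{i:03d}": {"employed": i % 4 != 0} for i in range(40)}


def deidentify(source, key_map):
    """Return records keyed by the per-query random key, never the native id."""
    return {key_map[sid]: dict(row) for sid, row in source.items() if sid in key_map}


def federated_query(sources, group_by, min_cell=MIN_CELL):
    """Join de-identified extracts; return (suppressed counts, linked rows)."""
    # A fresh random key per native id per query: it carries no information
    # about the id and cannot link one query's output to another's.
    native_ids = set.intersection(*(set(s) for s in sources))
    key_map = {sid: secrets.token_hex(16) for sid in native_ids}
    extracts = [deidentify(s, key_map) for s in sources]
    del key_map  # the mapping is discarded and never reaches the requester

    joined = {}
    for extract in extracts:
        for random_key, row in extract.items():
            joined.setdefault(random_key, {}).update(row)

    counts = Counter(tuple(r[f] for f in group_by) for r in joined.values())
    # Cells below the threshold are withheld so that a narrow query cannot
    # single out an individual.
    table = {cell: (n if n >= min_cell else None) for cell, n in counts.items()}
    return table, joined


if __name__ == "__main__":
    table, _ = federated_query([K12, WORKFORCE], ["program", "employed"])
    for cell, n in sorted(table.items()):
        print(cell, n if n is not None else f"suppressed (<{MIN_CELL})")
```

Suppressing small cells on its own does not stop a requester from subtracting two overlapping queries, so a real deployment would also have to control which combinations of queries and totals are released.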
In response to their claim that VLDS opponents have mischaracterized the nature of the system, the following observations are offered, based on presentations that were made by various speakers.
First, proponents’ description of the present state of the VLDS is accurate, as far as it goes. The VLDS is being constructed in a manner that assumes that it can only be used for a good and beneficial purpose, without delimiting its development to preclude its potential inappropriate use when and if Virginia state and federal regulations change to either allow or be forced by mandate to accept Common Core State Standards and/or changes to the Family Educational Rights and Privacy Act (FERPA). Such a scenario is not farfetched, as we have seen with federal imposition of the healthcare law and other laws which have been historically left to the states.
To make my point, Common Core State Standards (CCSS), the Longitudinal Data System (LDS), and changes to the Family Educational Rights and Privacy Act (FERPA) are analogous to the barrel, receiver, and magazine of a gun. Each may be built and manufactured separately, and as separate entities pose no threat to anyone. However, if they are assembled and loaded with bullets (data), one has a weapon which can be used for either good purposes (police enforcement) or bad purposes (armed robbery). By diminishing the potential interrelationship of these three components, the education community can state truthfully that any one component does not pose a risk. However, when a nationalized curriculum is integrated with its underlying longitudinal data system and connected to its underlying data, it becomes a tool that could be used for good or evil, depending upon the hands into which it is placed. Therefore, this fact needs to be recognized now, and an appropriate legal or state constitutional framework put in place that precludes the ability of the Federal government to assemble this weapon.
A second observation is that a difference exists between what VLDS administrators state they are delivering and what users of the system want. For example, several presenters made the point that this system will be a tool for research. However, when one participant asked what privacy regulations are in place to protect against inadvertent third-party (researcher) disclosure of data or inappropriate use of data, Kathleen Styles, Chief Privacy Officer (US Department of Education), stated they had not really explored that. Similarly, one VA DOE presenter emphasized the value of the tool in research, but readily admitted that downstream commercialization of the data could pay for its collection and use. Both of these comments should strengthen opponents’ resolve to add protections that address potential as well as real privacy issues that protect against future misuse.
Last, the present VLDS program emphasis is the use of historical information to produce what the owners of this system refer to as “report cards.” Translation: the system uses nothing but historical information to measure performance of organizational entities against past performance targets. The historical information (a lagging indicator) is not linked in any way to leading performance indicators, which would provide the capability to statistically relate current performance to future outcomes and thereby drive organizational change. So in effect, the system is a look-back system which utilizes data that is, in some instances, as much as two years old. In other words, in its present state, the system is currently designed for researchers who are looking backwards in time and not for policy makers or managers who wish to forecast future performance. When asked, the presenter admitted this was a limitation and could not state when prognostication capability would be added. It would seem to me that such a system lends itself more to “investigative” purposes than management purposes. Isn’t that what NSA’s PRISM system does?
Moving forward, I think that those who stand in opposition to VLDS must acknowledge the underlying assumption that they are not against tools and techniques that will allow the state to deliver mandated products and services effectively and efficiently. However, opponents should expect acknowledgment by proponents of the potential misuse of such a system, and both parties should demand that the state put in place conditions that will preclude its prospective use for purposes other than those for which it was designed. One possible action could be to reframe the data governance model and insert provisions that delimit the scope of the system or limit the use of individual data to state use only (no federal use allowed). Similarly, the scope of the system and its interface with federal systems needs to be bounded in Virginia law so that prospective federal requirements which might be antithetical to privacy, liberty, and other constitutional concepts are addressed by the state before they become a real federal concern. Other possibilities include:
- Institute a reporting system, similar to a fraud protection system, that notifies the individual if third-party requests use an individual’s data;
- Provide each individual with the ability to generate a random key that must be provided by the individual to a requestor before new or non-standard reports are run;
- Establish a definition of mandatory versus non-mandatory data that must be provided by an individual to receive public services. For example, a person’s political or religious affiliation is not, nor should it ever be, necessary data that must be provided in order to receive public service.
 Conference brochure, page 20