School District 833 report: Employee error cited in private student data release
The South Washington County School District has completed its investigation into an employee’s mistaken release of private data in bus information emails last month.
The investigation details how the information was released to nearly all parents and the actions the district has or will take in response.
“We understand the frustration and concern expressed by our parents and community members regarding this human error,” Superintendent Keith Jacobus said in a statement Sept. 12. “It is my sincere hope that all those impacted will see that the district has taken this matter seriously and is working to make sure this type of incident does not occur in the future.”
The data accessible in emails to over 18,000 parents included student names with home address, identification numbers, school, parent names, phone number, email addresses and busing and transportation information, including bus names and route details. No data was released on special education students who receive specialized transportation.
“The initial release of private data resulted from an inadvertent employee error but did not involve any unauthorized access to or acquisition of private data by an employee, contractor, or agent of the district,” the district wrote in its investigation report.
The investigation was conducted internally, so there was no additional cost beyond staff time, according to Shelly Schafer, the district’s communications coordinator. The district consulted with a security provider but was not charged for the information. The district also consulted with its attorneys but has not yet been billed.
Release through Blackboard
The information release occurred in emails sent through Blackboard, a contracted education communication provider the district has been using since August 2014.
According to the district, a “mail merge” option is generally used to attach student information to only that parent’s email. After employees created a general email message last month with transportation information for the 2017-18 school year, a transportation employee clicked an “attach file” button, which created a link to data on roughly 9,000 students and put it in an email. The employee thought the button was a step for the mail merge feature, the district said.
The employee used the attach file feature for two lists, each containing information on about half of the district’s students. The second email contained a link to data on over 9,000 students. The emails were sent to parents at 6:30 p.m. and 6:45 p.m. Aug. 16.
The first parent notified the district around 7 p.m. that a link to the student data was included in the email message. About 20 minutes later a district employee contacted Blackboard technical services.
The district’s investigation found that a Blackboard representative said the email contained an attachment and that there was nothing the company could do to retrieve or delete the emails.
“The Blackboard tech support representative erred when he stated that the emails contained an attachment,” the district wrote in its investigative report. “The emails did not contain an attachment. Rather, they contained a link to the data file. Had the district known that the emails contained a link, rather than an attachment, the district would have instructed Blackboard to disable the link immediately.”
District employees found out about 12 hours later that the emails did not contain attachments, but links. Staff contacted Blackboard to disable the links.
Blackboard released a statement saying the district is responsible for email content.
“We are aware of South Washington County Schools’ inadvertent disclosure of some personal data using our mass notifications solution,” a Blackboard spokesperson said. “The content of messages sent is controlled by the individual client and their authorized users. Our support staff assisted the district with rendering the data inaccessible.”
The district said it will no longer use Blackboard or another mass email notification system to send bus route information to parents. Parent Portal, a secure website provided by Infinite Campus with parent login information required to access personal information, will be used to provide that information to parents in the future.
The district has asked Blackboard to remove the “attach file” option for all district users. Also, Blackboard will provide training to district staff who use the notification, and the district will set up an annual training and review process. The district will pay for the training; a rate is being negotiated.
District responses
Since South Washington County students returned to class last week, staff have been providing elementary and middle schoolers with information about bus safety, and safety while walking to and from school.
The district has also asked principals at each school to hold parent meetings by Oct. 1 to discuss bus and walking safety guidelines.
The bus routes were renamed in August, and changes were made for any students whose parents requested a new route. The updates were sent in the mail rather than through Blackboard.
The district determined it would not need to change student ID numbers, which were released in the transportation link, because the number is only used for internal school identification and has been determined to cause no risk of harm to students. There is no financial or personal information linked with a number that cannot be accessed without a password.
A community advisory group composed of private sector data security professionals, and including a district parent, is being formed to review district procedures quarterly.
The district is consulting with Technology and Information Educational Services (TIES) to audit its systems and recommend new security protocols in order to avoid a similar situation in the future.
Some district employees will be part of a “call center” staff that will be on hand to answer parent phone calls during any future emergencies.
Since the data release, some parents and district residents said employees responsible for the release should be disciplined.
As of late last week, no final disposition of any disciplinary action has occurred, Schafer said.
State and federal laws prohibit the release of certain educational data. The district received calls and emails from parents who had questions or wanted to express concerns, but no formal complaints have been filed, Schafer said.