Skip to main content

Crazy Crawfish’s Blog: Data Security Fail: John White and LDOE Up to Their Old Irresponsible Data Tricks Again

John White recently testified multiple times in front of the Louisiana House Education Committee that he has a firm commitment to student privacy and takes his responsibilities toward ensuring the department only collects data that is absolutely necessary and does so responsibly. He made the argument that without detail student level data, the Department would not be able to fulfil their reporting duties lain out by the federal government and auditing duties to ensure data is being accurately reported. When State Representative John Schroeder introduced a bill a few months back that only allowed LDOE to collect aggregated data, John White was adamant that he would not be able to adequately report to the legislature and federal government. Neither assertion is true. White also assured House members he took great pains to safeguard information and that he did not need to document all the data elements he was collecting, or what they were being collected for, but we could be sure they were only collecting exactly what was needed.

All of these claims were complete lies, but they sounded convincing to most folks and I was not asked by any Senator or Representative to debunk them, despite my numerous offers to cut through White’s BS before the session and during it. (If anyone would like to contact me I am still available.) I’ve worked with other state’s privacy advocates and Senators so I’m not sure why ours have not accepted my numerous offers. (I was told more than half a dozen times that I would be called or contacted about the various privacy bills making their ways through the Senate and House, but these promises never materialized into any actual direct correspondence. I find that . . . interesting. Perhaps folks don’t want to know the truth? But I digress.)

Last I checked Louisiana has a privacy bill that has been voted on in the House but which has not been taken up in the Senate. As this legislative session closes it appears less and less likely every day that we will get a privacy bill through the legislature and onto Governor Jindal’s desk to sign. I can only assume Jindal will sign such a bill since he has had his folks publicly support it while it made its way through the House.

This brings me to this week’s latest finding that might be of some interest to parents and legislators pondering data privacy and security issues and the promises John White made just a few weeks ago in front of cameras, parents, legislators, the press, and God. His testimony is still available to review if you care to take the time to listen. . . But back to the latest example of LDOE incompetence under John White.

Introducing the new:

Alternative School/Program Data Collection

Please forward to district alternative school/program staff.
The 2013-14 Annual Report on Alternative Education Schools/Programs is a report submitted to BESE on the effectiveness of alternative education schools and programs. Please complete the school/program overview and student roster layout provided (under Announcements to the right) by May 23, 2014
and email a signed and scanned copy of the overview to Renee Montogmery at
renee.montgomery@la.gov. The alternative program/school roster should be uploaded via your districts’ secured FTP site. For questions regarding data collection, layout/template, or FTP upload instructions, please contact Crystal Wilkinson at crystal.wilkinson@la.gov.

    

LDOE created a new data collection they want LEAs to submit by May 25th of 2014 that they introduced on May 2nd. LDOE is asking school districts to aggregate all their data for them on the first page, which is the data they really want, but they also want LEAs to submit student level data (that they already have and that was obtained more securely) via an unencrypted Excel Spreadsheet. Element H, Student Sate ID, is Social Security number for 97+% of students in Louisiana. They are having schools and districts submit this along with a student’s full name and Date of Birth to ensure if this info was stolen it could be used to obtain credit cards and apply for loans. To ensure student’s privacy rights will be violated they are asking LEAs to define students as dropouts, their discipline records, whether they were expelled, and if they are disabled.

Wow.

They did this while the legislative session is still going on.

They are doing this after they testified they don’t request info unnecessarily. (All of this info is already in their possession except dropouts – which are not final and are official produced by LDOE not school districts, and the program code.)  None of that data is necessary if they just collect the summary page which I have no objection to as long as this was only done this one year and next year the program element was collected in SIS properly.

LDOE attempted to collect this data in a wildly irresponsible way that no one would endorse as a safe or proper way to collect data (Even themselves when questioned about it.) Here is an official response from Barry Landry, official spokesperson for LDOE. I asked who was in charge or this and questioned the wisdom of doing this (in a less civil way to be sure.) The response I got back was mildly reassuring . . . at first.

Jason,

 This original form is not an appropriate way to collect this data,  [emphasis mine] and the Department has taken down this form. No information or data concerning alternative schools or programs was submitted by any district to the Department.  

 Barry

It took LDOE a few days to get back to me. (I learned they were scrambling around based on my initial inquiries and trying to get their stories straight.) I did verify they took the information about the collection down from their “Insight” portal, where they communicate with school district personnel indirectly. Per John White, LDOE staff are not permitted to talk directly to school districts on the off chance they would provide helpful information accidentally. That is not made up or even the slightest bit sarcastic. I’d tell you to ask a current LDOE staffer if this was true, but they would not be able to answer you without worrying about being fired. Instead I ask you to ask a recently departed staff member and verify.

Now, back to the data collection. I was briefly encouraged that LDOE was taking my concerns, parent’s concerns seriously for once. I actually figured they would just hold off on collecting this data this way until after the legislative session, so legislators would go home without passing any serious student privacy and data security legislation and go about business as usual. However, even I was surprised that Kim Nesmith, the creator of this data collection, immediately contacted SIS (Student Information System) vendors and denied that they were doing away with this collection, or even that they were doing away with this data collection method. She told them to continue building the reports and files less than 5 hours after I received an e-mail from Barry Landry at LDOE that “this was not an appropriate way to collect data”. The following e-mail was sent by one of the SIS vendors to their client. Apparently they were contacted around noon.

I have been in contact with the state. They have not made that decision yet. They may or may not require the file at this time. They just don’t know.

I will keep you up to date as I get more information. Please forward me the statement from Barry Landry saying they won’t need the report.

It is true they took the form down about this data collection. (at least for a few hours)  It may be true that no data was transmitted this way. What is missing is any confirmation that they are not collecting data this inappropriate way. All Barry reported to me was they took the form down (true) and that no data was transmitted this way. (I have not verified this one way or the other yet.)

When I saw this collection, I knew right away that Kim Nesmith was behind it. I verified this on my own later although, and one of the contacts listed as a contact reports directly to her, but LDOE refused to confirm this officially. However this is not the first time Kim has collected data this way. In 2011 she demanded IT collect data this way for students that were corporally punished or bullied and for identified bullies. I refused to collect this data this way because I believed it was dangerous, inefficient and stupid, however I was overruled by Patrick Dobard (currently the superintendent of RSD, then Superintendent Paul Pastorek, and Kim Nesmith.) What happened was Kim collected this data herself, but was unable to use it to build any reports so I was called in to link the hundreds of excel data files and report from them. Paul, Patrick and I are gone, but Kim remains. Kim no longer has anyone that can summarize the data, hence the summary page.

Kim is also LDOE’s FERPA compliance person in IT, the supervisor in charge of data collections and data collectors (including student data collections), and the self-titled Data Quality Director. Yep. Kim is the person who LDOE put in charge of ensuring your students’ data is treated carefully and securely, that data is reported accurately, and that school districts know what to report.

I will have more information on current issues facing the data collections department, under Kim, in future posts. I have been getting specific complaints about her from school districts for years. I’ve done my best to give LEAs information they can feed back to LDOE to fix the data problems they have been having in the wake of firing or driving off all the experienced and qualified IT staff, but it has gotten so bad that even if I get step by step instructions on what to fix Kim’s staff is unable to address any of the problems they are having. Currently they are unable to properly calculate dropouts. I believe they are also the reason LDOE gave incorrect budget numbers to the legislature at the start of the session that John White tried to vaguely explain away.

White said $35 million of this year’s shortfall is tied to having higher-than-estimated student enrollment for the 2013-14 school year.

This is the 2013-2014 school year. We have those numbers in October 2013 and February 2014. How could they have been surprised if they had the actual numbers 6 months prior to being surprised unless the numbers they originally collected were wrong?

I don’t blame Kim’s staff. With proper training and a competent supervisor I’m sure they would do fine. I blame Kim for claiming she knew what she was doing and for driving off all the people that did know what they were doing. I blame John White for promoting her, putting her in charge of our children’s data, for and keeping her around this long. This is exactly the type of situation you should expect from putting someone with a Home Economics degree in charge of Statewide data collections and data security and privacy. My degree is in Accounting and I specialized on systems accounting and design, but I would make a terrible dress maker.  Just sayin’. . .

Here are the actual files LDOE took down but probably still plans to use once the session is over unless by some miracle enough legislators start taking data privacy and security seriously enough to pass some meaningful legislation.

Copy of 2013-14 Alternative Schools Programs Data Collection Layout

Facilitating the Reporting of Alternative Programs and Schools

This blog post has been shared by permission from the author.
Readers wishing to comment on the content are encouraged to do so via the link to the original post.
Find the original post here:

The views expressed by the blogger are not necessarily those of NEPC.

Crazy Crawfish

Crazy Crawfish is the blog name of Jason France. Mr. France is a former Louisiana Department of Education employee. ...