Protect Illinois Students' Privacy

Update: As of 2/25/14, the state board announced that Illinios has no plans to move forward with inBloom.

The Illinois Department of Education plans to help corporations profit from schoolchildren’s most sensitive and confidential information without even obtaining parental permission. Illinois is one of five states committed to planning to share personal student data with inBloom, Inc. a corporation funded by the Gates Foundation. This information—including your child’s name, home address, email address, test scores, racial identity, economic and special education status, and detailed disciplinary and health records—will be stored on a “data cloud” and shared with for-profit companies, without any guarantee that the information will be safeguarded.

inBloom is being pilot tested in Normal and Bloomington school districts and will be expanded throughout the state unless we stop it. Already four out of the nine states that originally planned to share data with inBloom have pulled out because of privacy concerns and extensive parent protests.

FAQ:

What type of data will be collected, stored, and shared with private companies? inBloom is configured to collect extremely sensitive, personally identifiable student data, including student names, grades, test scores, detailed disciplinary, health and attendance records, race and ethnicity, and economic and disability status. Data fields even include whether a student is pregnant, attends a religiously affiliated school, has refugee status, has been removed from his or her home by Child Protective Services, or been involved with law enforcement for an out-of-school incident.

It is difficult to understand how students would benefit from having such sensitive personal information about them shared with for-profit corporations, but it is clear that such disclosures could harm students. Sensitive information about school employees, including teacher health records and reasons for employment termination, will also be shared with inBloom.

Where is the data being stored? Is it safe? The data is being stored on a “data cloud” owned and operated by Amazon.com. In a recent survey, 86% of technology professionals said they did not trust clouds to hold their “more sensitive” data. Indeed, inBloom Inc.’s own privacy policy acknowledges that it “cannot guarantee the security of the information stored … or that the information will not be intercepted when it is being transmitted.”

With which private companies will inBloom share student data? It has been reported that technology companies eagerly anticipate “huge” profits from access to this data. As of May 2013, the inBloom website lists 22 “providers,” including huge corporations like Amazon and Dell. To date, no inBloom or Illinois representative has identified what protections are in place to ensure that students’ information will not be shared within these enormous companies, many of which have multiple divisions other than those for whom the information is intended.

Who is paying for inBloom? The Gates Foundation has provided $100 million for the project’s initial development. Beginning in 2015, however, school districts will have to pay between $2 and $5 per student per year to have their students’ data stored on inBloom. Should data leakages, information abuse, or hacking occur, school districts could be liable for compromising their students’ confidential data.

Is this legal? inBloom officials claim that the sharing of data with inBloom and private companies is legal under the Family Educational Rights and Privacy Act (FERPA). But critics charge that the U.S. Department of Education’s 2011 changes to FERPA—which now allows school districts to share sensitive student data with private contractors—violate the original intent of the law. Recently, the Electronic Privacy Information Center filed suit against the U.S. DOE for these changes to FERPA. In addition, there are concerns that sharing of personal information violates the Children’s Online Privacy Protection Rule, which was recently updated by the Federal Trade Commission. The Children’s Online Privacy Protection Act restricts the capture and use of a child’s personally identifiable information in recognition of the huge risks to safety and privacy that occur when commercial entities obtain access to it.

Do schools need parental permission before sharing children’s information with inBloom? Can parents opt out on behalf of their children? No and no. Neither the state nor the district is giving parents the right to opt out or consent before their child’s data is shared with inBloom and other third parties.

Issue: