The Vancouver, Wash., school district has expedited a security audit of its Web site and hired a computer programmer to conduct periodic security checks, after confidential records for 6,916 students were accidentally placed on the district’s public Internet site recently.
The records, for all students in grades 5-8, included each student’s name, school identification number, birth date, ethnicity, school, teacher, grade point average, participation in programs such as special education, and test scores for several years.
District officials admitted that the posting was an accidental violation of federal law.
The information apparently was first discovered by a local newspaper reporter, who was researching the bounty of data on the district’s Web site. He called the district to ask whether something was amiss.
The district shut down the Web site until all the confidential student information could be removed—one day after it was made accessible to the public.
Officials had to read all about their mistake in the newspaper, The Columbian, but they believe no other members of the public downloaded the information.
The data were in a spreadsheet created to help schools plan students’ transitions between school levels, said Linda Turner, the director of information and technology services for the 21,000- student district. She said student information is supposed to be posted in a section of the Web site that requires authorized users, including parents, to type in a password.
But in this case, an official in the district’s assessment department mistakenly posted the spreadsheet on a Web page that was intended to publicize students’ overall performance on state tests, Ms. Turner said.
Because the mistake was “honest” and no apparent harm was done, the employee will not be disciplined, she said.
Caution on Software
The Family Educational Rights and Privacy Act, known as FERPA, requires schools to have written consent from parents to release personal student information.
Alice Hendricks, a Bethesda, Md.-based consultant on Web systems for government agencies and businesses, said a security audit can identify the procedural flaws that lead to the kind of mistake that happened in Vancouver.
Ms. Hendricks said Web site “authoring” software used by many organizations eases the process of adding information to sites, but can trip up inexperienced employees.
She said authoring software designed for businesses or for government agencies such as school districts should be set to give varying levels of access to different employees, and to require approval before information “goes live,” or becomes accessible to Internet users.
“The only way to prevent mistakes like that is [through review by] a human being,” Ms. Hendricks said.
