Confidential Records Mistakenly Posted on the Internet

The Vancouver, Wash., school district has expedited a security audit of its Web site and hired a computer programmer to conduct periodic security checks, after confidential records for 6,916 students were accidentally placed on the district's public Internet site recently.

The records, for all students in grades 5-8, included each student's name, school identification number, birth date, ethnicity, school, teacher, grade point average, participation in programs such as special education, and test scores for several years.

District officials admitted that the posting was an accidental violation of federal law.

The information apparently was first discovered by a local newspaper reporter, who was researching the bounty of data on the district's Web site. He called the district to ask whether something was amiss.

The district shut down the Web site until all the confidential student information could be removed—one day after it was made accessible to the public.

Officials had to read all about their mistake in the newspaper, The Columbian, but they believe no other members of the public downloaded the information.

The data were in a spreadsheet created to help schools plan students' transitions between school levels, said Linda Turner, the director of information and technology services for the 21,000-student district. She said student information is supposed to be posted in a section of the Web site that requires authorized users, including parents, to type in a password.

But in this case, an official in the district's assessment department mistakenly posted the spreadsheet on a Web page that was intended to publicize students' overall performance on state tests, Ms. Turner said.

Because the mistake was "honest" and no apparent harm was done, the employee will not be disciplined, she said.

Caution on Software

The Family Educational Rights and Privacy Act, known as FERPA, requires schools to have written consent from parents to release personal student information.

Alice Hendricks, a Bethesda, Md.-based consultant on Web systems for government agencies and businesses, said a security audit can identify the procedural flaws that lead to the kind of mistake that happened in Vancouver.

Ms. Hendricks said Web site "authoring" software used by many organizations eases the process of adding information to sites, but can trip up inexperienced employees.

She said authoring software designed for businesses or for government agencies such as school districts should be set to give varying levels of access to different employees, and to require approval before information "goes live," or becomes accessible to Internet users.

"The only way to prevent mistakes like that is [through review by] a human being," Ms. Hendricks said.

Vol. 23, Issue 6, Page 5

Published in Print: October 8, 2003, as Confidential Records Mistakenly Posted on the Internet