Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system. On January 10, the Department announced that it would delay release of additional student data to inBloom. The delay, which the Department said is normal for a project of its size, comes after a class of parents filed suit in November and New York legislators proposed a bill requiring parental consent before sharing such data.
Initially funded with support from the Bill & Melinda Gates Foundation and Carnegie Corporation of New York, inBloom offers cloud-based storage to host and integrate student data that is commonly stored in a variety of locations. The organization claims that its services allow educators to access data from multiple sources at once and “more easily tailor” instruction to an individual student’s needs. inBloom asserts that it is in compliance with the Family Educational Rights and Privacy Act (“FERPA”), which restricts the disclosure of personally identifiable information from education records. As support for its assertion, inBloom points to a federal regulation that allows disclosure without consent to school officials for a “legitimate educational interest” and includes third party contractors as school officials when, in part, they are engaged by schools to “perform[] an institutional service…under the direct control” of the school. See 34 CFR § 99.31(a)(1).
In a time when news of data breaches seems commonplace, the prospect of storing sensitive data about children on a cloud-based system has led to significant public outcry. Education Week reports that several states that previously worked with inBloom have ended the relationships. Organizations that offer data storage or organizations that seek solutions for storing and integrating sensitive data should watch with interest as the inBloom story unfolds.