Virginia investigation uncovers widespread privacy breaches following unauthorized data disclosure in Fairfax

The Virginia department of education stated on Friday that the Fairfax County Public Schools, the largest district in the state, is facing a district-wide issue regarding the protection of students’ privacy. The agency highlighted the need for additional training of staff members who were either “not aware of the precautions that should be taken” or lacked sensitivity towards the matter.

An investigation was initiated following a complaint from a Fairfax parent and special education advocate in December. This complaint was lodged after receiving accidental data concerning approximately 35,000 students, including confidential information such as special education records, legal memos, and mental health conditions. The disclosure, originally reported by The 74 on November 1, exposed sensitive details such as the names of students involved in lawsuits against the district for alleged sexual assault and those seeking counseling for issues like depression and suicidal thoughts.

The district, which serves 180,000 students, has been given until March 25 to either appeal the state’s findings or develop a “corrective action plan.” One of the key components of this plan involves additional training for staff members, a measure that the district has agreed to implement.

Although the training was initially scheduled to commence on October 31 as per the district’s response to a previous complaint from the same parent, a district official admitted during a Feb. 6 Q&A session with a parents group that the training had not yet started. Dawn Schaefer, who supervises special education complaints, mentioned that the launch date for the training is imminent but unspecified.

In its decision, the state underscored the district’s failure to address the repeated violations, emphasizing that optimal policies and procedures are ineffective if not followed by individuals. Patricia Haymes, the director of dispute resolution at the Virginia Department of Education, ordered the district to compile a list of affected students, inform their parents, and provide regular updates on the implementation of recommendations from an independent investigation initiated by Superintendent Michelle Reid after The 74’s report.

The state’s findings corroborate long-standing concerns voiced by some Fairfax parents regarding the inappropriate sharing of confidential emails and student records within the district. While experts have commended the state for pushing for additional training, some argue that the requirements may not be comprehensive enough, describing them as “fairly lackluster.”

Amelia Vance, the president of the Public Interest Privacy Center, expressed doubts about the sufficiency of the oversight provided to the families affected by the breach of trust between the community and the district. Despite praising Fairfax’s superintendent for promptly acknowledging and apologizing for the mistake, Vance stressed the need for more decisive actions to resolve the issue.

‘A bigger Band-Aid’

Prior to this incident, Virginia officials had accepted the district’s assurances that the previous disclosures were isolated errors. However, Callie Oettinger, a parent who inadvertently accessed unredacted records in mid-October, highlighted the larger privacy concerns within the district, citing overlapping privacy violations that authorities were investigating between March and mid-November of the previous year.

Oettinger described the remedial actions as merely “a bigger Band-Aid” compared to the steps the district had committed to taking, such as involving lawyers in vetting record requests before releasing them to parents. Todd Reid, a spokesperson for the state education department, emphasized the intensive nature of the corrective action plan in aligning with federal and state special education laws to drive prompt improvements.

‘Not letting it slide’

According to a privacy expert, the increased integration of student data with new technologies and demands from parents for electronic access to records have contributed to errors like these. Steve Smith, the founder of the Student Data Privacy Consortium, recommended that districts adopt systems that minimize inadvertent data sharing. He also acknowledged that public scrutiny from parents can prompt districts to enhance their privacy safeguards.

Smith emphasized the significance of holding districts accountable for their data protection measures, stating, “I applaud parents for not letting it slide.”