November 26, 2021, Fairfax County Public Schools (FCPS) was found in noncompliance of FERPA (Family Educational Rights and Privacy Act) regulations by the Virginia Department of Education (VDOE). (See VDOE Letter of Findings at the bottom of this article.)
VDOE concluded that that the legal invoices at the core of the investigation, which contain personally identifiable information (PII) about children, “are maintained by the school division, therefore they are education records under FERPA and this matter is within our jurisdiction.” In addition, VDOE rejected the following argument posed by FCPS, thus acknowledging that initials constitute PII:
Under the definition of PII, information is PII if it is possible to identify a student with reasonable certainty. In this case, students E1 and E2 have a different last name as the parent, and so the disclosure of parent name does not make the students identifiable.
Although VDOE determined the matter in its jurisdiction and once again found FCPS in noncompliance, VDOE refused to place weight on the thousands of students whose privacy FCPS has breached over the past five years, and did not “characterize” FCPS’s noncompliance as systemic.
VDOE’s argument against a systemic finding is flawed. Its finding is additional evidence of VDOE enabling rather than deterring noncompliance, and is an echo of the United States Department of Education (USDOE) Office of Special Education Program’s (OSEP) Differentiated Monitoring Support (DMS) report on Virginia, in which OSEP states:
“Completely ignoring credible allegations of noncompliance is not a reasonable method of exercising the State’s general supervisory responsibilities.”
On page 14 of its November 26, 2021, Letter of Findings (LOF), VDOE states:
We note that other allegations of FERPA violations by the LEA have been made by Complainant and others over the past several years. In some cases, where we were presented with a complaint meeting the sufficiency requirements of the regulations, and our investigations resulted in findings of both compliance and noncompliance.
The complaints presented, whether sufficient or not, involved a variety of fact patterns, different individuals and/or schools, and different sources of information. In that light, given (i) the fact that the division had in place policies and procedures that were compliant with the law; (ii) the size of the division; (iii) the diverse facts, individuals and areas of the division involved and (iv) the human propensity to make mistakes, we were not inclined to characterize this as a systemic issue.
Systemic complaints typically involve a policy or practice in a classroom, school or division that has more common features. That is still lacking in this instance, and therefore, we find no systemic violation arising out of this particular situation. However, we are concerned that continuing complaints in this area could signal larger issues in the school division’s response to matters concerning FERPA or an issue with insufficient training and/or procedures. Additional actions addressed through the state educational agency’s general supervision authority will be forthcoming.
History of Complaints and Jurisdiction
I’m the “Complainant” to which VDOE referred. FCPS has violated my family’s privacy on about a dozen occasions since 2016. Of the privacy-related complaints I’ve filed, VDOE has found FCPS at fault for the majority of the complaints. The height of the violations related to my family (at least the ones I know of) occurred in 2019, when FCPS averaged a violation a month for five months.
When VDOE did not find FCPS at fault or did not open an investigation, VDOE’s reasoning often was related to jurisdiction.
VDOE vs. SPPO
VDOE can address privacy violations under IDEA for children who have an IEP, but not for children who do not have an IEP. I once filed complaints that included one of my kids who does not have an IEP. VDOE would not investigate. Lesson learned.
On one occasion, FCPS sent information to the wrong recipient. FCPS advised VDOE that it recalled the email and that the person who received the email (an FCPS employee who had no business receiving it) did not read the information.
In this instance, VDOE refused to find FCPS in noncompliance because VDOE made its decision based on whether the recipient read the email, rather than basing its decision on the fact that FCPS was at fault for another breach.
However, in its November 26, 2021, LOF VDOE changed its tune when it stated:
Regardless of the actions taken to reduce the impact of the disclosures, the violation cannot be undone.
Correct. The violation cannot be undone.
FCPS recalling emails or stating that a teacher didn’t read the emails doesn’t undo the violation.
In addition, FCPS has tried to recall emails it inadvertently sent to me and to other parents and I promise that the emails didn’t all of a sudden disappear. I still have the “recalled” emails and still have access to the attachments to the emails, too.
Parent Filing Complaint
Another exception relates to VDOE refusing to open complaints I filed that relate to children other than my own.
February 28, 2018, I sent VDOE documentation of over 400+ special education violations, to include privacy violations, that FCPS admitted to in an internal document that FCPS inadvertently provided me. VDOE chose not to investigate. (Additional Reading: “Hot Topics” and “FCPS Reports List 400+ Special Education Violations; VDOE Refuses to Investigate“.
Virginia Administrative Code §2.2-3803 (A)(1) and (5)
In 2019, teacher Chris Walton forwarded private information about one of my children to the Fairfax County Federation of Teachers (FCFT) and to her private email address on multiple occasions. In a November 1, 2019, NOC, VDOE opened an investigation into the publicly identifiable information sent to FCFT (for which it later found FCPS in noncompliance), but refused to address Chris forwarding PII to her personal email address. VDOE cited the following:
This concern does not allege a violation of special education regulations; there is no indication that an unauthorized party accessed Student’s “private information.” Violations of any LEA practices and procedures regarding staff email lie outside the scope of our investigative authority.
I emailed VDOE and asked about its decision. In the email, I cited §2.2-3803 (A)(1) and (5) to VDOE, which states:
“A. Any agency maintaining an information system that includes personal information shall:
“1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency”
“5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed.”
In a November 12, 2019, email, Kathleen Harris of VDOE responded:
Parent’s November 11, 2019, email correspondence cites the Government Data Collection and Dissemination Practices Act (Title 2.2, Chapter 38, § 2.2-3800 et seq.). We note that the Act includes, at § 2.2-3809, provisions addressing injunctive relief for alleged violations of that statute:
§ 2.2-3809. Injunctive relief; civil penalty; attorneys’ fees.
Any aggrieved person may institute a proceeding for injunction or mandamus against any person or agency that has engaged, is engaged, or is about to engage in any acts or practices in violation of the provisions of this chapter. The proceeding shall be brought in the district or circuit court of any county or city where the aggrieved person resides or where the agency made defendant has a place of business.
In the case of any successful proceeding by an aggrieved party, the agency enjoined or made subject to a writ of mandamus by the court shall be liable for the costs of the action together with reasonable attorneys’ fees as determined by the court.
In addition, if the court finds that a violation of subsection A of § 2.2-3808 was willfully and knowingly made by a specific public officer, appointee, or employee of any agency, the court may impose upon such individual a civil penalty of not less than $250 nor more than $1,000, which amount shall be paid into the State Literary Fund. For a second or subsequent violation, such civil penalty shall be not less than $1,000 nor more than $2,500. For a violation of subsection A of § 2.2-3808 by any agency, the court may impose a civil penalty of not less than $250 nor more than $1,000, which amount shall be paid into the State Literary Fund. For a second or subsequent violation, such civil penalty shall be not less than $1,000 nor more than $2,500.
I hope this is helpful.
Size of Division and Human Propensity to Make Mistakes
Neither state nor federal regulations include a waiver that lets school divisions off the hook for violations due to “the size of the division” or “the human propensity to make mistakes”.
As one example, if VDOE’s reasoning was reality instead of a flawed argument, the Department of Environmental Quality (DEQ) would have let FCPS off the hook for multiple failures to comply with Virginia’s hazardous waste management regulations. Instead, DEQ fined FCPS $60,825 in 2021 for multiple violations. (Additional Reading: “The $60,825 Question: Should Fairfax County Public Schools Invest in Special Education or Pay Hazardous Waste Management Fines?“) Add to this the fact that FCPS’s Office of Special Education Procedural Support — the office liaising with in-house and out-of-house lawyers — has a history of privacy violations itself. In a period of one year, the office violated the privacy of about 100 students. (Additional Reading: “FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches” and “FERPA Violation Report Card: Fairfax County Public Schools“.)
The facts related to the violations are not “diverse” in terms of individuals and areas of the division.
VDOE cites different locations, yet when I previously filed a state complaint and asked that two specific locations—Silverbrook Elementary School and South County High School—be investigated for systemic privacy violations, VDOE refused. Although both schools were found in noncompliance by VDOE year after year, and even though VDOE required corrective actions year after year, VDOE issued a November 1, 2019, NOC stating that although it would open an investigation related to privacy violations, it would not open it at a systemic level. It based its decision on previous violations, which were time barred at that point. VDOE knew the schools were repeat offenders and that the schools; previous noncompliance wasn’t corrected, yet chose to ignore ample evidence of systemic violations. Two years later, VDOE relied on the same crutch to argue its position. This time, the violations of 2019 are time barred.
In addition, while some of the violations I complained about took place at the school level, the majority of the violations occurred when FCPS provided its responses to FERPA and FOIA requests, which are handled out of the same office. Hence, as one example, although the privacy of 70 Robinson Secondary School students was breached, the breach did not originate at Robinson. Instead, it came out of FCPS’s Office of Special Education Procedural Support, which was been the source of so many breaches.
VDOE was provided the 1,316-paged FOIA response related to this complaint. Among other things, those pages provide additional evidence that FCPS’s in-house and out-of-house lawyers vet FERPA and FOIA requests (Additional Reading: “What is Fairfax County Public Schools Trying to Hide? These 1,316 Pages of Clues Provide Answers“). Additional proof of this resides in the hearing transcripts for FCPS’s recent law suit against me and Debra Tisler, in which it admitted its lawyers vet FCPS’s responses. (Additional Reading: “Update on Fairfax County School Board’s Legal Action Against Parents)”
Policies & Procedures
FCPS supposedly having “in place policies and procedures that were compliant with the law” is irrelevant given FCPS repeatedly failed to follow policies and procedures that would ensure compliance “with the law”.
Placing weight on “policies and procedures” FCPS supposedly has in place is like the builders of the Titanic saying it was built so well that it would never sink. We all know how well that turned out — and in the Titanic’s case, it didn’t have a history of sinking, whereas FCPS has a long history.
Click on the image below to view VDOE’s Letter of Findings in full.