FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches

[Updated 11.11.21 to include more FERPA violations]

Fairfax County Public Schools (FCPS) Office of Special Education Procedural Support (OSEPS) has a history of failing to secure confidential information about children, to the point that one could say privacy breaches are an area in which FCPS OSEPS excels.

March 17, 2017

Jim Burgess, a former senior specialist in OSEPS, sent the email below with a cc to the wrong person. The email Jim forwarded to the wrong person is about the mother of a FCPS student and the student.

Click on the image below to view the email at a larger size.

(Personally identifiable information was deleted in advance of publication)

The mother filed a FERPA request. In FCPS’s response to her FERPA request, the mother found Jim’s email. This is how she found out about the breach, even though, per § 22.1-287.02(B), FCPS was required to make her aware of the breach.

§ 22.1-287.02(B) states the following:

In cases in which electronic records containing personally identifiable information are reasonably believed by the Department of Education or a local school division to have been disclosed in violation of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) or other federal or state law applicable to such information, the Department or local school division shall notify, as soon as practicable, the parent of any student affected by such disclosure, except as otherwise provided in § 32.1-127.1:05 or 18.2-186.6. Such notification shall include the (i) date, estimated date, or date range of the disclosure; (ii) type of information that was or is reasonably believed to have been disclosed; and (iii) remedial measures taken or planned in response to the disclosure.

After receiving the FERPA response, the parent asked Jim to tell her to whom her child’s information was provided. Jim refused. He maintained that the email had been recalled, per his second email below.

And yet . . . § 22.1-287.02(B) does not state, “In cases in which electronic records containing personally identifiable information are reasonably believed by the Department of Education or a local school division to have been disclosed in violation of . . . the local school division will recall the electronic record and thus will be off the hook for notifying the parent about the breach.”

October 7, 2020

Kelly O’Connell, a FCPS procedural support liaison in OSEPS, cc’d one parent on an email for another parent’s child. The email had an IEP termination letter attached. Kelly, like Jim, tried to recall the email. It is unknown if the child’s parent/s were made aware of the breach.

Click on the image below to view the email at a larger size.

(Personally identifiable information was deleted in advance of publication)

October 27, 2020

Dawn Schaefer, then-coordinator for due process and eligibility in OSEPS, forwarded me a transcript for a due process hearing filed by a family whose children attend FCPS. Like Jim and Kelly before her, Dawn made an attempt to recall her FERPA violation.

Click on the image below to view the email at a larger size.

(Personally identifiable information was deleted in advance of publication)

Guess what didn’t happen.

The email wasn’t actually recalled.

The original email and transcript didn’t magically exit my in-box because Dawn tried to recall it.

Coincidence: I know the family to whom Dawn should have sent the transcript.

Another Violation: FCPS failed to make the family aware of the breach. I told the family their privacy had been breached and the family had to ask FCPS what information was released and why FCPS didn’t notify them.

FCPS’s answer?

Classic FCPS. (Stick with me for a bit as I circle around to FCPS’s answer.)

I went to due process last year. On numerous occasions I expressed my concerns that FCPS would fail to secure confidential information. The hearing officer ordered that a protective order be put in place for the due process hearing. Among other things, the order stated the following:

To the extent any inadvertent disclosure is made pertaining to the educational records of [REDACTED] and/or any other FCPS student, the receiving party will immediately notify the other party of such disclosure and return or destroy such record. The receiving party agrees to take actions to prevent the further disclosure of such inadvertently produced educational records.

While the order states that we agreed to take actions to prevent the further disclosure of inadvertently produced educational records, it doesn’t say that I—or anyone else for that matter—must refrain from letting other people know that FCPS was at fault for another breach.

I knew the family whose privacy was breached. I made them aware that a breach occurred.

After the parent approached FCPS about the breach, FCPS’s lawyer accused me of violating the protective order. I corrected the lawyer. I agreed not to further disclose inadvertently produced educational records. I did not agree to keep silent about FCPS failing to secure confidential information.

FCPS told the family that it didn’t tell them about the breach because there was a protective order in place for a different student—even though the breach was about their child and even though 22.1-287.02(B) required FCPS to notify the parents.

October 2020

Dawn Schaefer, then-coordinator for due process and eligibility in OSEPS, breached the privacy of over 70 students attending Robinson Secondary School when she provided a spreadsheet of 8th graders enrolled FCPS to an FCPS parent. Dawn provided a link to the parent. The parent downloaded the documents and later found the breach in the documents. In addition to identifying the students as students in the special education program, it lists the students’ first names, last names, student ID numbers, the classes in which they are enrolled, and the names of their teachers. Read: Robinson Secondary School Privacy Breach: FCPS Released Names, ID Numbers of Students Receiving Special Education

May 6, 2021

Jane Strong, the now-retired director of OSEPS, breached a student’s privacy when she emailed six documents related to the student to individuals who should not have received them. This student happened to be the child of the same family whose transcript Dawn sent to me instead of the family.

June 24, 2021

Dawn Azennar, a FCPS procedural support liaison (also under OSEPS), sent an email and a letter about a FCPS student to the wrong person (a FCPS parent in this case). Although the student isn’t mentioned by name, there’s a fair amount of information that would make tracking down the student and family doable. Craziness: This isn’t the first time FCPS has accidentally emailed this same parent. Just over two month’s prior, FCPS sent the parent an internal email in which FCPS admitted fault in relation to an investigation the Office of Civil Rights (OCR) initiated after I filed an OCR complaint. (Read “Office of Civil Rights Opens Investigation of Fairfax County Public Schools – Special Education Action“.) Related Reading: “Oops! . . . They Did It Again!; Fairfax County Public Schools Continues to Breach Student Privacy”

What Next OSEPS?

The Virginia Department of Education is investigating FCPS, for systemic privacy violations. (Read: Virginia Department of Education to Investigate Fairfax County Public Schools for Systemic Privacy Violations)

No matter which way VDOE rules, will OSEPS clean up its act?

Hard to believe that will happen.

If the very office that should be following procedures is the very office that is at fault for carelessness itself, there’s little hope that FERPA violations will cease.

Side Note

In addition to the breaches, the emails shared above contain worrisome information. For the first email, why were IEP team members coming and going during meetings? Why did the parent have to ask for the spreadsheet that FCPS previously committed to providing her? Why the issues with the dates? And, if the dates were changed on the IEP, what exactly was uploaded to FCPS’s SEASTARS system?

For the IEP termination letter email, I want to know why such a letter would go out in the first place. Did the parent know that FCPS doesn’t have the right to terminate an IEP without parental consent? Was the parent ever notified about the breach?