UPDATED 11.20.23 — FERPA Violation Report Card: Fairfax County Public Schools

[This article was updated November 20, 2023, to include two more FERPA violations. One occurred October 30, 2023, and the other occurred November 14, 2023.]

FCPS has been releasing information about students without their consent for years.

This article details FCPS FERPA violations between 2017 and 2021. It includes breaches related to records FCPS provided to me, breaches related to my own family (and about which I filed state complaints), breaches other FCPS families shared with me, as well as the hacking of FCPS that occurred in 2020.

In addition, it includes FCPS noncompliance related to it failing to provide parents an opportunity to inspect and review their student's education records and/or review the education records within regulatory timelines.

In a perfect world, there'd be no reason to mention this article will be updated in the future. In a realistic world, where past is prologue, the expectation is that updates might never stop.

Please join me in asking FCPS Superintendent Michelle Reid to finally address FCPS FULLY securing the private information of its staff and students. 

FY15-17:

In an internal FCPS document titled "Hot Topics", dated December 11, 2017, which covers the 2015-17 period, FCPS stated the following about Silverbrook Elementary School:

"A SLP asked all sixth grade speech students to stand to be recognized during the EOY assembly in front of entire school. Proposed resolution to parents and they declined. CAP required training for SES and letter of assurance. Maintain student confidentiality, particularly about sped status. Provided FERPA/confidentiality training to Silverbrook."

In the same "Hot Topics" document, FCPS stated:

"Confidentiality of student records is a significant concern across the division. FCPS was found out of compliance by VDOE due to a confidentiality breach at Silverbrook ES, and we anticipate a noncompliant finding by VDOE again in the pending state complaint regarding Silverbrook and South County MS."

Click on image above to view document in full. I redacted names of students before posting.

Related Reading: Hot Topics and "FCPS Reports List 400+ Special Education Violations; VDOE Refuses to Investigate"

2.24.16

FCPS has a history of training staff to avoid putting information in writing, to prevent parents from obtaining it. While this isn't necessarily a cut-and-dry violation, the intention is to prevent access to information. Withholding of FERPA responsive information is a FERPA violation.

February 24, 2016, then-Silverbrook Elementary School (SES) principal Melaney Mackin advised school psychologist Michael Borsa the following regarding an email sent by a parent:

"I suggest that you do not email your reply to her questions (no paper/email trail) – either call her to discuss or email to say these can be answered when she comes in for the next meeting with the committee."

Additional Reading: Fairfax County Public Schools Trains Staff to Thwart FERPA Requests: Don't Put it in Writing 

6.10.16 FERPA Request:

Within its response to a 6.10.16 FERPA request I submitted, FCPS provided me the special education screening committee schedule, which listed two children from West Springfield Elementary school, who aren't my own.

7.21.16 FERPA Request:

Within its response to a 7.21.16 FERPA request I submitted, FCPS provided me information about two staff members at Silverbrook Elementary School.

2.3.17:

Former South County Middle School teacher Christina Schneider bcc'd her husband on an email that contained confidential student information.

Virginia Department of Education (VDOE) found FCPS in noncompliance for breach of privacy.

2.28.17:

Former South County Middle School teacher Christina Schneider bcc'd her husband again on an email that contained confidential student information.

VDOE found FCPS in noncompliance for breach of privacy.

3.17.17

Jim Burgess, a former senior specialist in OSEPS, breached the privacy of a student and parent and then refused to provide the parent the name of the individual to whom Jim provided information about her and her child. Read: FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches

6.7.17:

Former Silverbrook Elementary School teacher Wilson Johnson emailed Principal Melaney Mackin that he "heard through the grape vine that this family has been giving you a bit of trouble". Melaney Mackin responded to him, indicating that she would speak with him.

The family in question didn't provide the teacher information, did not provide him permission to talk about their child, and did not give Melaney Mackin permission to talk about the child with an individual who wasn't even an employee of the school.

Yet, evidently a grapevine of information was flowing from Silverbrook Elementary School. (As you scroll through this article, note how many times Silverbrook is listed.)

6.8.17 FERPA Request:

Within its response to a 6.8.17 FERPA request I submitted, FCPS provided me information about eight students at Silverbrook Elementary School and two students at unspecified schools.

Click on image above to view document in full. I redacted names of students before posting.

6.29.17

FCPS provided me a document related to a FCPS family that submitted a complaint to the Virginia Department of Education.

10.13.17:

I emailed members of FCPS school board, advising them of FCPS' privacy breaches. Elizabeth Schultz was the only person to respond. She replied:

"Thank you for taking the time to email and document your concerns. I understand how frustrating many of these circumstances can be and look forward to getting the appropriate staff involved to review the issues to date and make a determination of the necessary plan going forward."

10.27.17:

After emailing FCPS Superintendent Scott Brabrand, I was forwarded to former Chief Academic Officer Francisco Duran. I emailed, asking him to look into the privacy violations.

• 10.31.17: Francisco Duran responded to my 10.27.17 email:

"As you requested, I have looked into your concern about confidential student information disclosures.  Staff within the Department of Special Services are aware of two situations related to your son where there was a breach of confidentiality.  The recent one of student progress monitoring data being shared through your FERPA release is an inadvertent situation where other student names were not redacted. The second situation was the incident of the teacher inadvertently emailing her spouse sensitive scheduling information.  We believe these two incidents to be isolated in nature and not indicative of a systemic problem related to confidentiality.  However, in response to these two events, we will be developing tighter procedures around division wide FERPA practices as well as initiating additional training on the requirement to maintain student confidentiality.

"FCPS takes student confidentiality seriously.  Please know that the South County Middle School staff, including the central staff that provides support, certainly want the best for Max and his success."

That same day, I responded to Francisco, letting him know he'd been misinformed. He didn't respond.

Click on image below to view document in full.

11.8.17:

After not receiving a response to my privacy concerns, I contacted Congresswoman Barbara Comstock, who submitted an inquiry to FCPS on my behalf.

1.16.18 FERPA Request:

Within its response to a 1.16.18 FERPA request I submitted, FCPS provided me information about a student, at an unidentified school, his struggles, and the log-in/password information for a program he was using. They also provided special education screening information for a student at South County Middle School.

1.17.18 FERPA Request:

Within its response to a 1.17.18 FERPA request I submitted, FCPS provided me an unredacted copy of the internal FCPS document titled Hot Topics Region 4, which lists the names of other students, their lawyers, medical conditions, money paid, etc. and in which FCPS admits that it knows it has confidentiality and other issues. The document specifically states:

"Confidentiality of student records is a significant concern across the division. FCPS was found out of compliance by VDOE due to a confidentiality breach at Silverbrook ES, and we anticipate a noncompliant finding by VDOE again in the pending state complaint regarding Silverbrook and South County MS Schools need additional training on confidentiality of student information. While best practice is reinforced by IT, Division Counsel, and OSEPS, does not seem to be followed in day-to-day interactions. Additional training will be offered division wide, including at to Silverbrook and South County MS as part of the state complaint process corrective action. It may make sense to offer training to a wider audience.

"SLP asked all sixth grade speech students to stand to be recognized during the EOY assembly in front of entire school. Proposed resolution to parents and they declined. CAP required training for SES and letter of assurance.  Maintain student confidentiality, particularly about sped status. Provided FERPA/confidentiality training to Silverbrook."

Within the same response to my FERPA request, it provided me medical leave information about a South County Middle School Teacher.

Related Reading: Hot Topics and "FCPS Reports List 400+ Special Education Violations; VDOE Refuses to Investigate"

1.29.18:

Superintendent Scott Brabrand responded to my concerns in a letter to Congresswoman Barbara Comstock. This letter actually arrived just days before the "Hot Topics" document mentioned at the start of this article. While my FERPA request was dated earlier in the month, FCPS didn't provide its response until later. In addition, there was a delay between when Congresswoman Comstock's office received Scott's letter and when her office sent it to me. Within the letter, Scott stated:

"Ms. Oettinger shared her concerns about the Family Education Act (FERPA) violations by several FCPS school-based employees. These issues were addressed with each employee by their supervisors, following FCPS protocol for employee discipline. In addition, staff from the Department of Special Services met with the school team to review the violations and to develop a plan to ensure these violations are not repeated."

It was ironic (and disturbing and frustrating) to receive Scott's statement about my privacy concerns being addressed, only to receive another violation a few days later, in the form of the internal "Hot Topics" document stating, "Confidentiality of student records is a significant concern across the division."

Click on image above to view document in full.

11.7.18:

I had an in-person meeting with FCPS Superintendent Scott Brabrand, which lasted about an hour and a half.

During our meeting, I mentioned that as of that date I had been provided information on over 30 students and staff via FERPA and/or FOIA requests, even though I didn't request such information.

Scott replied:

"I don't know about that."

I stated again what I had and gave him some of the documents that I brought with me.

He then said that his team advised him it was more like TWO.

At that point, I had sent dozens and dozens of emails to Scott, his staff, and the school board. Scott's answer confirmed 1) that Scott's staff was not sharing all information with him; 2) Scott's choice was to believe his staff, rather than investigate facts provided by a parent; and/or 3) Scott was aware of FCPS privacy breach problems and was trying to deny them, none of which are good options.

2019

The names and grades of 12 students at Longfellow Middle School are included in this breach. All of the students were in the special education program at Longfellow in the 2018–19 period.

According to the FCPS family that forwarded this document to me (in March 2021), a former administrator at Longfellow Middle School provided it to them within a collection of other documents in 2019.

Related Reading: "FERPA Violation: Longfellow Middle School Students' Privacy Violated"

5.31.19:

South County High School teacher Chris Walton forwarded confidential information about my son to Ms. Davis at Fairfax County Federation of Teachers (FCFT).

• 10.16.19: Assistant Superintendent Jay Pearson emailed me and stated, I am following up on the concern you raised, both in email and during our phone conversation, that a staff member sent information to an association representative that included personally identifiable information about [redacted]. We reviewed the information forwarded to the association representative, and we agree that it should not have been forwarded.

VDOE found FCPS in noncompliance for breach of privacy.

6.2.19:

South County High School teacher Chris Walton forwarded private student-related information to her private email address on three occasions this day.

6.4.19:

South County High School teacher Chris Walton forwarded confidential information about my son again to Ms. Davis at Fairfax County Federation of Teachers (FCFT).

• 10.16.19: Assistant Superintendent Jay Pearson emailed, I am following up on the concern you raised, both in email and during our phone conversation, that a staff member sent information to an association representative that included personally identifiable information about [redacted]. We reviewed the information forwarded to the association representative, and we agree that it should not have been forwarded.

VDOE found FCPS in noncompliance for breach of privacy.

Click on image above to view document in full.

6.7.19

South County High School teacher Chris Walton forwarded private student-related information to her private email address.

August 2019:

A Silverbrook ES teacher failed to secure private information. Her daughter took a picture of private information and posted it to social media.

• 8.21.19: Assistant Superintendent Jay Pearson emailed, “I personally visited the school yesterday to address this issue. While there is an explanation as to how [redacted] was shared inappropriately, it is not excusable and not an acceptable manner for [redacted] to be shared. There will be a staff training in September on privacy and confidentiality of student information."

10.1.19:

South County High School Principal Gary Morris emailed confidential information about a student to Silverbrook Elementary School Principal Melaney Mackin. He didn't check the email address before sending the email.

VDOE found FCPS in noncompliance for breach of privacy.

10.24.19:

• 10.24.19, 7:25 PM: South County Principal Gary Morris emailed me, "I am writing to inform you that I was alerted today by a parent who picked up documentation from my office, that within her documentation I mistakenly included a document that had identifiable information of [Student] within it. This was totally my mistake as I somehow picked up a document with [Student's] information on it and packaged it with the information for the other parent."

• 10.24.19, 8:04 PM: A South County High School Parent emailed me to 1) make me aware my son's privacy had been breached and 2) advise me that she'd already contacted the school about the breach. She had submitted a FERPA request, and in response to her request, South County High School provided her 76 pages of information not related to her daughter, 12 of which were related to my son. "A document" is not quite the same as 12 pages.

VDOE found FCPS in noncompliance for breach of privacy.

11.25.19

Hearing Officer Frank Aschmann denied FCPS seven subpoena duces tecums in relation to the Due Process case related to a FCPS student.

FCPS still obtained records and didn't return them until 12.10.19, even though they were subject of Motion to Quash. FCPS did not make [Parent] aware that it had obtained these records. She was made aware after she did a request for detailed billing sheets from FCPS outside counsel Blankingship & Keith.

4.1.20

FCPS has a history of training staff to avoid putting information in writing, to prevent parents from obtaining it. While this isn't necessarily a cut-and-dry violation, the intention is to prevent access to information. Withholding of FERPA responsive information is a FERPA violation.

April 1, 2020, FCPS held a training session focused on COVID-19 procedural guidance. At about the 00:31:30 mark of part 2 of the video for the meeting, director of FCPS’s office of special education procedural support Dawn Schaefer and Hayfield HS assistant principal Andrew Guillen advised participants:

Andrew Guillen: Yes, Dawn. I just wanted to be clear, too. If that chat function is, um, enabled, parents could ask for a copy of it through a FERPA correct?

Dawn Schaefer: Yes, that is correct. So we really, um, strongly suggest that you turn it off.”

Andrew Guillen: Correct.

Dawn Schaefer: And remember, anything that gets typed over there gets kept.

Also of note: FCPS has repeatedly attempted to limit the scope of its FERPA responses, yet in the above, Andrew and Dawn agree that information in a chat room can be obtained via FERPA.

Additional Reading: Fairfax County Public Schools Trains Staff to Thwart FERPA Requests: Don't Put it in Writing 

4.8.20

Silverbrook Elementary School Principal Melaney Macking breached the privacy of one of my kids.

4.23.20

An Orange Hunt Elementary School teacher sent a group email to parents of students receiving special education services. In doing so, she violated the privacy of all the students and families, because school divisions are supposed to maintain the privacy of who is receiving special services.

FCPS argued that, because the email addresses and the email itself didn't include specific names, that it did not violate privacy. However, anyone with a PTA directory, classroom phone tree, and so on, would be able to sort out which email belongs to which family, and thus personally identifiable information was released.

May 2020

Toward the end of the 2019-20 school year Silverbrook Elementary School created a public sign-up sheet for medication pick up.

The sign-up form was accessible by anyone with the link, which turned it into a public list of children taking medication.

Related Reading: "Dear Silverbrook ES: A Public List of Students Who Take Medicine is Not a Good Idea".

6.25.20

VDOE issued a Letter of Findings in which it found FCPS in noncompliance related to FERPA regulation again. VDOE specifically stated:

"LEA failed to provide Complainant/Parent an opportunity to inspect and review Student's education record within regulatory timelines."

6.26.20

A day after being notified that VDOE found FCPS in noncompliance again, Jane Strong, director of the Office of Special Education Procedural Support, sent an email that states:

"We need to have a meeting to discuss our FERPA procedures and consider whether we will change our SOP."

South County High School teacher Tina Wrubluski was included on the email. Almost a year later, on 5.21.21, Tina breached the privacy of more students. This came just four days after SCHS Principal Gary Morris and Due Process & Eligibility Coordinator Dawn Schaefer met with a representative of the U.S. Department of Education, Student Privacy Policy Office (SPPO). Among other things, they spoke about the confidentiality breaches for which FCPS is at fault.

Click on the image below to view it at a larger size.

Related Reading: "South County High School Breaches Student Confidentiality Again"

August 2020

FCPS provided a parent spreadsheets related to over two dozen students attending Willow Oaks Elementary School. One spread sheet students who have 504 plans and another is titled "Health Conditions" and shares students’ ID numbers, their classes, their grades, their gender, and their health conditions. Read: FERPA Violation: Willow Springs Elementary School Students' Privacy Violated - Special Education Action

9.11.20

Hours after news outlets were already covering the story, FCPS announcement, that "ransomware was placed on some of [FCPS'] technology systems."

FCPS later admitted that the hackers Maze stole private information from FCPS. Drew Wilder of NBC News Channel 4 in Washington, D.C., confirmed that some of the stolen information included "personal information that includes letters regarding disciplinary actions against 15 different students and their grades".

June through October 2020

FCPS and two law firms with which it works, Sands Anderson and Blankingship & Keith failed to secure personally identifiable information on seven occasions in just a four-month period during 2020.

During this period, four due process complaints were filed on behalf of four different children. Their parents requested that their children's full records be provided. They didn't request unredacted information about other children (or adults). However, that's what they received.

Related Reading: "Fairfax County Public Schools, Sands Anderson, and Blankingship & Keith Breach Privacy During Due Process".

Family #1

FCPS counsel Sands Anderson provided the family numerous unredacted documents related to children attending Willow Springs Elementary School, to include personally identifiable information about students with 504s and students with health conditions.

Related Reading: FERPA Violation: Willow Springs Elementary School Students Privacy Violated

Family #2

FCPS counsel Blankingship & Keith sent information related to a subpoena to the wrong family.

Family #3

FCPS gave this family information about students receiving special education services, who are in the class of 2023 at Robinson Secondary School.

The list provides full names, student identification numbers, classes, interventions, recommendations, and class teachers and periods for the students.

Related Reading: Robinson Secondary School Privacy Breach: FCPS Released Names, ID Numbers of Students Receiving Special Education

Family #4

This one is related to a due process complaint I filed.

Between the time I filed the complaint and when the hearing officer submitted her final decision, the following breaches occurred:

• Former Blankingship & Keith lawyer Wesley Allen sent me thumb drives that supposedly held my son complete record. He later recalled the thumb drives because he said the included unredacted information about other students. After being called out on this breach, Wesley referred to himself as a "conduit", which I interpreted as him throwing FCPS under the bus.

• Former Blankingship & Keith lawyer Wesley Allen contacted me about a student who is not one of my children.

• FCPS, via Blankingship & Keith, provided personal home addresses, emails, and phone numbers for FCPS staff within its evidence books.

• FCPS Dawn Schaefer forwarded me a transcript for another family due process pre-hearing conference.

August 2020

FCPS breached the privacy of over two dozen students attending Willow Oaks Elementary School. FCPS provided a FCPS parent documents related to her child and the mother found two spreadsheets listing personally identifiable information about children. One spread sheet students who have 504 plans and another is titled "Health Conditions" and shares students’ ID numbers, their classes, their grades, their gender, and their health conditions. Read: FERPA Violation: Willow Springs Elementary School Students' Privacy Violated - Special Education Action

9.11.20

FCPS announced that it had been hacked and that Maze stole private information from FCPS, to include "letters regarding disciplinary actions against 15 different students and their grades."

October 2020

Dawn Schaefer, FCPS's coordinator of Due Process and Eligibility, provided a parent a link to numerous documents, many of which are about students other than her own.

The documents includes a spreadsheet that lists over 70 students attending Robinson Secondary School, who receive special education services. In addition to identifying the students as students who are in the special education program, the spreadsheet provides the first and last names of the students, their student ID numbers, their classes, and their teachers. Read: Robinson Secondary School Privacy Breach: FCPS Released Names, ID Numbers of Students Receiving Special Education

After the breach was made public on this site (I redacted personally identifiable information about the students), FCPS contacted at least one of the families about the breach.

10.7.20

Kelly O'Connell, a FCPS procedural support liaison in OSEPS, breached the privacy of student. Read: FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches

10.27.20

Dawn Schaefer, then-coordinator for due process and eligibility in OSEPS, breached the privacy of student and the student's family. Read: FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches

11.9.20

Robinson Secondary School released the names, ID numbers, and recommendations for students receiving special education.

Read: Robinson Secondary School Privacy Breach: FCPS Released Names, ID Numbers of Students Receiving Special Education 

1.25.21

FCPS has a history of training staff to avoid putting information in writing, to prevent parents from obtaining it. While this isn't necessarily a cut-and-dry violation, the intention is to prevent access to information. Withholding of FERPA responsive information is a FERPA violation.

January 25, 2021, FCPS held a training session with special education lead teachers. At about the 00:35:20 mark, FCPS procedural support liaison Dawn Azennar advised participants:

". . . when your PSL comes to you, and kind of talks about a student, and you want to think about that continuum of services, you probably wanted to have that conversation a little earlier, rather than waiting to the last minute of the school year. So, I just think that early planning, that frequent communication with the receiving school is going to be important——and minimizing how much you put in e-mail, too. That’s another good thing to remember. Have the conversations on the phone or verbally."

2.2.21

FCPS has a history of training staff to avoid putting information in writing, to prevent parents from obtaining it. While this isn't necessarily a cut-and-dry violation, the intention is to prevent access to information. Withholding of FERPA responsive information is a FERPA violation.

February 2, 2021, FCPS held a training session with special education department chairs. At about the 00:38:24 mark, Alice Lima-Whitney and FCPS PSL Michelle Waller advised participants:

Alice Lima-Whitney: "So we went through this really, really quickly and, um, I want to remind you that all of the resources for you to look at this information, how to access it, suggestions for what and what to enter are all, um, linked here. And then lastly, I want to mention that anything that is added to the, um, worksheets is, um, accessible via FOIA or FERPA, so make sure that everything that you’re, um, putting into the sheets is specific to literacy progress, um, or needs. . . ."

Michelle Waller: "Okay, it looks like we don’t have any questions at this time. So Alice, we’d like to thank for presenting information on the Plist. Um, you already mentioned that anything that’s typed in here can be, uh, requested by the parent through FERPA or FOIA, so remind your school teams, please, that, um, of that information."

Additional Reading: Fairfax County Public Schools Trains Staff to Thwart FERPA Requests: Don't Put it in Writing 

5.6.21

Jane Strong, director of the Office of Special Education and Procedural Support breached a student's privacy when she emailed six documents related to the student to individuals who should not have received them. This student's privacy was previously violated when Dawn Schaefer forwarded me a due process hearing transcript related to the student.

Related Reading: "Oops! . . . They Did It Again!; Fairfax County Public Schools Continues to Breach Student Privacy" and "Fairfax County Public Schools, Sands Anderson, and Blankingship & Keith Breach Privacy During Due Process"

5.17.21

South County High School (SCHS) Principal Gary Morris and Due Process & Eligibility Coordinator Dawn Schaefer met with a representative of the U.S. Department of Education, Student Privacy Policy Office (SPPO). Among other things, they spoke about the confidentiality breaches for which FCPS is at fault, and for which the Virginia Department of Education (VDOE) has repeatedly found FCPS in noncompliance.

5.21.21

Just four days after FCPS spoke with USDOE SPPO, SCHS staff member Tina Wrubluski violated the privacy of numerous students when she shared her computer screen during an IEP meeting. Although numerous people kept trying to obtain her attention, Tina continued working away, making document folders related to specific students available for viewing.

Related Reading: "South County High School Breaches Student Confidentiality Again"

6.2.21

The Student Privacy Rights Advisor for the U.S. Department of Education Student Privacy Policy Office (SPPO), who spoke with FCPS on 5.17.21, emailed me that FCPS was found in noncompliance and that FCPS assured her that FCPS staff had received FERPA training:

"We therefore find the that the District take specific actions, these actions include training staff.  Specifically, the District failed to obtain prior written consent before disclosing education records to another parent. We also have evidence that the District does not have a policy that would violate FERPA on a regular basis.  The District has required school officials complete a FERPA training to ensure that the scope and limitations of FERPA are adhered to. The District completed such training on November 12, 2019, which satisfies the requirements of this Office.  Concluding, this Office has received assurance from the District, therefore, we are closing the investigation as the District has completed the required corrective actions."

I made the advisor aware of the breaches that took place after the 11.12.19 training, to include the breach that occurred four days after she spoke with FCPS on 5.17.21.

Click on the image below to view it at a larger size.

6.24.21

June 24, 2021, Dawn Azennar, a procedural support liaison, sent an email and a letter about a FCPS student to the wrong person (a FCPS parent in this case). Although the student isn't mentioned by name, there's a fair amount of information that would make tracking down the student and family doable. I've deleted the student's birthday and the name of the student's previous school in the document below.

Craziness: This isn't the first time FCPS has accidentally emailed this same parent. Just over two month's ago FCPS sent the parent an internal email in which FCPS admitted fault in relation to an investigation the Office of Civil Rights (OCR) initiated after I filed an OCR complaint. (Read "Office of Civil Rights Opens Investigation of Fairfax County Public Schools - Special Education Action".)

Related Reading: "Oops! . . . They Did It Again!; Fairfax County Public Schools Continues to Breach Student Privacy"

6.29.21

June 29, 2021, Fairfax County Public Schools (FCPS) breached the privacy of thousands of students attending South County High School, Hayfield Secondary School, Edison High School, West Potomac High School, Lake Braddock Secondary School, and FCPS Online Campus. The breach includes the students' names, their FCPS identification numbers, their FCPS email addresses, the schools at which they are enrolled, the names of their parents and/or guardians, and the email addresses of their parents and/or guardians.

June 29, 2021, FCPS provided me a thumb drive with documents it stated were in response to FERPA requests I submitted. The thumb drive includes 12 unredacted reports with personally identifiable information related to students and their families. I did not request these reports or any of the personally identifiable information.

I went back through the thumb drive provided by FCPS and found another FERPA Violation.

Related Reading: "Fairfax County Public Schools Breaches Privacy of Thousands of Students; FERPA Noncompliance Continues" and "But Wait, There's More: Fairfax County FERPA Violations Continue"

September 2021

FCPS breached the privacy of a Chesterbrook Elementary School student and family. FCPS included an unredacted document in its response to another parent's FERPA request and that parent sent it to me.

The document is a student's care card. Each year FCPS asks parents to submit a care card. The cards request home, parent, and contact information, as well as medical issues, prescription medications, medical professionals the child is seeing, and so on.

Related Reading: "Fairfax County Public Schools Violated Privacy of Chesterbrook ES Student and Family"

9.10.21

FCPS breached the privacy of staff and students in its response to a FOIA request.

Related Reading: "Fairfax County Public Schools Leaked Its Own Legal Invoices"

9.13.21

FCPS breached the privacy of staff and students in its response to a FOIA request.

9.30.21

FCPS sued me and Debra Tisler after I published redacted versions of some of the documents released in FCPS's 9.11.21 and 9.13.21 FOIA responses, and then led the public to believe its lawsuit was a preventative measure to stop additional dissemination of personally identifiable information related to children and personnel files. Although the 1,316 pages released did breach the privacy of students and staff, the majority of the documents were not related to students and personnel files. On this date, a scheduling judge ordered that the documents not be disseminated and I was forced to remove documents already published, even though they were not PII documents about children and personnel. Within the first two weeks, FCPS spent over $115,000 on this lawsuit.

Related reading: "Update on Fairfax County School Board’s Legal Action Against Parents" and "Fairfax County School Board Spent Over $115,000 on Lawsuit it Tried to Make Disappear; More Legal Invoices to Come"

10.8.21

Lori Hershey, a FCPS central office staff member violated the privacy of a student when she forwarded a home instruction acknowledgement letter for the student to the wrong family. The family to whom the wrong letter was sent was never advised to whom the letter related to their own child was sent.

Related Reading: "FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches" and "FCPS at Fault for Two More Privacy Breaches; Released Mental Health Information About Almost 60 Thomas Jefferson High School Students"

10.28.21

Thomas Jefferson High School violated the privacy of almost 60 students when it sent a failed "mail merge" to the parents of the students, with a letter stating the parents were "in receipt of this letter because you indicated on the school health form that your child has an attention deficit or other mental health condition of concern."

Related Reading: "FCPS Office of Special Education Procedural Support Has a History of Privacy Breaches" and "FCPS at Fault for Two More Privacy Breaches; Released Mental Health Information About Almost 60 Thomas Jefferson High School Students"

11.16.21

Debra Tisler and I prevailed in court after FCPS sued us.

Related Reading: "Parents and First Amendment Prevail; Judge Rules Against Fairfax County School Board" and "What is Fairfax County Public Schools Trying to Hide? These 1,316 Pages of Clues Provide Answers"

11.26.21

VDOE found FCPS in noncompliance for FERPA violations related to FCPS's 9.10.21 and 9.13.21 breaches and stated:

". . . we are concerned that continuing complaints in this area could signal larger issues in the school division's response to matters concerning FERPA or an issue with insufficient training and/or procedures. Additional actions addressed through the state educational agency’s general supervision authority will be forthcoming."

Related Reading: "Fairfax County Public Schools Found in Violation of FERPA; Virginia Department of Education Refuses to Find FCPS at Fault for Systemic Noncompliance"

2022

While parents continued to contact me about FCPS FERPA violations, none were willing to step forward and share the records. They feared FCPS would retaliate against them.

2023

FCPS continued to contact me about FERPA violations, but they aren't willing to speak out, due to fear of retaliation.

Unfortunately, rather than addressing its noncompliance and working with all the individuals who have made FCPS aware of the noncompliance, FCPS has chosen to employ scare tactics, blame others, push out false information, while at the same time continuing to breach the privacy of students.

March 2023

FCPS released unredacted records for the 2022-23 math and reading SOL for 74 students and the reading records for 36 students. Both the math and reading records include the full names of the students, their scaled scores on the assessments, breakdowns of correct and incorrect answers, and the levels of the questions asked of the students (high, medium, or low). The reading records include the students’ state testing identifiers, the school’s name, and the delivery group for the students, too.

Related Reading: Fairfax County Public Schools Continues to Violate FERPA; FCPS Released Personally-Identifiable Information for 110 More Students

October 2023

FCPS failed to secure the privacy of over 35,000 students. For over a decade, FCPS never provided me access to in-person inspect and review of my kids records. After it lost a state complaint, I found three things:

1. FCPS included unredacted information for more than 35,000+ students within my own kids' educational records.
2. Although FCPS included unredacted information for over 35,000 students within my own kids' educational records, it failed to include records from all of 2022 and 2023, as well as other years, for my own kids.
3. Although I'd complained for years that some of the copies FCPS had provided me with were inaccessible, FCPS ignored me. After filing a state complaint, VDOE stated that a review of the files indicated nothing was wrong with them. And yet, the very files I complained about, which I finally inspected in the educational records were inaccessible. Neither the FCPS paralegal in the room the entire time with me, nor the FCPS IT expert he brought in could open three of the four I'd complained the most vigorously about. The IT expert said the three were saved incorrectly as shortcuts and the files weren't actually on the discs. One of the four wasn't in the educational record at all. In addition, there were recordings I'd never had access to before, as well as other recordings that were on discs that were blank or not even formatted for recording. And yet, in response to multiple state complaints, FCPS had maintained it had provided copies of all responsive records, that there was nothing wrong with the records it provided. In addition, VDOE never inspected the thumb drive I'd previously been given and never did a review of the recordings in the file. Instead, it seems it took FCPS at its word.

Additional Reading:

"Exclusive: Virginia’s Fairfax Schools Expose Thousands of Sensitive Student Records", By Linda Jacobson of The 74 Million

"What's New in Fairfax County Public Schools? Legal Invoices, Court Cases, Noncompliance, Closed Meeting Minutes, Toxic Emails, and the Failure to Secure the Privacy of 35,000+ Students"

10.30.23

FCPS failed to fully redact PII for a Centreville High School student. FCPS emailed me and VDOE this record within its response to a state complaint I filed. FCPS was late to submit this portion of its response to VDOE because, allegedly, FCPS was redacting the records in advance.

FCPS and VDOE have been made aware of the breach.

FCPS has provided no indication regarding whether or not it contacted the parents of the student whose privacy it breached.

11.14.23

FCPS' Robinson Secondary School emailed report cards to the wrong person—to someone other than the parent.

FCPS' response? FCPS takes privacy seriously and will be providing more training to staff.

 

SEA-STARS: FCPS Intentionally Disabled Access Tracking

July 20, 2020, a due process hearing officer requested information about FCPS' Special Education Administrative System for Targeting and Reporting Success (SEA-STARS) program, "specifically SEA-STARS' ability to capture and maintain logs of specific data such as login information, record access and changes to student data and FCPS retention of such log records over time.

Among other things, FCPS advised the hearing officer:

"SEA-STARS is a secure Commercial off the Shelf (COTS) product that was acquired as a result of a competitive process from Edupoint Systems, Inc. (Edupoint) and utilizes the Synergy Special Education System (SES) platform developed and owned by Edupoint. . . .

"The Synergy SES product does include the ability to track login information, record access, and changes to student data in a very detailed way. FCPS tested this functionality more than ten years ago and found that due to the volume of transactions and the associated overhead generated on the SEA-STARS servers, this functionality would seriously degrade the operational performance of the system, largely making the system unusable for authorized users. In addition, this functionality is not required under the Individuals with Disabilities Education Act (IDEA) or the Family Educational Rights and Privacy Act (FERPA). The decision was made that logging would not be enabled in the FCPS SEA-STARS system. There has been no change to this decision over the years, and logging has never been enabled in the FCPS SEA-STARS production environment."

Sec. 300.614 of IDEA requires a RECORD OF ACCESS:

"Each participating agency must keep a record of parties obtaining access to education records collected, maintained, or used under Part B of the Act (except access by parents and authorized employees of the participating agency), including the name of the party, the date access was given, and the purpose for which the party is authorized to use the records."

So, in addition to repeatedly violating the privacy of its students and staff over and over and over again, FCPS isn't tracking access to sensitive information related to children receiving special education.

*After going through this so many times, I realized that FCPS doesn't send out notices of breaches, a record of someone having access to their child's information, until after I or other parents make FCPS aware of the breach.

To date, I've been made aware of more breaches of other parents being provided information about children other than their own.

Am I worried about hackers accessing FCPS' system?

Yes.

Am I surprised?

No.

If your own team is at fault for repeat confidentiality breaches (in addition to other repeat noncompliance in other areas), it stands to reason there are holes all over your system.

Please join me in asking Superintendent Reid to finally address FCPS FULLY securing the private information of its staff and students.