Personal information of hundreds of Fairfax County public school students was mistakenly posted on the school system’s Web site, exposing their student identification numbers, birth dates, home addresses and phone numbers in what parents described as a breach of privacy.
The data, for 685 students who participated in a county arts enrichment program in July, was posted in a single document listed as “Sample Schedule” on the summer program’s Web site. A parent who discovered the document last week told The Washington Post about it Friday. The document was removed from the Web site Saturday morning, according to county school officials.
Fairfax schools spokesman John Torre confirmed that the information was inappropriately posted on the school system’s Web site and said it was online for about 24 hours.
“It shouldn’t have been up there at all,” Torre said. “It was mistakenly posted. We want to apologize to the families for what occurred.”
The public posting of student data occurred at a time of widespread concern about data security and debate about how much privacy individuals can expect in the digital age. School systems collect large amounts of personal data about hundreds of thousands of families in the Washington area, which makes data exposures particularly troubling to parents.
Caroline Hockenberry has a son in eighth-grade who took part in the 2013 Institute for the Arts session, and personal data, including courses he took during the summer program, appeared in the document posted on the county Web site. Hockenberry said it was disturbing that the information was left online for anyone to see.
“I can’t believe they did this. This is a huge error,” Hockenberry said. “That's something they are always educating the kids about, not revealing that personal information online and being very careful. They are the schools, and they should be protecting their identities.”
Torre said the school system sent a letter to parents Monday afternoon to inform them about the mistaken disclosure. He said that most of the data posted online are technically “directory information” under federal Family Educational Rights and Privacy Act guidelines but he that the document should not have been put into the public realm.
The mistake happened just weeks after Loudoun County student information was posted online in error. Some of that data, left unsecured on a software company Web site, included school evacuation plans and student locker combinations. And last summer, a Fairfax Health Department employee’s laptop — containing medical records for about 2,000 county students — was stolen.
Some parents whose children’s data were exposed in Fairfax said they go out of their way to ensure that they do not post much about their children online, as a matter of safety.
“I do worry about my daughter’s name, address and date of birth falling into the wrong hands,” said Cassi Wiseman, whose daughter is a seventh-grader at Rocky Run Middle School. “That's information that we guard, and I’d like to think that Fairfax County would guard that as well.”
Mark Sitko, the father of an Oakton high school junior, said that parents should be concerned that online predators might find the data.
“Who knows, in this day and age?” Sitko said. “You don’t want that sort of information out there.”
In their letter to parents, Fairfax county school administrators accepted responsibility for releasing the information online. The school system “is committed to safeguarding student privacy and confidential data and we have taken steps to ensure that this type of mistake does not occur again,” the letter read.