The Washington PostDemocracy Dies in Darkness

D.C. accidentally uploads private data of 12,000 students

School buses. (iStock)

The private information of about 12,000 D.C. public school students was accidently uploaded to a publicly accessible website, the District’s Office of the State Superintendent of Education announced Thursday in an internal memo.

The information, which was online for several hours Tuesday, has been taken down.

Officials said someone in the office uploaded the data to a public D.C. Council account at Dropbox — the online service offers large amounts of digital storage space — ahead of a council oversight hearing on the education department.

All 12,000 students, who attend public and charter schools in kindergarten through 12th grade, are part of the Individualized Education Program, which provides tailored education plans for students with special needs.

The information included each student’s identification number, race, age, school, disabilities and any services he or she receives.

“I am deeply disappointed by this situation,” Hanseul Kang, the state superintendent of education, wrote in a letter to colleagues Tuesday. “Our families deserve to know that their students’ personal information is being kept confidential and secure in the education system.”

The superintendent’s office is a separate agency than D.C. Public Schools and oversees standardized tests, federal grants and compliance with federal laws.

Patience Peabody, a spokeswoman for the office, said her office had determined that one person downloaded the document from the website. That person was part of a community organization that has verbally agreed to delete the document, Peabody said.

“Our legal department is now in touch with them to sign off legally that they will delete the file,” she said.

An investigation of the incident, with aims including who is responsible for the data upload, is underway, Peabody said.

The state superintendent’s office created a hotline to address students’ families as well as community concerns about the posting. No one had called the hotline as of Thursday afternoon, although Peabody said the office was working to publicize it.

This is not the first time the office has accidentally released sensitive student data.

In March, District officials released an Excel file in response to a Freedom of Information Act inquiry from the news website BuzzFeed that included audited enrollment data about individual students, and information about suspensions and expulsions.

D.C. government office released students’ personal data to a reporter

Personal information was redacted and the file was locked when it was sent, but education officials later realized that the file could be unlocked, which would make personal details available.

Personal information for special-education students in the District had also been publicly available online from 2010 through the beginning of 2015. The personal data was included in training documents for special-ed providers in 2010 and 2011 and was inadvertently posted to an internal website that was not secure, officials said at the time.

D.C. special-ed student information inadvertently posted online since 2010

“As you know, we have taken significant steps as an agency over the past 11 months to better protect our student data, but they are clearly not enough,” Kang wrote in Thursday’s letter.

Last month, D.C. Council member David Grosso (I-At Large), who chairs the education committee, introduced legislation that would, in part, require organizations that enter into contracts with the school system to establish security measures to protect student data.

Students or parents with concerns about the data posting can call the hotline at 202-481-3400.

*Clarification: The story has been updated to explain the difference between the Office of the State Superintendent of Education and D.C. Public Schools.