VUSD - Shouldn't our schools respect our privacy?

In response to the violation of trust by VUSD where they shared our information with Incorporate Vail AZ, I am sharing further information about the Federal and State Laws regarding this.  I am not an attorney so I invite you to read through this information and take action as you feel is appropriate.  I will include links to the agencies where you can file a complaint.  

By definition PII (personal identifiable information) is any information that directly identifies an individual.  This includes but is not limited to:  Name, Address, SSN, Telephone Number, Email address.

FERPA (Family Educational Rights and Privacy Act) is a Federal law that protects the privacy of student education records. 

Much has been stated about the FOIA request made by Rob Samuelson on behalf of Incorporate Vail AZ to Vail Unified School District including that this is an acceptable use to share directory data.  Not only is that inaccurate, it appears to violate Federal and State law.  Additionally, Mr. Carruth stated that other instances of sharing our information have occurred without our knowledge and without our consent.  Following is a summation of the district’s obligations from the FERPA regulations.

• REQUIRED to inform parents annually of their right to review their student’s education record

• REQUIRED to establish a process for parents to review and seek to amend their student’s record

• REQUIRED to inform parents annually of the types of PII that could be publicly released as school directory information

• REQUIRED to provide parents an opportunity to opt out of having any or all school directory information publicly disclosed

• REQUIRED to seek parental consent in advance for the disclosure of PII for any purpose not authorized in law (like to a PAC)

For those interested in reading it directly, it’s copied below for reference as 'Exhibit A'.

Now, I’ll summarize the AZ legislation:

• Arizona law incorporates FERPA.  (See A.R.S. § 15–141(A))

• AZ law incorporates the provisions in FERPA relating to the release and access to education records. 

• AZ also states that any collection, maintenance or disclosure of pupil records compiled in an educational database shall comply with FERPA A.R.S. § 15–1045(A).

• AZ law expressly states that PII maintained in an education database of pupil records is confidential and is NOT public record.   A.R.S. § 15–1045(A), (B)

Upon speaking with Mr. Carruth after the last VUSD Board Meeting on 11/14/2023, I went on a search to find the data privacy policy he referenced.

I did locate a line item in the Annual Registration referencing adherence to FERPA (Exhibit B). There is NO reference in that annual registration to the privacy policy NOR a detailed listing of the directory information that may be shared as is REQUIRED by the aforementioned laws.  Upon a further search across the district websites, I did finally find the VUSD Policy which is outdated (2021) (Exhibit C).

The VUSD policy states that the District staff may compile NON CONFIDENTIAL student directory information such as:

• Student’s name

• Student’s address

• Student’s telephone listing

• Student DOB

• Student Place of Birth

• Age, Height and Weight (Athletes)

• Dates of attendance

• Degrees/awards received

Nowhere in this policy does it state that PARENT, GUARDIAN, EMERGENCY CONTACT information may be shared.  

So, to reiterate, VUSD is not compliant with FERPA nor AZ State law which states VUSD is:  

• Required to inform parents annually of the types of PII that could be publicly released as school directory information

• Required to provide parents an opportunity to opt out of having any or all school directory information publicly disclosed

• Required to seek parental consent in advance for the disclosure of PII for any purpose not authorized in law (like to a PAC)

Upon reviewing the financials for IVA, I saw a few paid staff members referenced including two VUSD employees (Exhibit D). Those employees, Darcy Mentone and Stacy WInstryg, are part of the VUSD COMMUNICATIONS Department. Shouldn't they be well versed in these laws and how/when/where/why our data is accessed and used?

In addition to this conflict of interest, I also would assert that this is a violation of the VUSD employee handbook which states that an employee is not to use their position to influence an election.

Last, I present to you the FOIA request (Exhibit E) that Rob Samuelson submitted to VUSD. He not only requested the email addresses but our names AND addresses. He also falsely claimed that this information was NOT for commercial purposes but as a 'public interest'. A political campaign of ANY sort is not a public interest item but is exactly what is states A POLITICAL CAMPAIGN. This request should have been denied citing FERPA and AZ State Law.

I highly recommend that the impacted parents of VUSD who agree this was a violation of the law as well as our trust in VUSD, including those who were outside of the Prop 402 boundaries, file complaints with the agencies listed below.

Thank you!

File a FERPA Complaint:  ​​https://studentprivacy.ed.gov/sites/default/files/resource_document/file/EComplaint%20form%20FERPA_Updated_508_013123.pdf

Contact the AZ Attorney General to file a complaint:

Attorney General Information - Kris Mayes

AGInfo@azag.gov

(602) 542-5025

Exhibit A

§99.37 What conditions apply to disclosing directory information?

(a) An educational agency or institution may disclose directory information if it has given public notice to parents of students in attendance and eligible students in attendance at the agency or institution of:

(1) The types of personally identifiable information that the agency or institution has designated as directory information;

(2) A parent's or eligible student's right to refuse to let the agency or institution designate any or all of those types of information about the student as directory information; and

(3) The period of time within which a parent or eligible student has to notify the agency or institution in writing that he or she does not want any or all of those types of information about the student designated as directory information.

(b) An educational agency or institution may disclose directory information about former students without complying with the notice and opt out conditions in paragraph (a) of this section. However, the agency or institution must continue to honor any valid request to opt out of the disclosure of directory information made while a student was in attendance unless the student rescinds the opt out request.

(c) A parent or eligible student may not use the right under paragraph (a)(2) of this section to opt out of directory information disclosures to—

(1) Prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, identifier, or institutional email address in a class in which the student is enrolled; or

(2) Prevent an educational agency or institution from requiring a student to wear, to display publicly, or to disclose a student ID card or badge that exhibits information that may be designated as directory information under §99.3 and that has been properly designated by the educational agency or institution as directory information in the public notice provided under paragraph (a)(1) of this section.

(d) In its public notice to parents and eligible students in attendance at the agency or institution that is described in paragraph (a) of this section, an educational agency or institution may specify that disclosure of directory information will be limited to specific parties, for specific purposes, or both. When an educational agency or institution specifies that disclosure of directory information will be limited to specific parties, for specific purposes, or both, the educational agency or institution must limit its directory information disclosures to those specified in its public notice that is described in paragraph (a) of this section.

(e) An educational agency or institution may not disclose or confirm directory information without meeting the written consent requirements in §99.30 if a student's social security number or other non-directory information is used alone or combined with other data elements to identify or help identify the student or the student's records.

(Authority: 20 U.S.C. 1232g(a)(5) (A) and (B))

[53 FR 11943, Apr. 11, 1988, as amended at 73 FR 74854, Dec. 9, 2008; 76 FR 75642, Dec. 2, 2011]

Exhibit B

Exhibit C

Exhibit D

Exhibit E