A weekly “Internship Newsflash” newsletter sent out by the Department of Professional Practice (DoPP) to students on Sept. 10 contained a link to an Excel sheet that shared personal information of 628 students who had internships registered with the DoPP during Summer 2010.
The spreadsheet’s hidden columns could be expanded to view the students’ names, internship information, salaries and GPAs. Students identified that there was hidden information in the sheet when they saw that the cell numbers jumped from 56 to 541.
The release of student information is a breach of the Family Educational Rights and Privacy Act of 1974, commonly referred to as FERPA, which protects students from release of educational records and personal information without prior approval by the student. The data released, specifically GPAs, are covered under the section concerning educational records.
According to the DoPP, the breach of security was unintentional.
“[The data release] was a human error in the training and understanding of certain software. It was never our intention, obviously, to send out student data,” said Debbie Gulick, Executive Director of DoPP. “Our staff thought that in sending out an Excel document, that if you password protect a sheet, that information was hidden, but again, that was human error.”
Students expressed concern that such sensitive information was distributed to students across campus.
“It is pretty irresponsible to release that kind of information, mistake or no. I don’t care if you think the information is protected when you send these newsletters out. You should double and triple check first to see that our information [is] being properly protected,” said Allison Roberts, fourth-year ME major.
Once the DoPP was informed about the potential FERPA violation, the online link was disabled. The impacted students were contacted and informed that “sensitive” information “may” have been released to the public. Students reacted strongly to the unapproved release of their data. As of Sep. 22, nine official complaints had been made.
“I personally think it is an outrage. Shouldn’t a checkpoint have prevented something like this? It is a breach of trust with the internship office. I trust them with this kind of personal information and they misused it,” said Nathan O’Connor, fourth-year IE major.
“It’s obviously private information that I don’t want floating around,” said Melissa McCoy, third-year ChBE major. “[This incident] shows a lack of organizational responsibility and professionalism, especially since the DoPP is the face of the Institute. With all the support they have given me, I personally don’t question their competency, but it doesn’t make them look good to students.”
The DoPP has taken measures to prevent the further occurrence of breaches of data security.
“We had our Registrar come in that week and give a training of FERPA regulations… We also talked to the Office of Information Technology about data security and are working on some trainings for our staff to do as well as trainings on Microsoft Excel…. We are changing some of our internal processes. We hope to never again put ourselves in the position of releasing student data,” Gulick said.
FERPA is not legally actionable by students against the Institute for releasing data, but rather works on the principle of punishing universities that habitually breach the regulation by cutting government funding.
While a single unintended incident will not hurt Tech’s FERPA standing, there is valid concern for Tech to follow closely adhere to FERPA.
“We deeply regret that this happened and are sorry that any student data was released. I feel like we have thoroughly combed through our systems and processes to prevent this from happening again,” Gulick said.