Pennsylvanians recently learned of one of the largest security breaches of personal health information in modern history. A computer flash drive containing the names, addresses and personal health information of 280,000 Philadelphia-area Medicaid recipients was discovered missing, purportedly after a laptop was lost at a community health fair.
This potential exposure of millions of pieces of sensitive data illustrates the ease with which one small oversight, or one tiny computer drive, can spell instant -- and enormous -- vulnerability for millions of innocent Americans.
It underscores the caution with which government agencies must proceed when collecting private data on unsuspecting citizens. The potential for identity theft, discrimination and other misuse in the wake of one lost laptop or one unwitting employee error is mind-boggling. It is also why the Senate Education Committee and leaders in the higher education community have called upon the state Department of Education to suspend its latest student data collection program.
Known as PIMS (Pennsylvania Information Management System), the collection is designed to track students from "womb to workplace." The Department of Education envisions data collection three to five times a year, to include personally identifiable student information, such as name, address, birth date, family income, race, gender, disability status, courses taken, counseling received and grades earned.
In a letter to the state, officials at Penn State and the University of Pittsburgh called the scope of this data collection "unprecedented."
While many colleges are willing to provide aggregate-level data, they are understandably crying foul over demands to submit information at the individual level. When this system was first implemented, I joined college officials in asking department officials: "How will this data be used?" "Who will pay for its collection?" And "Who will be liable for breaches or errors?" Our questions were first ignored, then pushed aside with pleas to "Trust us."
While student records have traditionally been deemed confidential, PIMS turns that protection on its head. The PIMS manual lists guidelines which are insufficient to safeguard the privacy of intimate student data. They also fail to indemnify private colleges and universities from liability resulting from disclosures of confidential student information, because, unlike the Commonwealth, private colleges do not have legal immunity from lawsuits or criminal prosecution.
Adding to cost and liability concerns are usage issues. With no clear explanation of the end-use of PIMS data, it is impossible for policymakers to assess PIMS' costs versus benefits. The system appears to be the colossal collection of "data for data's sake." What is being tracked or analyzed remains unknown to us. Clearly, the state is putting the cart before the horse, stockpiling information now in case they want it later.
Underlying this debate is yet one more basic question: do state education officials have the authority to compile this Orwellian anthology? It seems to me that the state is overreaching its authority.
After holding a Senate Education Committee hearing on the PIMS system in October, I continue to question the state's statutory authority for the system. The legislative branch never granted the executive branch the authority to begin this massive data sweep. I believe no single state department should have the unilateral power to impose such a far-reaching mandate and to punish those who fail to comply.
Thus, I have asked the state to apply the brakes to this program until the many lingering questions can be answered. With a new governor poised to take the reins, I believe we must take a step back and introduce legislation that gathers information consistent with federal privacy laws and the minimum aggregate data collection mandated by the federal government. I absolutely will continue to oppose a mammoth compendium of individual data that "Big Brother" has no business collecting about our citizenry.
Information is a valuable commodity, with significant benefits and, concurrently, significant risks. It appears 1984 has arrived in 2010. As Americans demand smaller, less intrusive government, the state's cyber-spying on students via PIMS should be powered "off."