Yesterday, Congressmen Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), Co-Chairmen of the Bi-Partisan Privacy Caucus, released letters they received from three college testing and preparatory organizations — ACT, Inc. (response), College Board (owner of the SAT) (response part 1, part 2), and the National Research Center for College and University Admissions (response) — in response to inquiries regarding their data collection policies, practices and procedures.  The Congressmen sent these inquiries after taking notice of a May 13 Bloomberg News article describing tactics that colleges allegedly use to solicit and then reject applications from high school students in order to boost selectivity rates.

The responses describe the types of data that college testing and preparatory organizations typically collect, including personal information such as birthdates and social security numbers, demographic and financial information, and academic information, such as grade point averages and test scores.  These organizations generally sell all or some of this data to colleges, scholarship programs, and other educational opportunity programs. 

In their responses, the organizations describe, among other things, their own data storage practices and the data security protections that they require of purchasers of student data.  The responses indicate that none of the organizations is aware of any breaches involving such data; however, College Board reported that it was notified by at least one vendor that it uses for bulk e-mail services that the names and e-mail addresses of some students may have been exposed during an episode involving a third party’s unauthorized access of the vendor’s databases earlier this year.

According to Representative Markey, “The organizations that connect students with educational and career opportunities have a special responsibility to safeguard the personal information they collect about students, which could be a treasure trove for identity thieves and other fraudsters.  I appreciate the important services provided by these organizations.  At the same time, improvements in data stewardship should be made, including deletion of student data after a reasonable period of time to reduce the risk of breach.” 

Representative Barton said, “Every organization focused on the importance of helping universities and education programs connect with students who show an interest in educationally-related information. While the intentions behind these initiatives are good, I am left with a few more questions on the exact methods used by these organizations to protect student data.  As an advocate for privacy, I feel a sense of duty to ensure that our children’s personal information is secure on the Internet, and I am looking forward to continuing my dialogue with these organizations.”