An investigation into how Fairfax County Public Schools accidentally shared other students’ private information with a parent during a fall meeting has concluded, Superintendent Michelle Reid said in a letter to families Thursday.
The external review, conducted by the law firm Woods Rogers, found that the data breach occurred because the parent had access to old thumb drives with unredacted files, the school division said.
The county gathered the files in response to the parent’s previous Family Educational Rights and Privacy Act information request, and they were “unintentionally and unknowingly left within boxes accessible to the parent during her in‑person review, who copied the files and removed them from FCPS property,” according to the findings.
Reid didn’t disclose the number of students impacted by the incident in public messages about it, but said most of the information was in spreadsheets that had a student’s name “with few, if any, other details.”
The incident, the school division said, happened during an in-person meeting where the parent was reviewing their own child’s documents. The county said it occurred on or after Oct. 19.
The parent, who the county said has a blog, didn’t share students’ information, and blacked out student names, Reid said.
The parent and the parent’s attorney, Reid said, “have provided declarations under oath and penalty of perjury stating they have deleted and do not have any of the identifiable student information that was involved in this incident.”
She added that all families impacted by the breach were notified.
In response to the incident and external review, Virginia’s largest school system is planning to offer additional training for administrators, special education staff and staff within the Department of Special Services.
In a statement, the Fairfax County Special Education PTA said the breach impacted many of its members.
“We are aware that there is a significant history of FCPS unintentionally releasing other students’ information in FERPA &/or FOIA requests; there have been many such situations where FCPS has failed to notify impacted families of these breaches,” the statement said. “It is unacceptable that these breaches of student data and health information occur, and the egregious nature of the current breach shows that steps taken previously to reduce such breaches have not been effective.”