Oregon officials announced the completion of a vast database of student information, even as the state acknowledged a security lapse of personal data in another part of state government.

The Statewide Longitudinal Data System has been formally in the works since 2015, though the state has invested state and federal dollars in an expanded student database since 2009. The system has encountered a series of delays, but top state officials now say it is done, pending final validation and quality assurance steps.

The SLDS, as the database is called, pulls together information on Oregonians from public school databases, college and university registries, and the state’s employment department system, all with the goal of better analyzing how student education levels affect outcomes later in life. It’ll allow researchers access to a hundreds of millions of data points, and will offer a limited set of reports to the public.

Oregon education officials look at a "beta" version of the Statewide Longitudinal Data System in August 2018. 

Oregon education officials look at a “beta” version of the Statewide Longitudinal Data System in August 2018. 

Rob Manning/OPB

The database director at Oregon’s chief education office, Ben Tate, said information related to nearly 3.8 million people is in the database, including people who have attended public schools or colleges in Oregon in the last several years. Tate said the information from the employment department is more limited.

“As the goal of this system is to research and evaluate education outcomes, there is no need for us to store employment records for individuals who did not receive an education in Oregon,” Tate said in an email to OPB. 

The state has established four committees to supervise the database, led by an “executive committee” of top directors at the Oregon Department of Education, the Higher Education Coordinating Commission and the Department of Employment. Under those, there are three subcommittees, focused on data, research and privacy. SLDS developers have discussed adding data from other agencies in the years to come, such as the Oregon Health Authority or the Early Learning Division. 

Officials say they’re encrypting the data, so that users of the system can’t match individual students with personal, private information. The database is also intended to follow suppression guidelines, which conceal aspects of data queries which could identify a small number of students, and thus reveal personal identities.

Technology watchdogs in the state have been keeping tabs on the database as it’s been developed for potential gaps in privacy, security and legal safeguards. The Oregon Department of Education’s former chief information officer Susie Strangfield was forced out of her job last January, she says as retaliation for her questioning the database’s security and privacy protections. Reporting from OPB confirmed that Strangfield had been repeatedly raising concerns about the database, to the consternation of her supervisors. Strangfield filed notice in October of her intent to sue the state over her termination.

Tate said the state is testing the security of the database before it’s opened up to research uses. After that, he said, it’ll be tested every year.

“[W]e will conduct annual external tests to ensure the security of the system,” Tate said, calling such tests a “critical step.”

“We have had initial conversations with our agency partners on this topic and will soon begin the process of bringing on an external security vendor to conduct these tests,” Tate said.

Data worries flared this week elsewhere in state government, as the Department of Human Services acknowledged a breach involving the personal information of potentially hundreds of thousands of Oregonians.

OPB learned last summer that education officials conducted a forensic review, when a data file was discovered “not in adherence with operational protocols,” as ODE communications director Marc Siegel put it in an email. But Siegel said it was not a data breach, as “this potential operational protocol violation could not and did not impact the security of the data.”

When contacted by OPB last year as state leaders were looking to roll out the SLDS, district-level information officers were looking forward to seeing what it could do. District leaders are often looking to use data to improve education, as statistical trends have the potential to provide greater clarity or detail around achievement gaps in the state’s public schools. But government officials are also keenly aware of the data risks — which federal law enforcement in Oregon highlighted as recently as last year.