Confidential student information was unintentionally leaked in Naperville Central’s School Improvement Plan, which was released publicly on Friday, Sept. 20. It was removed on Tuesday, Sept. 24 around 3:35 p.m. when Central Times staff brought the breach to the attention of Principal Jackie Thornton.
The leak included student grades for both the first and second semesters of the 2023-24 school year across two documents, as well as additional protected data points on IEP and 504 status, eligibility for free and reduced lunch, dual language status and limited English proficiency status. Students’ full names and ID numbers were also included.
“That isn’t consistent with the quality of the work we do at Naperville Central, and our apology is sincere, as is our promise that it won’t happen again,” Thornton said.
The leak was limited to only Central Times staff reporting on the incident, according to District 203’s IT department. Though the School Improvement Plan is publicly available through BoardDocs, only accounts with a District 203 email domain (including students and faculty) were able to access the sensitive data.
“Upon notification, we directed all involved students to delete any copies of the data and emphasized the serious ramifications of sharing this information,” America Villalobos, communications specialist for District 203, wrote in a statement to the Central Times. “Our technology team conducted a thorough review, and we have strengthened our data privacy measures by auditing documentation permissions in compliance with all state and federal regulations, as well as Board of Education Policy 7:340 [on student records]. Additionally, these procedures were reiterated with staff on Wednesday, Sept. 25.”
The data included all 2,433 students at Central during the 2023-24 school year, from current sophomores in the Class of 2027 to graduated seniors from the Class of 2024. There were more than 31,000 lines of sensitive data across the two documents.
“None of us want this to happen again; none of us wanted this to happen in the first place,” Thornton said. “We were very right-on [with regard to] ‘how are we going to minimize the exposure and how are we going to rectify that?’”
According to legal experts, the publication of such information was in violation of the Family Educational Rights and Privacy Act of 1974, the Individuals with Disabilities Education Act, the National School Lunch Act and the Illinois School Student Records Act.
Under FERPA, schools are not allowed to disclose personally identifiable education records—including grades, classes taken and special education records—unless they obtain prior written consent from the student or their parents.
“The information that appears to have been released would be protected under FERPA, and so the release of that information, in a general sense, would violate FERPA,” government transparency lawyer Matt Topic said. “Unless that was part of a policy or practice, as opposed to just a mistake or an act of negligence, it’s unlikely the Department of Education would cut any of the district’s funding. It’s possible that if they were asked to look at this, they would remind the school district of the importance [of keeping] this information confidential.”
The Department of Education declined to comment on the specifics of District 203’s data leak.
“If we were to receive a complaint from a parent or eligible student alleging that his or her rights under FERPA were violated when a school official improperly disclosed information from their child’s or their education records, we would work with the school to achieve their voluntary compliance with FERPA’s requirements,” a Department of Education spokesperson told the Central Times. “We recommend that parents discuss any concerns that they have about such matters with their school administration.”
Although FERPA enforcement requires a “policy or practice” of student privacy violations, the Illinois School Student Records Act prohibits any release, transfer, disclosure or dissemination of “school student records or information contained therein.”
“The Illinois School Student Records Act prohibits the release of school student records—which is most information concerning a student—and the kinds of information that seems to have been released would qualify as protected information under that statute,” Topic said. “Based on what I’ve seen, it would appear to be a violation.”
The leak also included the names and other personally identifiable information of all students who had 504 plans and IEPs. That information is confidential and protected under both IDEA and FERPA.
“As a member of the public, I should not be able to tell whether a certain student by name is enrolled for special education supports and services,” Jonathan Gaston-Falk, a staff attorney for the Student Press Law Center, wrote in a statement to the Central Times. “The district [was] out of compliance not only with FERPA but IDEA as well.”
The National School Lunch Act prohibits schools from disclosing any information about student eligibility for free and reduced lunches except to a limited number of government officials. Those records are also protected under FERPA.
More than a dozen administrators reviewed the School Improvement Plan ahead of its presentation at the Board of Education meeting on Monday, Sept. 23.
“We want to reaffirm our commitment to transparency and privacy following the recent incident involving the inadvertent exposure of sensitive student information linked to Naperville Central’s school improvement plan,” Villalobos wrote. “We take data security very seriously and sincerely apologize for this breach. As always, we are dedicated to regaining the community’s trust and ensuring that such incidents do not occur in the future.”
Since the incident, Central has “changed its practices” on student data collection. A statement released by Thornton on Wednesday, Sept. 25 at 10:16 a.m. encouraged teachers to “double check and ensure that your data files are also restricted to the small group of people that truly need that information.”
“We’ll never share a document in the same way again,” Thornton said. “I know [that] I personally am not using the Naperville general domain anymore for any document that I am creating or sharing, not even those that [don’t] include sensitive information. I reminded and will continue to remind our staff that it’s sometimes easy—especially when you’re in the work process and there’s a team of people that are working on the shared document—to use that instead of entering everybody’s names, but whenever there is sensitive information, we need to take the step to [protect] it.”
Editor’s note: this story has been updated with a statement from the U.S. Department of Education that was received after its original publication.