Update: I created a page that includes all requested information and who it was requested by.
Through a freedom of information request, I asked Katy Independent School District what they were tracking on our students. I was asked to withdraw my request due to security issues (they stated their concern of a SQL injection). I offered two solutions that would prevent any security issues. One being that they randomize the data to prevent my knowledge of the exact structure of the attributes. Two being that they write descriptions of each attribute, so I know what the attribute is tracking, without knowing the exact structure of the attribute.
If you are familiar with Excel, you understand the basics of a database. Columns and Rows. In the case of KISD, there are 300,000 columns.
What I’m asking for, is the top row seen in the above image: First-Name, Last-Name, Email, and so forth. That’s all I want.
I was told that knowing the exact structure is a security risk. I confirmed this with colleagues of mine, and offered two solutions to satisfy the security issue and the reasonable request to know what is being tracked.
This is what they don’t want to provide me (a simple guess at how it might look):
To be clear, I’m not asking them for the list of names like: Susan Smith, Jason Johnson, and Ruby Thompson, I’m asking literally for ‘First-Name’ – I don’t want the actual data, I just want to know what the attribute represents. I want to know whether they are tracking GPA, name, hair color, device id, blood type, parent income, ethnicity, violent acts, shoe size, or whatever else.
My first solution is to randomize the data, so I don’t know the exact structure, which would look something like this:
This way, the intent of the column is clear, but I don’t know the exact structure of the data. This could be generated by a script in minutes. My second solution of providing a description would be more time consuming, but would look like this:
Column 1: The first name of the student
Column 2: The last name of the student
Column 3: The email of the student.
This also satisfies my desire to understand what they are tracking, without having the exact structure of the attribute, thus, satisfying the security concerns.
The software provider KISD uses for database management is called PowerSchool Group, LLC. Their legal counsel has also contacted the Attorney General claiming that my request represents “a trade secret obtained from a person and privileged or confidential by
statute or judicial decision” – Really? The structure of a database is a trade secret? first-name, last-name, email, date-of-birth are trade secrets? They also state that “Additionally, Section 552.104(a) exempts information from disclosure when doing so,
“would give advantage to a competitor or bidder.” TEX. GOV’T CODE § 552.104(a).”
Again, I don’t know how knowing the database structure would give anyone a competitive advantage, but it does seem that KISD has not communicated my proposed solutions to either PowerSchool Group, or the Attorney General, which I find unacceptable.
You can read the documents for yourself: