The Poway Unified School District released to one parent in the district sensitive personal information about more than 36,000 children, in response to a public-records request.

The release was a mistake, as the parent asked for information about records containing her own name, and the district gave her much broader data sets containing the information about herself and others.

The data included children’s names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results and occupation of parents, according to the woman who received the data, Gabriela Dow.

District officials confirmed the mistake in a statement to parents Monday afternoon, amid questions from The San Diego Union-Tribune.


“The information released did not include Social Security numbers,” the statement said. “However, it included directory information and district-based test scores, some of which are protected information under the Family Educational Rights and Privacy Act.”

Dow is a member of the district’s Educational Technology Advisory Committee, and submitted a broad records request on April 7 in that role. She sought information about organizational charts, technology initiatives, job descriptions and other items — plus any district records bearing her own name.

A month later, she received the documents she asked for, and much more — a spreadsheet containing 36,444 rows of data on information for everyone connected to the Poway district. Including parents, the data contained information about 70,000 people.

Parent occupations were listed, even in sensitive areas like the military, said Dow, who has been a critic of Superintendent John Collins.


“As a parent, I am very concerned,” said Jessica Xu, a Poway parent who serves on the committee with Dow. “I hope the district senior management and the board will take quick action to identify the source and scope of data breach and alert all parents timely.”

Dow gave the CDs containing the data to the District Attorney’s Office on May 9, to report the breach. The district attorney has received Dow’s complaint, a public information officer said, and the complaint is under review. The DA’s office declined further comment.

According to the district statement to parents, officials have “confirmed with the San Diego County District Attorney’s office the released information has been secured.”

The public records requests were handled by an outside attorney, William B. Shinoff. He did not reply to a request for comment.


Dow said she was uncertain why she was given so much information. As a parent, and a member of a committee, her name was present in multiple files, hence the amount of data that was sent to her.

Dow viewed the information on a computer that wasn’t connected to the Internet, she said, so she hopes that a hacker wasn’t able to access the information through her. Dow, a management consultant who has worked in the technology sector, said that it is reasonable to think that the information she was sent now exists somewhere in the dark web.

Dow said the data is not necessarily secured, contrary to the district’s statement.

“PUSD leaders have no understand of how data works,” she said. “That is a primary root of the security problems.”


Peter Scheer, executive director of the First Amendment Coalition, said that Poway doesn’t face any legal problems in releasing too much information under the California Public Records Act.

But the breach may cause problems under the provision of law cited by the district — the federal Family Educational Rights and Privacy Act, he said. The 1974 act prevents outside parties from obtaining identifiable information about a single student. Schools that violate the act risk losing their federal funding.

It remains unclear if families have been directly harmed by the release of the information. According to Dow, she did not misuse it or share it with anyone. As a result, Scheer was uncertain if a complaint would stand in court.

As a member of Poway’s technology board, Dow hoped to get the breach added to the group’s Monday night agenda, but it was too late under the state’s Brown Act governing open meetings.


“Although we cannot discuss the matter during Monday’s meeting,” Board of Education President Michelle O’Connor-Ratcliff said in an email to committee members on Saturday, “I believe committee members are free to discuss the topic outside of the meeting without violating the Brown Act since the requested topic does not have a direct link to education technology.”

Dow countered by saying that cybersecurity should be a concern of the committee.

Poway Mayor Steve Vaus, who has been a critic of the district in the past, said he was taken aback by the mistakes made.

“You know, this is the downside of the digital age,” Vaus said.