The Kentucky Department of Education (KDE) has reached a settlement with ACT for a $350,000 statement credit after it was discovered that information about Kentucky students who took the ACT was shared with postsecondary institutions, a violation of the contract between the two entities.

When students take the ACT, they are presented with the option of sharing their information with postsecondary institutions through ACT’s Educational Opportunity Service (EOS). This system allows postsecondary institutions to identify students they may wish to send information and possibly offer scholarships to upon application. However, since the ACT is a required test for Kentucky students and all data generated from the test is owned by KDE, any information entered in this section should have been filtered out of the system and not been made available in EOS for sharing.

According to ACT, this happened due to a system updating error, resulting in student information erroneously being included in the EOS database for postsecondary access.

Because of this error, certain data gathered through the ACT were obtainable by postsecondary institutions with access to the EOS database between 2017 and 2020.

This data includes:

  • First Name;
  • Middle Name;
  • Last Name;
  • Address, City, State, Province, Zip Code;
  • Email;
  • Birth Date;
  • Gender;
  • Race Ethnicity;
  • Race Details;
  • First Generation [College student];
  • GPA (as reported by the student to ACT);
  • Class Rank (as reported by the student to ACT);
  • High School Code;
  • High School Type;
  • College Types;
  • Denominational College;
  • College Activities;
  • College Major Interest; and
  • Career Interests.

“After ACT discovered this issue, we acted immediately and coordinated with the Kentucky Department of Education,” said Catherine Hofmann, ACT vice president of state and federal programs. “ACT has removed impacted student records from the EOS database so that your data will not be shared going forward.”

ACT also has identified the root cause of the issue and has corrected it. After investigation, ACT is not aware of any breach or misuse of the data, said Hofmann.

“ACT values and respects the privacy of your information and apologize for this issue. We regret any inconvenience this may have caused,” she said. 

Education Commissioner Jason E. Glass said he is disappointed this system error occurred, but is thankful for the cooperation of ACT in working with the department to correct the issue and alert the affected students. Once ACT discovered the error, it notified every postsecondary institution that accessed the data to immediately destroy the information.

It is important to note that the data shared erroneously by ACT was marked by students as information to share with colleges, added Glass.

“This was not a data breach or anything similar,” explained Glass. “No information was shared about our students that they didn’t agree to share themselves. However, the sharing of this data directly violated our contract with ACT, and we are happy to hear they have corrected the matter.”

ACT will begin notifying students who were affected and their families March 18.