Dear Dr. Ryan,
After reading through my Right-to-Know request and looking at the information provided, I wanted to finally follow up with an e-mail.
Related: Separation of teaching and testing
Some questions may not have fit the specific law; however, I was hoping that if there was information that could make these programs more transparent, you would have included that. When information is not provided because the phrasing of the question may not fit the parameters of the RTK law, it gives the appearance that school administrators are not fully transparent. While that may not be your rationale, some people will walk away with that impression.
At this time I will refrain from re-phrasing the questions to meet that threshold and leave it up to school board members, residents or parents, to pursue those answers if they are interested.
Any research conducted on children needs to follow the most basic ethical protocols and laws. Also based on your reply I’m unable to determine if data from Devereux Students Strengths Assessment (DESSA) are shared with education researchers.
Plymouth State and Antioch University are collecting data on SEL/ DESSA from various New Hampshire Schools. Their researchers indicated to me in past conversations that any informed consent must be handled by district administrators. FERPA was altered during the Obama administration removing the requirements to obtain informed parental consent when administrators share the data with education researchers. However, that does not mean that this is an opportunity to ignore other federal and state laws along with ethical guidelines governing data privacy and surveillance of students and their families.
I would think that school board members or parents would want to know if the data are sent to researchers outside the district. I found that privacy agreements were not signed by New Hampshire Universities and local schools, which leads me to believe that those in charge of this highly sensitive data are not making student-data privacy, a priority.
Question 8 indicated that no permission slip was required for students to be assessed using the DESSA. Parents may not be aware that their child has been assessed using a psychological evaluation. The questionnaire may be considered benign but Marc Kirsch, Director of Sales & Business Development at Aperture Education, confirmed that the DESSA was a psychological evaluation. Mental Health assessments, screenings, and treatment fall under ethical guidelines and state and federal laws. In addition, school policies and professional licensure requirements would also apply.
DESSA was designed to promote students’ social and emotional competence. During public hearings with the New Hampshire House Education Committee, members debated the merits of a Competency-Based Education law. The discussion centered around not wanting school districts measuring the dispositions of students. I attended those hearings and listened to representatives balk at the idea of measuring these kinds of behaviors. The focus was to be on work-study-practices, not their social and emotional behaviors, attitudes, and values. We are now seeing social and emotional competencies subjectively measured, the data collected, and teachers in charge of all of this.
While I certainly understand the need to support students emotionally, measuring and grading social and emotional behaviors, needs to be carefully analyzed. If the parents were not informed, how can they weigh in on whether they want their children to undergo a psychological evaluation? Where does their child’s PII data go? How will the data be secured? Is the data ever destroyed? There are so many questions that should be provided to parents.
It was a teacher in another New Hampshire school district who alerted me to her responsibility for inputting the DESSA data into the school computer. She was concerned that she was not qualified to measure subjective behaviors and she didn’t want her own children subjected to the same treatment. Eight hours of training does not give teachers the proper education and training that other mental health professionals have.
Child Psychologists have clinical training and must adhere to a Code of Ethics (https://www.apa.org/ethics/code/) that requires them to obtain informed consent from parents when assessing children. Child Psychologists would know when to invalidate assessment results under certain situations and with certain students —teachers will not.
DESSA was such a concern for a physician in New Hampshire that she wrote an article in the Wall Street Journal addressing her concerns: Have You Seen Junior’s Psych Profile ?( https://www.wsj.com/articles/have-you-seen-juniors-psych-profile-1494286467 )
Dr. Aida Cerundolo explained why it is important to acquire parental consent when using the DESSA. Medical and Mental Health professionals understand and follow the most basic ethical guidelines and laws. Parents should have the security of knowing school administrators will be looking out for their child’s privacy rights. Unfortunately, I’m not finding that to be the case in New Hampshire.
While I understand that school administrators and teachers do not have the education or training in the field of Child Psychology, if you are going to implement SEL tools, assessments, curriculum, etc. into the classroom, there needs to be a focus on privacy rights, especially with this sensitive data collected, stored and possibly shared.
Social Sentinel collects sensitive and personal information on students by monitoring their email and social media accounts.
Extremely sensitive information obtained through Social Sentinel on a student discussing suicide was included in a proposed school board agenda a short time ago. While the student’s identity was not included, it would not be hard to identify the student based on what was revealed. This is what prompted my original Right-to-Know Request. If school personnel do not understand the importance of data security and privacy, how can parents be assured that their child’s privacy rights are of the utmost importance? I hope that in the future, this is taken more seriously and includes meetings on laws, ethical codes, and school policies.
Social Sentinel is using the school official exception under FERPA. This allows them to access student data without consent. This also implies that the LEA could authorize the selling of student data.
The definition of anonymized or de-identified data is lacking. ie: student name is removed but DOB or Student ID, or other identifier is present. Data is easily re-identified. The district should request the deletion and destruction of ALL data, including de-identified data.
The district should also conduct a privacy and security audit of the provider and share the findings with parents. They allow the LEA’s third-party auditor to audit the security and privacy measures. This should include the data elements shared by the Provider.
While I do understand the desire to prevent some of the unknowns, this is a program that some parents have described as an invasion of privacy. With the amendment recently added to the New Hampshire Constitution:
“An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent,”
…this could be grounds for legal action by those whose personal information is being monitored, collected, stored, and shared.
Children have been exploited and, while your intentions may be good, having a policy in place lets parents know that you are committed to never exploiting their children for any reason. From the information you provided, it certainly appears that parents can legally challenge some of the decisions and practices as I’ve addressed in this email.
Ann Marie Banfield
From the Federal Every Student Succeeds Act:
TITLE IV—21ST CENTURY SCHOOLS
PART A—STUDENT SUPPORT AND ACADEMIC ENRICHMENT GRANTS
SEC. 4001. ø20 U.S.C. 7101¿ GENERAL PROVISIONS. (a) PARENTAL CONSENT.—
(1) IN GENERAL.—
(A) INFORMED WRITTEN CONSENT.—A State, local educational agency, or other entity receiving funds under this title shall obtain prior written, informed consent from the parent of each child who is under 18 years of age to participate in any mental-health assessment or service that is funded under this title and conducted in connection with an elementary school or secondary school under this title.
(B) CONTENTS.—Before obtaining the consent described in subparagraph (A), the entity shall provide the parent written notice describing in detail such mental health assessment or service, including the purpose for such assessment or service, the provider of such assessment or service, when such assessment or service will begin, and how long such assessment or service may last.
(C) LIMITATION.—The informed written consent required under this paragraph shall not be a waiver of any rights or protections under section 444 of the General Edu- cation Provisions Act (20 U.S.C. 1232g).
(2) EXCEPTION.—Notwithstanding paragraph (1)(A), the written, informed consent described in such paragraph shall not be required in—
(A) an emergency, where it is necessary to protect the immediate health and safety of the child, other children, or entity personnel; or
(B) other instances in which an entity actively seeks parental consent but such consent cannot be reasonably obtained, as determined by the State or local educational agency, including in the case of—
(i) a child whose parent has not responded to the notice described in paragraph (1)(B); or
(ii) a child who has attained 14 years of age and is an unaccompanied youth, as defined in section 725 of the McKinney-Vento Homeless Assistance Act (42 U.S.C. 11434a).
The Belmont Report was written by the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. and says:
1. Respect for Persons. —
In most cases of research involving human subjects, respect for persons demands that subjects enter into the research voluntarily and with adequate information.
One special instance of injustice results from the involvement of vulnerable subjects. Certain groups, such as racial minorities, the economically disadvantaged, the very sick, and the institutionalized may continually be sought as research subjects, owing to their ready availability in settings where research is conducted. Given their dependent status and their frequently compromised capacity for free consent, they should be protected against the danger of being involved in research solely for administrative convenience, or because they are easy to manipulate as a result of their illness or socioeconomic condition.
The Belmont report affirms the importance of protecting persons with diminished autonomy, and that they enter into the research voluntarily and with adequate information. Since children do not have the capacity for free consent, it is critical that they not be exploited.
Ethical Principles of Psychologists and Code of Conduct
9.03 Informed Consent in Assessments
(a) Psychologists obtain informed consent for assessments, evaluations, or diagnostic services, as described in Standard 3.10, Informed Consent, except when (1) testing is mandated by law or governmental regulations; (2) informed consent is implied because testing is conducted as a routine educational, institutional, or organizational activity (e.g., when participants voluntarily agree to assessment when applying for a job); or (3) one purpose of the testing is to evaluate decisional capacity. Informed consent includes an explanation of the nature and purpose of the assessment, fees, involvement of third parties, and limits of confidentiality and sufficient opportunity for the client/patient to ask questions and receive answers.
(b) Psychologists inform persons with questionable capacity to consent or for whom testing is mandated by law or governmental regulations about the nature and purpose of the proposed assessment services, using language that is reasonably understandable to the person being assessed.
(c) Psychologists using the services of an interpreter obtain informed consent from the client/patient to use that interpreter, ensure that confidentiality of test results and test security are maintained, and include in their recommendations, reports, and diagnostic or evaluative statements, including forensic testimony, discussion of any limitations on the data obtained. (See also Standards 2.05, Delegation of Work to Others; 4.01, Maintaining Confidentiality; 9.01, Bases for Assessments; 9.06, Interpreting Assessment Results; and 9.07, Assessment by Unqualified Persons.)
New Hampshire State Law – How is SAU 16 complying with state statute RSA 189:66?
IV. The department and each local education agency shall make publicly available students’ and parents’ rights under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g, et seq., and applicable state law including:
(a) The right to inspect and review the student’s education records within 14 days after the day the school receives a request for access.
(b) The right to request amendment of a student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.
(c) The right to provide written consent before the school discloses student personally identifiable data from the student’s education records, provided in applicable state and federal law.
(d) The right to file a complaint with the Family Policy Compliance Office in the United States Department of Education concerning alleged failures to comply with the requirements of FERPA.
2) Provide the documentation on the data and policy governance plan:
V. The department shall establish minimum standards for privacy and security of student and employee data, based on best practices, for local education agencies. Each local education agency shall develop a data and privacy governance plan which shall be presented to the school board for review and approval by June 30, 2019. The plan shall be updated annually and presented to the school board. The plan shall include:
(b) A review of all software applications, digital tools, and extensions and an assurance that they meet or exceed standards set by the department.
(c) Policies and procedures for access to data and protection of privacy for students and staff including acceptable use policy for applications, digital tools, and extensions.
(d) A response plan for any breach of information.
(e) A requirement for a service provider to meet or exceed standards for data protection and privacy.
Below RSA 189:68-a :
SCHOOL BOARDS, SUPERINTENDENTS, TEACHERS, AND
TRUANT OFFICERS; SCHOOL CENSUS
Student and Teacher Information Protection and Privacy
189:68-a Student Online Personal Information. –
I. For the purposes of this section:
(a) “Operator” means the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.
(b) “Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:
(1) Is created or provided by a student, or the student’s parent or legal guardian, to an operator in the course of the student’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for K-12 school purposes.
(2) Is created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator.
(3) Is gathered by an operator through the operation of a site, service, or application described in subparagraph (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.
(c) “K-12 school purposes” means purposes that customarily take place at the direction of the K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.
(d) “Online service” includes cloud computing services, which shall comply with this section if they otherwise meet the definition of an operator.
II. (a) No operator shall knowingly engage in any of the following activities with respect to their site, service, or application:
(1) Targeted advertising on the operator’s site, service, or application, or targeted advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator’s site, service, or application.
(2) Use of information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a K-12 student.
(3) Sale, lease, rent, trade, or otherwise make available a student’s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.
(4) Disclosing protected information unless the disclosure is made to respond to or participate in judicial process.
(b) An operator shall:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.
(2) Delete a student’s covered information if the school or district requests deletion of data under the control of the school or district.
(c) Nothing in this section shall prohibit an operator from using de-identified student covered information as follows:
(1) Within the operator’s site, service, or application or other sites, services, or applications owned by the operator to improve educational products.
(2) To demonstrate the effectiveness of the operator’s products or services, including in its marketing.
(d) Nothing in this section shall prohibit an operator from sharing aggregated de-identified student covered information for the development and improvement of educational sites, services, or applications.
III. This section shall not apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications.
IV. This section shall not limit Internet service providers from providing Internet connectivity to schools or students and their families.
V. This section shall not be construed to prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing
did not result from the use of covered information obtained by the operator through the provision of services covered under this section.
VI. This section shall not be construed to impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software.
VII. This section shall not be construed to impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. section 230, to review or enforce compliance with this section by third-party content providers.
VIII. This section shall not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
IX. The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
Source. 2015, 128:1, eff. Jan. 1, 2016.
The Protection of Pupil Rights Amendment (PPRA)
The Protection of Pupil Rights Amendment (PPRA) is a federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature. Briefly, the law requires that schools obtain written consent from parents before minor students are required to participate in any U.S. Department of Education funded survey, analysis, or evaluation that reveals information concerning the following areas:
- Political affiliations;
- Mental and psychological problems potentially embarrassing to the student and his/her family;
- Sex behavior and attitudes;
- Illegal, anti-social, self-incriminating and demeaning behavior;
- Critical appraisals of other individuals with whom respondents have close family relationships;
- Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
- Religious practices, affiliations, or beliefs of the student or student’s parent*; or
- Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.)
The No Child Left Behind Act of 2001 contains a major amendment to PPRA that gives parents more rights with regard to the surveying of minor students, the collection of information from students for marketing purposes, and certain non-emergency medical examinations. In addition, an eight category of information (*) was added to the law.
You may read more about the specific changes to the law by selecting here.
The Department will be updating the PPRA regulations to reflect these changes.