Embed Size (px)
Citation preview
1
Ethical Issues for School Psychologists When Using Technology - Handout
Dan Florell, Ph.D. Eastern Kentucky University
October 25, 2018ASPA Fall Conference
Learning Objective:1. Participants will be able to identify ethical standards that relate to using technology.2. Participants will be able to describe questions that should be asked prior to using particular technologies to
ensure the maintenance of client confidentiality and privacy.3. Participants will be able to describe common ethical pitfalls when using technology.
Laws and Digital Records Family Educational Rights and Privacy Act (FERPA)
o FERPA was enacted in 1974 and provides certain minimum privacy protections for educational records.
o FERPA was passed to protect the privacy of student educational records by regulating to whom and under what circumstances those records may be disclosed.
o FERPA applies to educational agencies and institutions that receive federal funds administered by the Secretary of Education.
The Protection of Pupil Rights Amendment (Hatch Amendment of 1978) o Applies to state or local education agencies that receive funding from the United
States Department of Education. o Specifically, it ensures the rights of students and parents surrounding the
collection and use of information for marketing purposes as well as information regarding certain physical exams.
Children’s Online Privacy Protection Act of 1998 (COPPA) o Empowers the FTC to regulate the operators of commercial websites or online
services targeted to children in the collection and use of personal information obtained from children. COPPA defines “personal information” to include • (1) a first and last name; (2) an address; (3) an e-mail address; (4) a
telephone number; (5) a Social Security number; or (6) any other identifier that the FTC may determine permits the physical or online contacting of a specific individual.
o If a website is directed at children or the operator knowingly collects personal information from children under 13, COPPA requires that the website obtain parental notice and consent.
Handouts prepared by: Dan Florell – Eastern Kentucky University
2
o COPPA-covered operators must:• Post “clear and comprehensive” online-privacy policy.• Give parents “direct notice” before collecting information from children
under 13.• Obtain “verifiable parental consent” before collecting such information.• Allow parents to review their children’s information and request that it be
deleted.• Allow parents to opt out of further collection, use, or sharing of
information pertaining to their child.• Maintain the confidentiality and security of any child’s information that is
collected.• Delete children’s information after it is “no longer necessary to fulfill the
purpose for which it was collected.”o Federal Trade Commission - under certain circumstances, “schools may act as the
parent’s agent and can consent to the collection of kids’ information on the parent’s behalf.”
o Law requires parental notificationo FTC expects companies to publicly post a privacy policy that includes:
• Descriptions of what information is collected from children.• How information may be used and disclosed. • Contact information for any third parties that may also be collecting
information through the site, and more. o Schools expected to make such notices available to parents.
Health Insurance Portability and Accountability Act (HIPAA) o “Covered entity,” which is a health plan, healthcare clearinghouse, or any
healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.
o A school that is not covered by FERPA may be a covered entity if it provides health services for which it transmits health information electronically, such as submitting claims for payment from a health plan.
Health Information Technology for Economic and Clinical Health Act (HITECH) – Part D Privacy
o Requires HIPAA covered entities to report data breaches affecting 500 or more individuals to HHS and the media, in addition to notifying the affected individuals.
o This subtitle extends the complete Privacy and Security Provisions of HIPAA to business associates of covered entities.
o New rules for the accounting of disclosures of a patient's health information. It extends the current accounting for disclosure requirements to information that is used to carry out treatment, payment and health care operations when an organization is using an electronic health record (EHR).
Handouts prepared by: Dan Florell – Eastern Kentucky University
3
Privacy Technical Assistance Center (PTAC) - US Dept. of Educationo Offers guidance to school regarding the various laws regarding student privacy
and confidentiality (http://ptac.ed.gov ) Most tech ethics questions center on confidentiality and privacy and the impact it has on
the client’s well being.o Who owns the information?o Where is the information being stored?o How is the information being stored?o How long is that information going to be stored?o Who has access to the information?o What safeguards are in place?
Getting to This Point- Time of Flux and Change
o Crisis = Danger + Opportunity (Chinese)o Federal Funds – health care impact on school serviceso Electronic Leaks – Anthem and Equifaxo Ransomware - hospitals and schools are targets
Basic Risk Management- Standard of Care: Reasonable and Prudent- Psychologist (J. Younggren, 2013)
o Judicial: How similarly qualified practitioners would have managed the patient's care under the same or similar circumstances
o Must have and use the knowledge ordinarily possessed by members of the profession in good standing
o Ethical : As used in this Ethics Code, the term Reasonable means the prevailing professional judgment of psychologists
engaged in similar activities in similar circumstances, given the knowledge the psychologist had or should have had at the time.
- Keys to Success o Informed Consent – records including electronic transmission and storageo Appropriate consultation with otherso Good record keeping practices and strategies
- Risk Management o It can get you in trouble, if you “mess up”o Ignorance is not BLISS – “Standard of Care”o Professional ethics and technology do overlapo If in doubt – pause or ask a colleagueo Grad Student v school psychologists have the same requirements with the
exception of report modification by Supervisor.
Handouts prepared by: Dan Florell – Eastern Kentucky University
4
o Data management Storage – cloud/CD/DVD/external hard drive Lost data/computer/USB data stick Password protect it – folders and files (different from encryption)
o Copiers – may store your copieso E-mails are open and available to everyoneo Master files/reports – who can access?o “Other files” – not protected/computer access
- Steps to Protect Student Data o Conduct a structured analysis of various risks student data could experience.o Take measures to protect against these security riskso Protection is a moving target which needs regular updatingo Basics:
Mobile devices All data is encrypted Lock device with password Set into lock mode if few seconds go by Limit information kept on mobile devices Backup regularly to secure device
o Take advantage of built-in safeguards in EHR programs. Eg. Administrator limiting access to information based on need to know.
o Maintain minimal clinical recordso Long term record storage issues – format, type of storage, and how find record.
Technical Competence - School Psychologists be part of decision making process about technology- Develop school policies about technology, assessment, and records management- Develop consent forms for parents and teachers about technology and data management- Monitor business agreements between software companies and schools; 3rd Party Vendors- Keep hardware and software updated; & know how- Protect data and records; encryption- Be knowledgeable about new laws, regulations, and ethical principles
Tech Ethics Overview- APA and NASP do NOT have specific guidelines for ethical use of technology.- General APA Ethical Guidelines apply to technology as well; hard to keep up with
changes but must demonstrate an effort to comply.o APA General Principles
Privacy and Security, Competence Confidentiality Nonmaleficence Informed Consent Safety (self-disclosure)
Handouts prepared by: Dan Florell – Eastern Kentucky University
5
o APA covers many different aspects including loss of data; having written policies and social media with clients (see also APA Guidelines for Telepsychology, 2013).
NASP- NASP General Principle :
o Data protection; testing materials updatedo “Need to Know” provisions and electronic accesso Be involved in developing district policies development on technology; be clear
of your concerns if issues arise (paper trail)- Issues to Consider :
o Relationship with a client ("like"?)/be my friendo Learning about clients online/they learn about you onlineo Must have personal practice guidelines about disclosureo More training about technology is needed and keeping up to date will be a
challengeo Policies on technology failure; accidental disclosure; e-mail, storage of
information (cloud)o Need to define professional roles vs. personal roles in social media
- The NASP Principles in the Preamble state that “we must protect all students from reasonable foreseeable risk of harm.”
- Principle II – Professional Competence and Responsibilityo Standard II, 3.2, - use assessment techniques and practices that the profession
considers to be responsible, research-based practice. We have to have up-to-date instruments and appropriate normative data. If using computer-assisted assessments, computer scoring and/or interpretation programs, they must be accurate and valid.
o Standard II.4 – Responsible School-Based Record Keeping, Standard II. 4.1 notes: “Parents … are notified of electronic storage and
transmission of personally identifiable school psychological records and the associated risks to privacy.”
Standard II. 4.5 - release of information to outside agencies. This has typically been done with a signed release (good practice), but that does not address the HIPAA guidelines for releases.
o Standard II.4.6 - “to the extent that school psychological records are under their control, school psychologists ensure that only those school personnel who have legitimate educational interests in a student are given access....”
o Standard II.4.7 – protection with password or encryption. The other area that is clearly addressed is “records are not lost due to equipment failure.” e.g. hard drive crash.
o Standard II.4.9 states “school psychologists ... work to establish district policies regarding the storage and disposal of school psychological records that are consistent with law and sound professional practice.”
Handouts prepared by: Dan Florell – Eastern Kentucky University
6
- Standard III — Honesty and Integrity in Professional Relationshipso Standard III.3.3 states that “one cannot alter a report or record of another
professional without their permission. The exemption is for those supervising graduate students.”
- Standard IV — Responsibility to Schools, Families, Communities, the Profession, and Society
o Standard IV.- 5.2 includes institutional research board (IRB) oversight. These are conditions about which graduate students are informed in their studies, but may fall behind in during field practice. Security of records, appropriate data collection, informed consent, record/protocol storage, etc. are essential under these standards.
o Standard IV.- 5.5 concerns making research data available if needed for conclusions reported in publications or presentations. Backing up data sets to a safe place may protect you here
- Digital records include – written notes, digitized/scanned files or report, e-mail, text/SMS messages, audio files, and video files.
HIPAA - Privacy Rule intentional disclosure of PHI & Security Rule unintentional or malicious disclosure or loss of record (only electronic records). No mandated protection methods under the law. "reasonableness" feature under ethics.
- Examples: passwords, digital signatures, firewalls, data encryption, encryption over public networks, backup systems, and disaster recovery plan.
- Check email address before responding
Parents Concerns (Future of Privacy Forum, 2016)- Parents comfortable with properly protected electronic education record being created for
their children (71%) - Parents more likely to support collecting and using data in electronic record if:
o Know school required to ensure security (82%)o School required to use electronic education record only for education purposes
(84%). - Parents have security and privacy concerns, primarily that:
o Child’s electronic education record could be hacked or stolen (84%)o Electronic education record could be used against their child by college or
employer (68%). o Nearly all parents (94%) believe they should be informed with whom and for
what purpose their child’s record is being shared.
Handouts prepared by: Dan Florell – Eastern Kentucky University
7
Sample Language to Use• Reference IDEA, FERPA, and HIPAA
– HIPAA language may be optional• Section
– Type of Information We Collect and How We Collect It• Includes definition of Personally Identifiable Information
– Effective Date and Changes to Privacy Notice– Outline Parent Rights re: Child Records
• List types and location of information• List whom information has been shared with• Ask to limit what we share• Request communication method• Other use of information and withdraw of consent• Filing a complaint
– Uses of records by district– When share information without prior consent– Type of Information We Collect and How We Collect It– Includes definition of Personally Identifiable Information
Home-School Communication• Convenience : Make it easy for parents to get information in way most convenient.• Push, not search : Don’t make parents search for information, push it out to them.• Personalized, not standardized : Give parents information appropriate and applicable for
their child, class, grade level, and school.• Timeliness : Make sure information being communicated is timely and current.• Realization of busyness : Realize parents are busy and need communications to be
concise, to the point, and relevant.• High impact/high ROI information : Make sure information providing is actionable for
parents and important for them to know.
• Communication Preferences – Teacher to parent - 74% e-mail, 45% face-to-face, 39% text, and 32% phone call.– School to parent - 73% e-mail, 62% phone message, 45% text, and 26% online
newsletters.• Social Media
– Family use – most use Facebook with descending use in YouTube, Instagram, Video message, Snapchat, and Twitter.
Email – Students and Families- Situations
o Counseling relationshipo Counseling vs. administrative e-mailso Checking e-mail
- General rule o E-mail communication must support the working alliance between school
psychologist, student and family to promote trustHandouts prepared by: Dan Florell – Eastern Kentucky University
8
- Must list o Acknowledge e-mail is not confidentialo Ensure e-mail platform is encrypted and password protectedo Determine what information will be ok to disclose in e-mailo Acknowledge one will never forward student or family e-mailo Determine policy for recording e-mail in student record/have school policyo Ask student and family about privacy of their e-mail accounts and who has access
E-mail - Typically least protected for student confidentiality HIPAA Best Practice Recommendations (Oliver, Oct 2013):
o Use only sanctioned email providerso Email to only one recipient at a timeo Notify parents prior to using email o Recommend parent provide personal over work email o Verify recipient email address prior to sendingo Include “Unintended Recipient Directions”o Limit confidential info to attachments only o Utilize password protection on documents o Tag email communities as “Confidential”o Utilize “Expiration” feature (5 days)o Mask personal identifiable information
Sample e-mail confidential disclaimero Confidentiality Warning: This e-mail contains information intended only for the use of
the individual or entity named above. If the reader of this e-mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient, any dissemination, publication or copying of this e-mail is strictly prohibited. The sender does not accept any responsibility for any loss, disruption or damage to your data or computer system that may occur while using data contained in, or transmitted with, this e-mail. If you have received this e-mail in error, please immediately notify us by return e-mail. Thank you.
Texting- Many students and families prefer this mode due to ease of communication- Similar issues regarding e-mail- Short Message Service (SMS) is not encrypted, secure of HIPAA compliant- Stop texting students and families until policies are in place- Encrypt all mobile devices- Develop text usage policy- Develop a “ Statement of Understanding” for text-using students and families- Explore secure text messaging solutions
o Eg. Signal, TigerText, Telegram, Wickr
Handouts prepared by: Dan Florell – Eastern Kentucky University
9
“Discoverable” Information – records, text/SMS, e-mails, computer use history, personal information/profile, electronic transmissions (Skype), web sites, Twitter, blogs, social networks, and voicemail.
- Bring Your Own Device (BYOD) – have separate accounts on computer (use Administrator function to do) and have a work and personal cell phones. Otherwise devices that are work/personal are considered work.
Passwords:- Don’t be obvious- Don’t use existing online passwords- Don’t use a regular word- Mix cases, number, and punctuation- Change passwords regularly - Don’t share password or write down- Create hierarchy of passwords- Caps/case do count too; have unique password for EACH account- Some servers do not allow symbols; insert CAPS in middle or end- Thieves will use your “forgot password” access
Security Questions- Another layer of protection- Misspell the street you grew up on or your first boy/girlfriend.- Use street name of your best friend and you know!- Security question hints to make it harder to guess.
Storage of Records in Cloud- Differences among companies about how long the data can be stored and what
information can be used by companies.- Look for privacy statements on websites- G-Suites for Education
o FERPA / COPPA / HIPAA complianto If stay in G-Suites, outside Google account noto School owns data and no ads to studentso Encryption when Gmail and Drive data on moveo Privacy policy available
Terms of Service & Privacy Policies- Someone needs to read both Terms of Service and Privacy Policies of services being
used.o Browser extension called Terms of Service; Didn’t read is available to give gist of
what user is agreeing to.
Encryption - important for files, folders, and hard drives and USB/SD. - 128 bit ok - 256 bit preferred- HIPAA – not apply to schools
o Personal Health Information (PHI)Handouts prepared by: Dan Florell – Eastern Kentucky University
10
o Word processing files transmitted electronicallyo E-mail between psychologist and patient
- At least password protect it. - Do not email file to yourself! - Decide what needs to be encrypted
o Folders and files with PII top priorityo District policies on employee encryptiono Check with district IT
- Encryption Program Types o Processing individual files and folderso Virtual Disk Drive
- Encrypting a Word Document (128 bit encryption)o Click on File tab and click on Info option.o Screen will open and now Protect a Document box will be available.o Clicking on Protect a Document box gives option to Encrypt with Password.o Give a password for the document and verify it.
- Decrypting a Word Documen to Click on File tab and click on Info option.o Screen will open and now Protect a Document box will be available.o Clicking on Protect a Document box gives option to Encrypt with Password.o Remove password that is typed here, then Save file.
- Steps can be completed for Excel in same manner except will be Protect a Workbook.- Encryption Services
o AxCrypt Premium Secure files and folder Secure files on cloud servers
o CertainSafe Digital Safety Deposit Box Secure files stored on server Files broken apart and stored on separate servers and encrypted
o Folder Lock Encrypts files or locks them Allows shredding of files
- File Drives o Before encrypting folders or hard drives, the school district IT department should
be consulted. There may be blocks put on school computers so encryption software cannot be installed. W
o Whole hard drive encryption is likely to slow down speed of computer so it is advisable to focus on encrypting individual folders that contain student information rather than the whole drive.
o Microsoft Windows operating systems - whole drive encryption as option through BitLocker and allows folder encryption.
- Disks/Drives – BitLocker (Windows); - Encrypting Jump Drives
o Kanguru drives
Handouts prepared by: Dan Florell – Eastern Kentucky University
11
https://www.kanguru.com/secure-storage/defender-secure-flash- drives.shtml
o SanDisk SecureAccess 3.0 (Complimentary encryption) http://kb.sandisk.com/app/answers/detail/a_id/2399/~/sandisk-
secureaccess-3.0-support-information-and-download-page - Words of Warning
o Pick a good passwordo Pick a way to remember passwordso Encrypted Excel or Word fileo Check with school district regarding encryption policy.o Don’t put password of encrypted document in same e-mail in which document is
attached.
Cloud Computing- Education data breaches and ransomware are increasingly common and increasing.- Lack of encryption on part of cloud third party vendors- Cloud Storage – sharing
o Sookasa; nCrypted Cloud; Veracrypt- Encrypting in the Cloud – Boxcrytor (all OS + Mobile)
o Can link to cloud drives (only 1 for free version) Examples – Dropbox, Google Drive, One Drive
o Put files into boxcryptor folder which is linked to cloud storageo Drag and drop files to encrypt and store.o Within boxcryptor, able to open and close like usual.o If try to access outside program for cloud, access is denied.o Right click, Show in BoxCryptor and able to open.o Option to provide others access with e-mail address
- Cloud Storage Services o Sample companies – Iron Mountain, ADrive & Carbonite
- Assessment – trend is to changing software and instruments to cloud platformo Examples include Pearson Q Global & Assess, MHS, PAR iConnecto Need to ask questions regarding ethical issues of scoring and storage of results.o These systems will also have smartphone apps associated with them.
Tech Ethics Questions to Ask- Most tech ethics questions center on confidentiality and privacy and the impact it has on
the client’s well being.o Who owns the information?o Where is the information being stored?o How is the information being stored?o How long is that information going to be stored?o Who has access to the information?
o What safeguards are in place? Handouts prepared by: Dan Florell – Eastern Kentucky University
12
o Which has greater security capabilities?o What are the vulnerabilities of the cloud?o Is there incident detection/response?o Look at security monitoring
How will you exercise control over data? What are potential legal concerns? Does it comply with FERPA?
Cloud Assessment- Pearson
o Q Global – includes some assessments including WISC-V, WIAT-III, WPPSI-IV, WAIS-IV
Over 30 measures are available Administer measures on screen Scores automatically and provides a report
o Saves time but not necessarily moneyo Increased flexibility in administration and scoring (cross battery allowed)o Practitioner owns the datao Information stored on servers in Toronto and back-ups in Vancouvero HIPAA and HITECH Complianto Recent issues with data disclosures and lack of access.
Ethics issues of school psychologists response FERPA violations Parent notification
- Hougton Mifflin – Riverside –controversy regarding storage of records indefinitely and user can’t delete information.
o Data can be used in research once de-identified- MHS - rating scale cloud scoring and e-mail of rating scales- PAR – iConnect administer instruments, interpret results, and examine client assessment
o Saves time but not necessarily moneyo Increased flexibility in administration and scoring (cross-battery not allowed)o HIPAA Complianto Update – not store data on servers once instrument scored
Cloud Storage Best Practices- Steps for school employees to follow:
o Check with your IT department before using apps or software.o Don’t keep or share student data any more than you have to.o Don’t share personally identifiable information about students in email.o Don’t use actual student data for training purposes.o Keep your devices secure.
Schools and Cloud Computing – Infinite Campus and AIMsweb examples - Most school districts have in-house servers restricted to use only in district- States have embraced state-wide cloud systems
Handouts prepared by: Dan Florell – Eastern Kentucky University
13
o 95% of districts rely on cloud services for data mining related to student performance, support for classroom activities, student guidance, data hosting, and special services like cafeteria payments and transportation planning
- FERPA and Cloud o Contractually identify cloud vendor as a “school official” under “direct control”
of the education institutiono Five principles for schools to follow:
Maintain control of student data Expressly prohibit the mining of student data for advertising and
marketing purposes Enter into a comprehensive agreement covering all of the cloud services
provided to the education institution Consider how providers may use anonymized data Conduct due diligence into the cloud service provider’s practices with
respect to student data - COPPA Issues
o Information on children under 13 do the following:o Provide parental notice of their information practiceso Obtain prior parental consent for collection, use, and/or disclosure of personal
information from childreno Empower parents, upon request, to review the personal information from their
childreno Provide a parent with the opportunity to prevent further use of personal
information that has already been collected or the future collection of personal information from that child
o Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information
- To the extent that data analytics services collect information directly from school children or enable the tracking of school children based on their interactions with the cloud service, COPPA obligations would apply
- Fordham Law Center (2013) – findings of schools and cloud serviceso 25% of districts inform parents of their use of cloud services o 20% of districts fail to have policies governing the use of online serviceso 25% of the agreements specify the purpose for disclosures of student information,
fewer than 7% of contracts restrict the sale or marketing of student information by vendors, many allow vendors to change the terms without notice
o The majority of cloud service contracts do not address parental notice, consent, or access to student information
o School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency
- National Education Policy Center – Asleep at the Switch Report
Handouts prepared by: Dan Florell – Eastern Kentucky University
14
o Decision makers should not rely on industry self-regulation to protect children’s privacy and the quality of their education. Instead, legislators and policymakers should create clear policies backed by strong, enforceable, sanctions that:
Prohibit schools from collecting student personal data unless rigorous, easily understood safeguards for the appropriate use, protection, and final disposition of those data are in place.
Hold schools, districts, and companies with access to student data accountable for violations of student privacy.
Require algorithms powering education software to be openly available for examination by educators and researchers.
Prohibit adoption of educational software applications that rely on algorithms unless a disinterested third party has examined the algorithms for bias and error; and valid data have shown that the algorithms produce intended results.
Require independent third-party assessments of the validity and utility of technologies, and the potential threats they pose to students’ well-being, to be conducted and addressed prior to adoption.
- School Psychologists and Cloud Computing o School psychologist often mandated to use school cloud services for records.o Many districts are violating FERPA and COPPA issues regarding student
information disclosure in general.o What about protected populations being served?o School psychologists are responsible for protecting this data.
Resources:Parent Toolkit for Student Privacy – Parent Coalition for Student Privacy (5/17)
- https://www.studentprivacymatters.org/toolkit/ Protecting Privacy in Connected Learning Toolkit – COSN (6/17)
- http://www.cosn.org/focus-areas/leadership-vision/protecting-privacy
Contact the Presenter- Dan Florell – Eastern Kentucky University
o [email protected] o Twitter: @schoolpsychtecho Facebook: “Like” MindPsio Web: www.mindpsi.net
Handouts prepared by: Dan Florell – Eastern Kentucky University
