Tietosuojavaltuutetun toimisto (Finland) - 6064/163/20: Difference between revisions

From GDPRhub

Latest revision as of 11:36, 26 April 2023

Tietosuojavaltuutetun toimisto - 6064/163/20
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 04.08.2020
Decided: 21.03.2023
Published: 31.03.2023
Fine: n/a
Parties: City X (Board for Growth and Learning)
National Case Number/Name: 6064/163/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (Finland) (in FI)
Initial Contributor: n/a

The Finnish DPA found a city in Finland responsible for organising primary education infringing multiple GDPR provisions, as personal data of pupils were made visible to an unnecessarily wide group of people through MS Office 365 e-mail address book.

English Summary

Facts

A guardian complained to the DPA about the widespread visibility of pupils' personal data through the address book of the MS Office 365 e-mail system used in primary education organised by the city. The personal data in question were a pupil's 1) name, 2) role, 3) e-mail address, 4) school and 5) grade level. The guardian argued that the personal data of pupils were visible to an unnecessarily large group for the purposes of organising education. The personal data of the pupils were visible in all primary and secondary schools in the city.

The controller, which was the city organising the education, stated that it has a legal obligation to provide primary education. The controller argued that the implementation of the MS Office 365 service is essential for organising primary education and for teaching digital skills in schools in line with the national curriculum for primary education.

Additionally, the controller argued, for example, that the visibility of the data in question is necessary, as identification of the right recipient before sending a message ensures data protection and the integrity and confidentiality of the communication. The controller considered the risk of a message going to the wrong person when sending e-mails to be greater than the risk of the information being visible to others. The controller also submitted that messaging between pupils in different schools may occur when organising elective subjects, hobby and skills groups, and interdisciplinary learning units required by the curriculum.

The guardian stated in their response to the controller, inter alia, that they are not opposed to the use of digital tools in education, but that the city had not justified why the personal data of minors should be visible to all users in all schools in the city.

Holding

The DPA decided that the controller had violated Articles 5(1)(a), 5(1)(c), 5(1)(f) GDPR, and Article 25(2) GDPR when it made the personal data of pupils available in the address book of the e-mail system, so that the data were visible to the pupils, students, and staff of all primary and secondary schools in the city. The DPA viewed that the controller did not demonstrate the appropriateness and necessity of such wide visibility of its pupils' personal data for the purpose of organising primary education.

In light of the principle of data minimisation under Article 5(1)(c) GDPR, the DPA did not consider the controller's arguments sufficient. This applied where the controller deemed the current practice necessary for contact between persons attending different primary schools, and between primary school pupils and secondary school students, in the implementation of multidisciplinary learning units under the primary education curriculum and in the activities of elective subjects, hobby groups and skills groups. Nor was it sufficient where the controller deemed the visibility of the data necessary because teachers need to communicate with the students they teach, who may be in different schools from the teachers themselves.

The DPA viewed that it is not necessary for all pupils to be in contact with others outside their own school. Additionally, the DPA emphasised that the fact that the system used does not allow the visibility of personal data to be limited technically is not a basis for processing personal data beyond what is necessary for tasks related to providing primary education. The DPA also viewed that making the personal data visible in the address book in all other schools in the city was against the principle of confidentiality under Article 5(1)(f) GDPR, and emphasised that this applied in particular because children's data were in question. Lastly, the DPA viewed that Article 25(2) GDPR requires the controller to use IT solutions that are appropriate for the nature of its activities.

The DPA issued a reprimand to the controller under Article 58(2)(b) GDPR and an order to the controller pursuant to Article 58(2)(d) GDPR to bring the processing operations into compliance with the provisions of the GDPR.

Additionally, the DPA emphasised that the controller should re-evaluate the availability of the personal data of pupils in primary education in the e-mail address book it uses. The controller should ensure that it no longer processes the data of its pupils in the address book of the e-mail system in such a way that they are visible outside the pupil's own school, unless there are grounds for wider visibility in the context of organising education. The availability of the pupils' data in the e-mail address book must also be necessary and justified for organising primary education.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Visibility of students' personal data in the address book of the e-mail system used by the education organiser

Keywords: children's personal information
schools
data minimization

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 6064/163/20

Decision of the Deputy Data Protection Commissioner

Matter

Visibility of students' personal data in the e-mail address book used by the education organiser

Controller

City (Growth and Learning Board)

The applicant's demands and their grounds

On 4 August 2020, the guardian initiated a case at the Data Protection Commissioner's office concerning the visibility of students' personal data in the address book of the e-mail system used in basic education organised by the city. According to the applicant, the address book shows the student's name (possibly all first names), role (student), educational institution and e-mail address. The information is visible to the students of all the city's schools, the guardians assisting them and the school staff. In the applicant's opinion, the students' information is visible to an unnecessarily large group in terms of organising the teaching, which causes significant risks of misuse in the processing of the students' personal data, and the practice is otherwise inappropriate considering that it concerns minor children.

The applicant states that the controller uses the Microsoft Office 365 service (hereinafter the O365 service) at the school, where, according to the system supplier's instructions for educational institutions, it would be possible to limit the visibility of students' information in the e-mail address book by class. However, according to the applicant, the education organiser has not limited visibility, and the guardians do not have the possibility to limit visibility either. According to the material attached to the request for action on 7 August 2020, users of the system can also see content created and shared in the course of use.

The applicant states that he was in contact with the school on 6 April 2020 and with the city's data protection officer on 22 April 2020. According to the applicant's understanding, parents have a legal obligation to have information recorded in the register of their child's own educational institution, but not to share their child's personal information so widely.

The controller's statement and additional statement

According to the statement given by the controller on 27 August 2021, the city has a statutory obligation to organise basic education. The city has implemented the O365 service, which is essentially related to the organisation of basic education and the teaching of digital skills in schools in accordance with the basic education curriculum. The city follows the guidelines given by the National Board of Education on, for example, access control, authentication, non-repudiation and identification. According to the additional statement given by the controller on 31 October 2022, the Finnish National Board of Education's content package on data security and data protection in schools defines the data security and data protection of educational activities as being based on confidential communication and reliable identification and authentication of the parties.

The controller states in its statement that in the e-mail service used in basic education, all users form one unified group of teachers and students. Users see each other's school and role (teacher or student) as indirect identifiers, and name and name-based e-mail address as direct identifiers. According to the controller's additional statement, the address field also indicates the grade level, but does not specify the class. The controller's additional statement shows that the information of students in basic education appears in the e-mail address book in all educational institutions providing basic education in the city, which include 22 elementary schools, 8 unified schools, 4 middle schools and 2 special schools. In addition, the information of students in basic education is displayed in 7 educational institutions that provide upper secondary education. The same information is visible for all grade levels.

The controller's statement says that teachers and students use the e-mail service for mutual communication and that e-mail communication is also taught at school. There are several students with the same name in the schools, and sometimes also teachers, in which case it is necessary to identify the recipient before making contact. Contact also takes place between teachers working in different schools and students studying in different schools, e.g. in connection with optional subjects, hobby groups and skills groups and the multidisciplinary learning units required by the curriculum. By combining the name-based e-mail address in the directory service with the school, the aim is to ensure proper identification of the person, and the sender is informed if the recipient does not exist. At the same time, the amount of identification data stored in the system is kept moderate. By identifying the recipient before sending the message, data protection is ensured, as are the integrity and confidentiality of the communication. The controller considers the greater data protection risk to be that, when sharing files and access rights and when sending e-mail, messages go to the wrong person, rather than the fact that the name is visible to others. According to the statement, the practice follows the instructions of the National Board of Education.

The controller states in the additional statement that, also in terms of technical data protection and information security, showing the student's school and grade level has been deemed necessary so that the responsible teacher and the school's IT manager can be reached quickly if the situation so requires. If disruptive behaviour is detected online, it is important that the teacher or instructor and information management experts are able to intervene in the situation in a multiprofessional manner. In these situations the person must be reached quickly, even though, as a technical security measure, their user account can be closed as soon as the case is identified by information management. Especially with children, it is necessary to go through the causes and consequences of the event together.

Looking at the matter pedagogically, the controller states that the teacher must be able to identify students seamlessly in the O365 environment, which is why it is necessary for the service to display at least a name and/or a name-based e-mail address. The controller's additional statement notes that a single teacher can teach several grade levels and that teachers at unified schools teach students of the city's upper secondary schools in addition to basic education students. In the M365 environment used by the city, Teams groups are formed automatically based on the students' choices, and in addition teachers form such groups from the user directory as needed in connection with their teaching. Multidisciplinary learning units, which are closely related to the current curriculum, usually involve extensive collaboration between grade levels and schools in the M365 environment, and students can set up Teams for schoolwork and school-related hobby activities.

According to the controller's statement, it is important in teaching that all students have a consistent opportunity to use the tools that are essential for teaching, which ensures equal learning and strengthens digital competence. The controller's additional statement specifies that one of the main tasks of teaching is to provide the skills to function in society. Digital skills and competence have been raised as a key goal in the curriculum. To promote this goal, the city wants to provide a supported online environment for students, teachers and counsellors, and for each user an online identity that entitles them to use the online environment, which is intended for the students' school work and the teachers' and counsellors' professional work.

The statement shows that the city buys e-mail services from an external service provider for the Growth and Learning service area. The city has enquired with Microsoft and the service provider about the possibility of limiting the visibility of name and e-mail address information to within one school. According to the controller's statement, the e-mail service does not offer such functional limitations, and the service provider does not guarantee the functionality of the service if unit-specific technical limitations are applied to the user data. Based on the technical report, the students' information could be hidden if the user IDs in the main directory were series of numbers and no name or class information were generated in any visible fields, but then cooperation within the school or class would be awkward, even impossible. Adopting such a procedure on a large scale is not recommended. According to the controller's statement, the restrictions on the availability of the address book raised by the guardian are not technically applicable to the cloud environment.

According to the controller's additional statement, applying user restrictions between schools, for example, would be technically possible if the directory services were limited to the e-mail service and the local directory service connected to it, but the M365 service is a large, constantly developing entity to which new features and even services are regularly introduced, not all of which support limiting visibility in the same way. Local changes to user data and visibility in individual services can lead to unforeseen consequences for the interaction between digital services and for usability, because the services are developed as a whole. According to the controller's statement, it is not possible to comprehensively assess the effects, so local restrictions are not recommended and there are currently no supported solutions for applying them.

The controller states that the risks raised by the complainant are possible, but efforts have been made to prevent them. The online identity is intended for students' school work and teachers' and instructors' professional work. The city's rules and commitments for data network use prohibit disruptive behaviour, misuse of data and harassment of other users. These matters are taught in schools under the guidance of the teacher and are also reviewed at parents' evenings. Related training has also been organised for teachers and other actors, guidelines and advance preparedness have been developed, and the information security and data protection of the environment have been audited.

The controller says that it has found out how other cities have limited the visibility of basic education students' personal data between schools. Most of the cities that responded use a name-based e-mail address of the same format as the controller's. Some cities use a pseudonymised address structure, but even in these cities, apart from certain exceptional situations, name information is displayed alongside it, and nowhere is name information technically limited to a single school's internal use. In the additional statement, the controller considers it necessary for technical instructions to be provided for implementing refinements and limitations, should the national instructions be refined.

The applicant's response

The guardian gave his response on 8.2. and 14 November 2022. The applicant states in his first response that displaying the students' information in the e-mail address book used by the education organiser is primarily a question of ensuring the data protection of minor children. It is also about risk management, to which the city has not shown commitment through its activities, and it has not carried out the relevant measures. The city mentions that the O365 service is "essentially related to the organisation of education" and at the same time justifies the use of an individually purchased service with the controller's obligation to organise basic education. The applicant states that simply preparing a data protection statement does not indicate the correctness of the operating models. The knowledge that cities generally operate in the same way is not a reason for negligence in organising data protection. If the operating model is really this widespread nationwide, a position must be taken on the matter from a data protection point of view. The applicant draws attention to the Norwegian Board of Education's guide, which states that "data protection concerns when it is possible to collect or otherwise process (even public) personal data".

According to the applicant, a platform shared by the students and teachers of all the schools in the city (more than 10,000 people) is fundamentally weakly justified. The processing of personal data should be related to a real, justifiable need. According to the applicant, there is no basis for sharing contact information between people studying and working in different grades, school levels or towns, apart from the mentioned optional subjects or different teaching groups. According to the applicant's understanding, the exchange of information in these situations works in such a way that, at the beginning of the module or course, the necessary contact information is requested and recorded, without listing the information of all students to all thousands of users. The controller has justified the visibility of student information in the e-mail address book by the information needs of individual teachers, teachers of unified schools and teachers of upper secondary schools, but the applicant asks whether this means teachers working within the same building, and how often student information is actually needed in other schools and educational institutions. The applicant also refers to the instructions of the National Board of Education.

The applicant states that he is not against the use of digital tools and the O365 environment in education, but the city has not justified why the personal data of minor children should be visible to all users in all schools of the city, which is what this matter is about. Unnecessarily broad visibility of student data enables unwanted access, e.g. via messages or Teams online calls. According to the applicant's response, the city focuses too much on the e-mail system and the format of the e-mail address. It is entirely understandable that the city wants to avoid misdirected e-mails by investing in recognisability. The applicant agrees that, for example, an e-mail address in the form firstname.surname is a better option in terms of usability and recognisability than a pseudonymised identifier, e.g. a combination of letters and numbers. Educating and instructing students is also important, but the processing of personal data must still comply with data protection regulations.

The applicant states that he has provided the controller with Microsoft's instructions on using the service in a school environment and creating user groups (see the sources "Separating users in Office 365 using Address Book Policies" and "Address Book Policies"). The applicant states that these instructions should be followed in order to implement data protection. In addition, it should be assessed whether the city has the right to introduce systems in which it is impossible to comply with data protection even with the help of technology experts. The applicant also draws attention to Article 32(2) of the Data Protection Regulation on the security of processing, which obliges the controller to take into account the risks arising from the processing. The applicant sees as risks the sending of e-mail to the wrong person, the copying and handing over of e-mail lists or usernames to outsiders, the use of leaked information in hacking attempts, and inappropriate communication or bullying. The password practices and skills of users (especially children) should also be taken into account when assessing the risk. According to the applicant, making digital skills and competences a central goal of the curriculum requires that the responsible persons also have the means, skills and competences to realise the goal.

The applicant draws attention to the fact that the larger a group that openly combines and interacts with different age groups is formed, the more it requires trust towards other users. In this case, trust should not have to be placed only on service users who do not know each other, but on the controller. The applicant asks how the city is able to ensure that students representing different age groups act in accordance with the instructions and who is responsible in situations of abuse. More precise demarcation and protection of personal data groups and their visibility reduces the damage resulting from a possible data protection violation.

Applicable legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) has applied since 25 May 2018. As a regulation it is directly applicable law in the Member States. The GDPR leaves national leeway on the basis of which national legislation may supplement and specify matters defined in the regulation; in Finland it is specified by the Data Protection Act (1050/2018). The processing of personal data may also be affected by other legislation governing the activity in question. The Basic Education Act (628/1998) provides for the organisation of basic education, which is the activity at issue here.

Legal questions

The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the GDPR, the Data Protection Act and the Basic Education Act. The matter concerns the processing of pupils' personal data in the address book of the e-mail service used to organise basic education. The questions to be resolved are:

1. whether the controller has complied with Article 5(1)(a) (lawfulness and fairness), Article 5(1)(c) (data minimisation) and Article 5(1)(f) (confidentiality) of the GDPR, and with Article 25(2), when pupils' personal data in the e-mail address book used by the organiser of basic education are visible in all basic-education and upper secondary schools in the city;

2. whether the controller should be issued a reprimand under Article 58(2)(b) of the GDPR, if the processing operations have infringed the GDPR; and

3. whether the controller should be ordered under Article 58(2)(d) of the GDPR to bring the processing operations into compliance with the GDPR, where necessary in a specified manner and within a specified period.

Decision and reasons of the Deputy Data Protection Commissioner

Decision

The controller (the organiser of basic education) has not complied with Article 5(1)(a) (lawfulness and fairness), Article 5(1)(c) (data minimisation) or Article 5(1)(f) (confidentiality) of the GDPR in the processing of its pupils' personal data, nor with Article 25(2), in that it has made its pupils' personal data available in the address book of the e-mail system they use so that the data are visible in all basic-education and upper secondary schools in the city. The address book shows the pupil's first name and surname, role (pupil), e-mail address, school and class. The controller has not been able to demonstrate that such wide visibility of its pupils' data is appropriate and necessary for organising basic education.

The Deputy Data Protection Commissioner issues the controller a reprimand under Article 58(2)(b) of the GDPR, because the processing of pupils' personal data in the address book of the e-mail system has infringed the GDPR.

The Deputy Data Protection Commissioner orders the controller under Article 58(2)(d) of the GDPR to bring the processing operations into compliance with the GDPR. The controller must reassess the availability of basic-education pupils' personal data in the e-mail address book they use. The controller must ensure that it no longer processes its pupils' data in the address book in such a way that they are visible outside the pupil's own school, unless there are grounds related to the situation and the organisation of teaching for wider visibility. Having pupils' data available in the address book must also be necessary and justified within the school itself for organising basic education.

The order is not to pseudonymise the data but to restrict the availability of pupils' data to a limited group. The decision does not concern the availability of school staff's e-mail addresses in the address book of the e-mail system.

Reasoning

Controller

The matter concerns the organisation of basic education, in which the city is the organiser of basic education and the controller for the processing of its pupils' personal data. The controller's responsibility is laid down at a general level in Article 24 of the GDPR, which is read together with the other provisions on the controller's obligations. From the controller's report it appears that the city buys e-mail services from an external service provider for its Growth and Learning service area. A controller may use external service providers in its operations, but it remains responsible for the processing of personal data in accordance with the GDPR.

Requirements of lawfulness, fairness, data minimisation and confidentiality

Article 5(1)(a) of the GDPR provides that personal data must be processed lawfully and fairly (principles of lawfulness and fairness). Under Article 5(1)(c), personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). Under Article 5(1)(f), personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

The case concerns the display of pupils' personal data, in the address book of the e-mail system used by the organiser of basic education, to all other users of the same e-mail system. The address book shows the pupil's name (a second name may also be shown), role (pupil), e-mail address, school and grade level. According to the controller's report of 31 October 2022, the city has 22 primary schools, 8 unified comprehensive schools, 4 lower secondary schools and 2 special schools providing basic education, and in addition 7 upper secondary schools. Besides the pupil's own school, the data of basic-education pupils are displayed in the e-mail address book to the pupils, students and staff of all other basic-education and upper secondary schools in the city.

In its statement of 27 August 2021 the controller states that the use of the O365 service is essentially linked to the organisation of basic education and to teaching digital skills in schools in accordance with the basic education curriculum. According to the controller, teachers and pupils use the e-mail service for communicating with each other, and pupils are taught e-mail communication. Schools have several pupils, and sometimes teachers, with the same name, so the person must be identified before making contact. Contact also takes place between teachers working in different schools and pupils studying in different schools, for example in optional subjects, hobby and skill groups and the multidisciplinary learning modules required by the curriculum. According to the controller, combining a name-based e-mail address with the school ensures that the person is properly identified before a message is sent, so that it does not go to the wrong recipient, and at the same time implements data protection. The controller also states that, assessed pedagogically, the teacher must be able to clearly identify pupils in the service.

The Deputy Data Protection Commissioner draws attention to the principle of data minimisation in Article 5(1)(c) of the GDPR. According to Recital 39, personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed, and should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. The European Data Protection Board has also issued practical guidance on this principle. According to that guidance, it should first be established whether processing personal data is necessary at all; processing of personal data is expressly to be avoided wherever possible. It is further emphasised that the personal data processed must be relevant to the purpose in question, and that all personal data processed should be necessary to achieve a separately defined purpose. Processing of particular personal data is permitted only if the purpose cannot be achieved in another way.

In the Deputy Data Protection Commissioner's view, it is clear that communication tools may be used, and their use taught, in organising basic education, and that the confidentiality of communication must also be ensured. According to the controller's report, organising basic education may also require communication between pupils in different basic-education schools, and between basic-education and upper secondary pupils, in implementing the multidisciplinary learning modules of the basic education curriculum and in the operation of optional subjects and hobby and skill groups. Teachers also need to communicate with the pupils they teach, who may be in a different school from the teacher. The Deputy Data Protection Commissioner notes, however, that these situations do not apply to all pupils in every grade of basic education. According to the controller's explanation, a basic-education pupil's data are entered in the e-mail address book when the pupil starts basic education, and the pupils' data appear in the address book in the same way for grades 1 to 9.

The Deputy Data Protection Commissioner points out that an e-mail message can also be sent to a recipient on the basis of an address obtained in advance, and the communication is not blocked even if the recipient's address does not appear in the address book. If the sender does not know the recipient's name, the address book does not ensure that the message reaches the correct recipient either. If a message is sent to an address that does not exist, it is not delivered and the sender is notified. Nor does the address book completely rule out misdirected communication between recipients with the same name. A wide address list in the address book can in itself reduce the risk of messages going to the wrong recipient through human error, such as typing mistakes, but at the same time it creates risks for the processing of pupils' personal data. Delivery to the correct recipient is partly ensured by the fact that the recipient's name appears in the e-mail address, even if that address does not appear in the address book.

The controller also justifies its procedure by stating that, in the e-mail system used to organise basic education, it is not technically possible to limit the visibility of pupils' personal data in the address book to a single school. The controller further states that the service it uses is a large, constantly evolving whole to which new features and even new services are regularly added, and that not all new features or services support restricting visibility to the same extent.

The Deputy Data Protection Commissioner states that a school's teachers may process the data about their pupils that they need in their work, and pupils need to process the contact details of the pupils with whom they are required to communicate in schoolwork. The Deputy Data Protection Commissioner notes that the controller has not presented reasons why organising basic education requires that all pupils' data appear in the e-mail address book in all basic-education and upper secondary schools in the municipality. Not all pupils have any need to communicate with people outside their own school. The fact that the e-mail system used by the controller cannot technically limit the visibility of pupils' personal data is not a reason to process pupils' personal data more widely than the tasks involved in organising basic education require. Such a procedure leads to unnecessarily extensive processing of pupils' personal data that is not appropriate for the controller's tasks.

The Deputy Data Protection Commissioner therefore considers it unnecessary, for the purposes of organising basic education, that the data of all basic-education pupils are visible in all other basic-education and upper secondary schools in the city in addition to the pupil's own school. Processing data that is unnecessary for the purpose is also not appropriate in terms of the tasks of the organiser of basic education. The Deputy Data Protection Commissioner considers such extensive visibility of basic-education pupils' data contrary to Article 5(1)(a) and (c) of the GDPR. The Deputy Data Protection Commissioner also points out that the requirements of fairness and data minimisation must be taken into account within the pupil's own school as well: the controller must therefore assess whether organising teaching requires that a pupil's address-book data are always visible to all e-mail users even within the pupil's own school.

The Deputy Data Protection Commissioner draws attention to the fact that organising basic education involves processing children's personal data. According to Recital 38 of the GDPR, children's personal data merit specific protection, as children may be less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. Under Recital 75, risks may arise in particular where personal data of vulnerable natural persons, in particular children, are processed.

In this case the principle of confidentiality in Article 5(1)(f) of the GDPR must also be taken into account. Under Recital 39, personal data must be processed in a manner that ensures appropriate security and confidentiality of the personal data. When assessing the security measures required under Article 32(1), the risks of varying likelihood and severity for the rights and freedoms of the data subject arising from the processing must be taken into account. The security of processing calls for appropriate measures whose purpose is to ensure that the processing task is carried out properly. The Deputy Data Protection Commissioner considers that making pupils' data available in the address book of the e-mail system in all other basic-education and upper secondary schools in the city is also contrary to the principle of confidentiality, taking into account that the data concerned are children's data.

Disclosure of pupils' data

Article 86 of the GDPR allows the right of public access to official documents to be reconciled with the right to the protection of personal data under the GDPR. Under Section 28 of the Data Protection Act, the right to obtain data from an authority's personal data file, and other disclosure of personal data from it, is governed by the legislation on the openness of government activities. Section 16(3) of the Act on the Openness of Government Activities (621/1999, Openness Act) concerns the disclosure of public data from an authority's personal data file, for example in electronic form; the condition for disclosure is that the recipient has the right to store and use such data under the provisions on the protection of personal data. The grounds for disclosing confidential information are laid down in Section 26 of the Openness Act.

According to the controller's report, the data of basic-education pupils shown in the address book of the e-mail system are public information, unless disclosing them would reveal something that must otherwise be kept secret. In this respect the controller states that it follows the instructions of the Board of Education on determining the public and confidential status of information. The Deputy Data Protection Commissioner states that the assessment of whether information is public or confidential is based on the Openness Act and that the Deputy Data Protection Commissioner has no competence to assess that question. The GDPR nevertheless applies to the processing of information considered public where that processing involves personal data, and the case at hand concerns the processing of personal data.

The Deputy Data Protection Commissioner states that making pupils' personal data visible in the e-mail address book also involves disclosing those data to third parties, which is possible only on a legal basis. Even where a ground under Section 16(3) of the Openness Act exists, disclosure also requires that the data protection principles are taken into account. The Deputy Data Protection Commissioner considers that making pupils' data available in the address book of the e-mail system used by the organiser of basic education, so that they are visible in all basic-education and upper secondary schools in the city, is contrary to the GDPR's principles of fairness, data minimisation and confidentiality. The Deputy Data Protection Commissioner therefore finds that the controller has not complied with Article 5(1)(a), (c) and (f) of the GDPR.

Data protection by design and by default, and accountability

Article 25 of the GDPR provides for data protection by design and by default. The controller must implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Recital 78 states that, when developing, designing, selecting and using information systems, it must be taken into account that the controller must be able to fulfil its data protection obligations.

Under Article 5(2) of the GDPR, the controller is responsible for, and must be able to demonstrate, compliance with Article 5(1). The controller must be able to demonstrate that the GDPR has actually been complied with, and the measures implemented must take into account the risk to the rights and freedoms of natural persons.

The Deputy Data Protection Commissioner points out that data protection by design and by default requires the controller to use IT solutions suited to the nature of the activity when organising basic education. The characteristics of an information system cannot be used to justify the lawfulness of processing basic-education pupils' personal data. The Deputy Data Protection Commissioner finds that the controller has not been able to demonstrate that the data protection principles and data protection by design and by default have been complied with in this case.

On the case at hand

In the case at hand, the provisions on the processing of personal data in Article 25(2) and Article 5(1)(a), (c) and (f) of the GDPR, and the demonstration of compliance with them, are relevant. An organiser of basic education must use an e-mail system that makes it possible to comply with data protection legislation in the processing of pupils' personal data.

The Deputy Data Protection Commissioner considers it appropriate to issue the controller a reprimand under Article 58(2)(b) of the GDPR, because the processing of pupils' personal data in the address book of the e-mail service used by the organiser of basic education has, on the grounds set out above, been contrary to Article 5(1)(a), (c) and (f) and Article 25(2) of the GDPR. The Deputy Data Protection Commissioner also orders the controller under Article 58(2)(d) of the GDPR to bring the processing operations into compliance with the GDPR. The controller must ensure that the visibility of pupils' data in the e-mail address book is necessary and appropriate for organising basic education, and change the visibility of the data accordingly.

Applicable legal provisions

Those referred to in the reasoning.

Appeal

Under Section 25 of the Data Protection Act (1050/2018), this decision may be appealed to the Administrative Court as provided in the Administrative Judicial Procedure Act (808/2019).

Service

The decision is served in accordance with Section 60 of the Administrative Procedure Act (434/2003) by post against acknowledgement of receipt.

The decision was made by Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa.

Guidance of the Deputy Data Protection Commissioner

The privacy notice on the Microsoft Office 365 electronic working environment on the city's website indicates that the O365 service may transfer personal data outside the EU/EEA. At this stage the controller is informed, and its attention is drawn to the fact, that another controller has been given guidance on transfers of personal data to third countries in connection with a decision of the Data Protection Commissioner. In this respect the Deputy Data Protection Commissioner directs the controller to the guidance given in the Data Protection Commissioner's decision dnro 1509/452/18 of 30 December 2021. The question of transfers of personal data to third countries is still pending at the Office of the Data Protection Commissioner and will be resolved in the near future in connection with that matter.

In this decision the Deputy Data Protection Commissioner has not assessed the legal basis for processing pupils' personal data in the e-mail system of the organiser of basic education or in the other digital services used by the controller. In the reports provided, the controller has assessed that the processing of personal data in the e-mail system is based on Article 6(1)(a) and (c) of the GDPR. In this respect the Deputy Data Protection Commissioner also draws the controller's attention to the Data Protection Commissioner's decision no. 1509/452/18.

Non-disclosure for personal safety (security ban) is regulated in the Act on the Population Information System and the Certificate Services of the Digital and Population Data Services Agency (661/2009). This decision does not assess how a non-disclosure order granted to a pupil affects the creation of an e-mail address or the visibility of that address.

In its report the controller has asked for guidance on how to implement limiting the visibility of the address book. In connection with another matter, the Deputy Data Protection Commissioner has received information from a controller that in one city the address book is hidden entirely, so that pupils' data do not appear in the address book for other e-mail users when basic education is organised. The Deputy Data Protection Commissioner notes in this context, as a general observation, that teachers and pupils usually have the possibility of creating their own personal address books.
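As an illustration of the two approaches discussed on this page, the per-school scoping via Microsoft's Address Book Policies that the applicant pointed the controller to, and the hide-completely approach another city uses, the following Exchange Online PowerShell session shows both. It is an added example, not part of the decision and not the city's configuration. It assumes that every mailbox carries its school's code in CustomAttribute1 and that pupil mailboxes carry the value Pupil in CustomAttribute2; the school code SchoolA and the object names are placeholders.

```powershell
# Added example (not from the decision): scoping Exchange Online address-book
# visibility per school with an Address Book Policy (ABP), and the alternative
# of hiding pupil mailboxes from all address lists.
# Assumptions: CustomAttribute1 = school code, CustomAttribute2 = 'Pupil' for
# pupil mailboxes, 'SchoolA' is a placeholder. Requires the
# ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# ABPs need organisation customisation; the cmdlet errors if already enabled.
Enable-OrganizationCustomization -ErrorAction SilentlyContinue

$school = 'SchoolA'
$filter = "(CustomAttribute1 -eq '$school')"

# 1. A global address list, an address list and a room list that each contain
#    only this school's recipients (OPATH recipient filters).
New-GlobalAddressList -Name "$school GAL"   -RecipientFilter $filter
New-AddressList       -Name "$school Users" -RecipientFilter $filter
New-AddressList       -Name "$school Rooms" `
    -RecipientFilter "$filter -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"

# 2. An offline address book built from the scoped GAL (cached-mode Outlook).
New-OfflineAddressBook -Name "$school OAB" -AddressLists "$school GAL"

# 3. The policy tying them together. -RoomList is mandatory even with no rooms.
New-AddressBookPolicy -Name "$school ABP" `
    -GlobalAddressList  "$school GAL" `
    -AddressLists       "$school Users" `
    -OfflineAddressBook "$school OAB" `
    -RoomList           "$school Rooms"

# 4. Assign the policy to every mailbox of that school. A mailbox with no ABP
#    keeps seeing the tenant-wide GAL, so this step is what limits visibility.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$school'" |
    Set-Mailbox -AddressBookPolicy "$school ABP"

# 5. Optional hardening: resolve recipients outside the sender's ABP as if they
#    were external, so a typed address does not expand to display-name data.
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

# Alternative used by the city mentioned above: hide pupil mailboxes from every
# address list. Mail to an address the sender already knows is still delivered.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute2 -eq 'Pupil'" |
    Set-Mailbox -HiddenFromAddressListsEnabled $true

# Verification: which policy each mailbox has and whether it is hidden.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$school'" |
    Select-Object DisplayName, AddressBookPolicy, HiddenFromAddressListsEnabled
```

Two caveats a practitioner would check before relying on this. An ABP only changes what the Outlook and Outlook on the web address book shows; it does not block mail to an address the sender already knows, which is the point the decision makes about misdirected messages. Teams people search draws on the Microsoft 365 directory and is scoped separately, through the Teams admin center setting that scopes directory search using an Exchange address book policy; without it, the Teams contact and call surface the applicant mentions still exposes every user, which is consistent with the controller's observation that not every service honours the restriction equally.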

The case has also raised issues relating to the protection of files created by pupils, which the Deputy Data Protection Commissioner has not examined in more detail in connection with this case. The Deputy Data Protection Commissioner draws the controller's attention to the obligation to protect personal data and to the fact that the GDPR requires the controller to ensure that sufficient instructions have been given for the processing of personal data and that the processing is monitored.

This guidance of the Deputy Data Protection Commissioner cannot be appealed.