Persónuvernd (Iceland) - 2021101909: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=20211019...")
 
 
(2 intermediate revisions by one other user not shown)
Line 61: Line 61:
}}
}}


The Icelandic DPA held that the processing of incorrect information about the attendance of a child by a school violates [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]].  
The Icelandic DPA held that a school violated [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] by processing incorrect information about the attendance of a child. However, since the inaccuracies were rectified within 12 hours, no further actions were necessary.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 1 October 2021, the Icelandic DPA received a complaint from the father of a child, who is the data subject. The complaint alleged that the Principal of the school where the data subject was studying deliberately entered the wrong attendance record of the data subject. It was alleged that this was done to influence proceedings in a visitation case, whether the mother and father of the data subject were against each other in litigation. The complaint also stated that the Principal was related to the mother of the data subject and that the attendance record was corrected by the school only after it was pointed out by the father.
On 1 October 2021, the Icelandic DPA received a complaint from the father of a child. The child is the relevant data subject in the case at hand. The complaint alleged that the principal of the data subject's school deliberately entered the wrong attendance record. It was alleged that this was done to influence proceedings in a visitation case, where the parents of the data subject were engaged in court proceedings against each other. The complaint also stated that the principal was related to the mother of the data subject and that the attendance record was corrected by the school only after it was pointed out by the father.


In reply before the DPA, the school stated that the wrongful entry in the attendance record was by mistake. The school stated that access to attendance records is restricted and only the supervising teacher, office manager, and the Principal have access. It was also stated that the attendance record was corrected as soon as it was brought to the notice of the school.  The school stated that logs of all actions on the attendance systems are maintained and a monthly report is sent out to parents so that they can comment on the registration of attendance concerning their child.  
In its reply to the DPA, the school stated that the wrongful entry in the attendance record had been done by mistake. The school stated that access to attendance records is restricted and only the supervising teacher, office manager, and the principal have access. It was also stated that the attendance record was corrected as soon as it was brought to the notice of the school.  The school stated that logs of all actions on the attendance systems are maintained and a monthly report is sent out to parents so that they can comment on the registration of attendance concerning their child.  


=== Holding ===
=== Holding ===
The DPA held that as per [[Article 4 GDPR|Article 4 GDPR]], the school is the controller. However, the DPA said that it does not have the jurisdiction to decide whether the Principal fed in the wrong attendance record on purpose. Nevertheless, for the processing of personal data to be lawful, it should be covered within the grounds mentioned in [[Article 6 GDPR|Article 6 GDPR]].  
The DPA held that, pursuant to [[Article 4 GDPR|Article 4 GDPR]], the school is the controller. However, the DPA said that it does not have the jurisdiction to decide whether the principal fed in the wrong attendance record on purpose. Nevertheless, for the processing of personal data to be lawful, it should be covered within the grounds mentioned in [[Article 6 GDPR|Article 6 GDPR]].  


The DPA stated that Iceland has a law on the attendance of schoolchildren where school managers and teachers have certain obligations. As per Article 8 Section 4 of the Act on Data Protection and the Processing of Personal Data, and also [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]], it is the responsibility of the controller to have data accuracy.  
The DPA stated that Iceland has a law on the attendance of schoolchildren which created obligations for school managers and teachers. As per Article 8 Section 4 of the Act on Data Protection and the Processing of Personal Data and [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]], it is the controller's responsibility to ensure data accuracy.  
That the school violated Article 8 Section 4 of the Act on Data Protection and the Processing of Personal Data, and also [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] as the attendance record was not accurate. However, as the same was rectified within 12 hours, there is no requirement of giving any further directions.  
As the attendance record was not accurate, the school violated Article 8 Section 4 of the Act on Data Protection and the Processing of Personal Data and [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] . However, as the inaccuracy was rectified within 12 hours, there is no requirement of any further directions.  


== Comment ==
== Comment ==

Latest revision as of 13:08, 5 October 2022

Persónuvernd - 2021101909
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(d) GDPR
Article 8 Act on Data Protection and the Processing of Personal Data
Type: Investigation
Outcome: Violation Found
Started: 01.10.2021
Decided: 21.09.2022
Published: 21.09.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 2021101909
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (Iceland) (in IS)
Initial Contributor: gauravpathak

The Icelandic DPA held that a school violated Article 5(1)(d) GDPR by processing incorrect information about the attendance of a child. However, since the inaccuracies were rectified within 12 hours, no further actions were necessary.

English Summary

Facts

On 1 October 2021, the Icelandic DPA received a complaint from the father of a child. The child is the relevant data subject in the case at hand. The complaint alleged that the principal of the data subject's school deliberately entered the wrong attendance record. It was alleged that this was done to influence proceedings in a visitation case, where the parents of the data subject were engaged in court proceedings against each other. The complaint also stated that the principal was related to the mother of the data subject and that the attendance record was corrected by the school only after it was pointed out by the father.

In its reply to the DPA, the school stated that the wrongful entry in the attendance record had been done by mistake. The school stated that access to attendance records is restricted and only the supervising teacher, office manager, and the principal have access. It was also stated that the attendance record was corrected as soon as it was brought to the notice of the school. The school stated that logs of all actions on the attendance systems are maintained and a monthly report is sent out to parents so that they can comment on the registration of attendance concerning their child.

Holding

The DPA held that, pursuant to Article 4 GDPR, the school is the controller. However, the DPA said that it does not have the jurisdiction to decide whether the principal fed in the wrong attendance record on purpose. Nevertheless, for the processing of personal data to be lawful, it should be covered within the grounds mentioned in Article 6 GDPR.

The DPA stated that Iceland has a law on the attendance of schoolchildren which created obligations for school managers and teachers. As per Article 8 Section 4 of the Act on Data Protection and the Processing of Personal Data and Article 5(1)(d) GDPR, it is the controller's responsibility to ensure data accuracy. As the attendance record was not accurate, the school violated Article 8 Section 4 of the Act on Data Protection and the Processing of Personal Data and Article 5(1)(d) GDPR . However, as the inaccuracy was rectified within 12 hours, there is no requirement of any further directions.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information about a child at a primary school

Case no. 2021101909

21.9.2022

Personal data protection ruled in a case where a complaint was made about the processing of a child's personal information by a school. More specifically, a complaint was made about the registration of a child's attendance into the Mentor computer system, but the complainant believed that incorrect information had been entered about the child.

The conclusion of the Personal Protection Agency was that the school's processing of the child's personal information did not comply with the provisions of the Act on Personal Protection and Processing of Personal Information.



Ruling

about a complaint about the processing of a child's personal information by [school] in case no. 2021101909:

i
Procedure



On October 1, 2021, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the processing of personal data during the attendance registration of his child by the principal of [school] (hereinafter the school).

Personal protection invited the school to comment on the complaint by letter, dated February 21, 2022, and the school's answers were received on March 24, 2022. By letter, dated On April 26, 2022, the complainant was presented with the school's answers. On May 17, 2022, Personal Protection received the complainant's response letter.

When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

___________________

The complainant relies on the fact that on September 22, 2021, outside normal working hours, the school's principal entered the wrong attendance record for his child into the Mentor computer system. The complainant believes that the wrong registration of attendance was carried out on purpose, with the purpose of influencing the magistrate's official duties in handling a visitation case, while the school principal is related to the child's mother by family ties. The complainant also believes that the wrong attendance registration was only corrected due to a suggestion from him about the registration.

The school believes that the specified attendance registration, which was carried out on the evening of September 22, 2021, took place by mistake. The procedure is in force at the school that only supervising teachers, together with the office manager, take care of the attendance registration of students in Mentor. However, the principal has access to all the school's students, since the principal is responsible for the school and is responsible for responding to insufficient school attendance according to the school's rules on school attendance. The supervising teacher of the complainant's child became aware, on the morning of September 23, 2021, that an incorrect attendance registration had been made for the child the night before and the office manager corrected the registration immediately, or at 9.20 on 23 September 2021. The school relies on children's attendance registrations being carried out in accordance with paragraphs 19 and 3. Article 30 Act no. 91/2008 on elementary schools, as well as regulation no. 1040/2011 on the responsibility and obligations of the school community in primary schools. Therefore, the processing of the child's personal information was based on item 3. Article 9 Act no. 90/2018.

The school's response also states that access to information in the Mentor computer system is limited by access control, so every employee of the school who has access to Mentor must log into the system with a password and all actions are recorded (logged) in the system. In accordance with the school's rules on school attendance, students' attendance is visible in Mentor and sent to parents and guardians monthly, and they are given the opportunity to comment on attendance registration. In this way, it is easy to ensure the reliability of personal information and correct incorrect information as the case may be.

II.
Conclusion
1.
Guarantor

The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. As is the case here, the school is considered to be the party responsible for the processing operation in question, as it is generally understood that the party responsible is the organization or company concerned and not individual employees, be it managers or general employees.

2.
Lawfulness of processing and outcome

The complainant mainly relies on the fact that the incorrect registration of attendance by the school's principal was carried out on purpose, with the purpose of influencing the magistrate's official duties when handling a visitation case. However, the school has claimed that the attendance registration was carried out by mistake on the part of the school principal. In light of this, it should be noted that Personal Protection does not have the grounds to take a position on whether the school's principal has carried out the wrong attendance registration on purpose or by mistake. It is therefore not possible to take a further position on the complainant's plea.

All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. When assessing whether such authorization exists, it may be necessary to refer to other laws.

In Article 19 Act no. 91/2008 on elementary schools states that parents are responsible for their children's education and must monitor their progress in cooperation with them and their teachers. [...] If there is a failure in the school attendance of a child who is required to attend school, without illness or other valid reasons, the school principal shall seek solutions and decide on improvements. Furthermore, he must inform the child protection authorities about the case. In paragraph 3 30 of the same law states that primary schools must have a comprehensive policy on how to prevent physical, mental or social violence from taking place in school work. Schools must also have a plan for the implementation of the notification obligation according to the Child Protection Act, on how to respond to cases of bullying, other violence and social isolation. The plan shall, among other things, enforced by each school setting its own school rules. In school rules, i.a. stipulates general interactions, communication, punctuality, study and healthy lifestyles. The school rules shall also state how the school intends to respond to violations thereof, cf. also regulation no. 1040/2011, on the responsibility and obligations of members of the school community in primary schools.

According to the above, it is clear that school administrators and teachers in primary schools have certain obligations, i.a. in relation to school attendance, punctuality and practice of primary school children. In the opinion of the Personal Protection Authority, the registration of a child's presence in the Mentor computer system can therefore rely on section 3. Article 9 Act no. 90/2018, provided that other provisions of the law are observed. In particular, point 4 comes into consideration here. Paragraph 1 Article 8 Act no. 90/2018 that when processing personal information, care must be taken to ensure that it is reliable and updated as necessary; Personal information that is unreliable or incomplete, based on the purpose of its processing, must be deleted or corrected without delay.

As stated above, the school has realized that the specified attendance registration for the complainant's child, which was carried out on the evening of September 22, 2021, was incorrect. For that reason, it must be considered that the attendance registration complained about did not comply with the reliability requirement of section 4. Article 8 Act no. 90/2018. According to paragraph 2 Article 8 Act no. 90/2018, cf. Paragraph 2 Article 5 regulation (EU) 2016/679, the responsible party is responsible for ensuring that the processing of personal data always complies with the provisions of paragraph 1. Article 8 of the law.

In light of the above, it is the conclusion of the Data Protection Authority that the school's specified registration of personal information about the complainant's child did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, on reliable processing, cf. also Regulation (EU) 2016/679. For that, however, it should be considered that the presence registration was corrected about 12 hours later, regardless of who initiated the correction of the registration. There is therefore no reason, as is the case here, to direct instructions for improvements to the school.

Ruling:

The school's registration of personal information about child [A] did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679, on reliability in the processing of personal data.

Privacy, 21 September 2022

Helga Sigríður Þórhallsdóttir                           Edda Þuríður Hauksdóttir