IP - 07121-1/2020/638: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |IP - 07120-1/2020/290 |- | colspan="2" style="padding: 20px; background-color:#ffffff"...")
 
No edit summary
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |IP - 07120-1/2020/290
! colspan="2" |IP - 07121-1/2020/638
|-
|-
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]
|-
|-
|Authority:||[[IP (Slovenia)]]
|Authority:||[[IP (Slovenia)]][[Category:IP (Slovenia)]]
|-
|-
|Jurisdiction:||[[Data Protection in Slovenia|Slovenia]]
|Jurisdiction:||[[Data Protection in Slovenia|Slovenia]][[Category: Slovenia]]
|-
|-
|Relevant Law:||[[Article 58 GDPR|Article 58 GDPR]]
|Relevant Law:||[[Article 58 GDPR|Article 58 GDPR]][[Category:Article 58 GDPR]]
 
Article 49(1)(g) ZVOP-1
Article 49(1)(g) ZVOP-1


Article 2 ZInfP
Article 2 ZInfP
[[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]
[[Category:Article 6(1)(c) GDPR]]
[[Article 7 GDPR#3|Article 7(3) GDPR]]
[[Category:Article 7(3) GDPR]]
[[Article 13 GDPR|Article 13 GDPR]][[Category:Article 13 GDPR]]
Article 48 of the Labor Relations Act (ZDR-1)
|-
|-
|Type:||Advisory opinion
|Type:||Advisory opinion
Line 17: Line 28:
|Outcome:||Non-binding
|Outcome:||Non-binding
|-
|-
|Decided:||22.4.2020
|Decided:||17.4.2020
[[Category:2020]]
|-
|-
|Published:||n/a
|Published:||n/a
Line 25: Line 37:
|Parties:||anonymous
|Parties:||anonymous
|-
|-
|National Case Number:||07120-1/2020/290
|National Case Number:||07121-1/2020/638
|-
|-
|European Case Law Identifier:||n/a
|European Case Law Identifier:||n/a
Line 31: Line 43:
|Appeal:||n/a
|Appeal:||n/a
|-
|-
|Original Language:||Slovenian
|Original Language:||Slovenian[[Category:Slovenian]]
|-
|-
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1520 IP (SI)]
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1509 IP (SI)]
|}The Slovenian DPA (IP) issued a non-binding opinion about apps which would track the state of health and the movements of confirmed patients with SARS-CoV-2. The IP opined that a DPIA would be mandatory and that EU member states should coordinate their actions regarding such apps.
|}
 
The Slovenian DPA (IP) issued a non-binding opinion regarding the processing of personal data of teachers and pupils when new technologies are used in order to offer or participate in a lesson. The IP opined that data controllers (i.e. schools) should seek for an adequate legal basis and pay attention in particular to their information obligation, the security of personal data, possible data transfers to the US and the principle of data minimisation.  
 
==English Summary==
==English Summary==
===Facts===
===Facts===
The IP was asked about the compliance of a planned remote monitoring application for patients with SARS-CoV-2 infection confirmed.
The IP was asked about the records kept by schools and teachers regarding the communication with students and their parents. Issues arised due to different reasons, such as when teachers had to call parents from their private numbers because they would not respond to the professional e-mails, and the fact that they should keep a weekly record of their correspondence.    


The patient would give their consent, the app would require their identification, associated diseases and daily report of body temperature, blood pressure, blood oxygen saturation, heart rate, blood sugar and other symptoms. The app would alert the patient in case of discrepancies and their data would be available to healthcare staff who could contact the patient. The Ministry of Health would decide on mandatory quarantine and notify the patient and if the patient gave their consent to the location monitoring, the application would also monitor its movement and deviations from the permitted message to the patient and medical staff.
===Holding===
===Holding===
The IP advised that first and foremost a DPIA is mandatory, which would describe clearly the technical parameters in the light of the purpose pursued and the principle of proportionality. The IP drew also attention to the principle of transparency. It found that the proposed app would most likely require an adequate legal basis in the national law. It strongly recommended the Slovenian legislator take specific measures about such apps, following the development at EU level and coordinating with other member states.
The IP first clarified that it can only give a general opinion and that it also addressed the questions to the Ministry of Education. It also clarified that the opinion does not address any aspect of employment context. 
 
It found that such processing may be based on Article 48 of the Labor Relations Act (ZDR-1) as long as it is necessary and a private number may be used by a teacher only upon agreement with the employer. Working from home due to the pandemic outbreak inevitably leads to broader use of new technologies. Recordings have become necessary.
 
As for the processing of teachers' personal data, the IP found that teachers could withdraw their consent at any time according to Article 7(3) GDPR with regard to these recordings. For this reason is important to understand whether recordings should be considered to fulfill a "work obligation" according to ZDR-1. It is, thus, necessary that data controllers (i.e. schools) establish appropriate retention periods, provide adequate security for the processing of personal data and inform individuals of certain mandatory information as foreseen in Article 13 GDPR. All information should be given in a clear and transparent manner.   
 
As for the processing of pupils' personal data, the IP found that consent is not the appropriate legal basis. For this exceptional situation the only appropriate legal basis would be Article 6(1)(c) GDPR since the processing is necessary to fulfill legal obligations of the controller. The legal obligation is defined by various national laws in the field of primary and secondary education. The IP is of the opinion that the Ministry of Education should provide a consistent legal basis for school and common guidance.          
 
Consideration should also be given to the security of personal data and its transfer to third countries, as well as to the principle of data minimisation. The IP specifically emphasizes that the controller of personal data must maintain security at all stages of processing and in accordance with Article 32 GDPR. As for the data transfers to third countries, the IP states that many providers of the modern technologies are US based, so the data controllers should always check the list of the EU-US Certified Privacy Shield.    
 
==Comment==
==Comment==
''Share your comments here!''
''Share your comments here!''
==Further Resources==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''
==English Machine Translation of the Decision==
==English Machine Translation of the Decision==
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.<pre>
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.
Date: 04/22/2020
 
Title: Remote Patient Monitoring Application (mHealth-covIT)
<pre>
Number: 07120-1 / 2020/290
Date: 04/17/2020
Subject matter: Definition of OP, Modern technologies, Specific types, Legal bases, Telecommunications and mail, Health personal information
Title: Personal Data Processing and Teacher Reporting and Keeping Records of Teaching and Distance Learning
Number: 07121-1 / 2020/638
Subject matter: Employment relations, Informing an individual, Legal bases, Education, Personal data protection
Legal act: Opinion
Legal act: Opinion


On April 8, 2020, we received your personal data protection questions from the Information Commissioner (IP) regarding a planned remote monitoring application for patients with SARS-CoV-2 infection confirmed.
Thank you for your questions regarding the provision of additional professional assistance at mainstream elementary school and decision-making lessons, and for keeping records regarding communication with students and their parents, as such is intended to be the responsibility of the competent ministry.
 
The dilemmas that you raise in terms of personal data protection are:
 
1. Some parents are not responsive to your work email, and you are required to obtain feedback from them about their work for the school. Therefore, you are forced to call them from your private telephone number to their private number (which they otherwise provided to the school records). Due to the distance and obstacles to reimbursement in the given circumstances, it would be difficult to make contact from the school office telephone or. impracticable.
 
2. You must keep a record of your communication with parents and children on a weekly basis. You are asking what information can this record contain? At your discretion, it could include information that you communicated with your parents (yes / no), date and time of communication, duration of communication, and mode of communication (internet, telephone, other). However, you do not believe that the content of personal correspondence, including pictures and videos of children, should be easily provided without parental consent.
On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.
 
IP initially emphasizes that beyond the inspection process, it cannot judge specific processing of personal data, nor can it evaluate and comment on the specific way of conducting and organizing distance education in terms of the adequacy and security of processing of personal data. The following is a general opinion on the bases for processing personal data and data security, which we have also addressed to the Ministry of Education, Science and Sport from the point of view of the use of various applications. The opinion covers both the processing of personal data of teachers and pupils. However, IP should not provide opinions on the employment aspects of the obligations and organization of teachers' work during these epidemic times.
 
Processing personal data of teachers
 
We make it clear that IP can only give an opinion on the processing of personal data, but not on other aspects of privacy interventions, copyright, organization of school work, teachers' work responsibilities, etc. that may arise in connection with the implementation of distance learning.
 
Any processing of personal data must have an appropriate and legal legal basis. These are set out in Article 6 (1) of the General Regulation and are for the public sector to which educational institutions such as primary and secondary schools belong:
consent in the case of non-performance of public tasks (point (a)),
conclusion or performance of a contract (point (b)),
law (point (c)),
performance of a public task (point (e) in relation to the fourth paragraph of Article 9 of PDPA-1).
 
According to the IP, only record keeping and related processing of personal data of a pedagogical worker, such as the collection, publication and storage of videos of his teaching hours may be allowed under the provision of Article 48 of the Labor Relations Act (Official Gazette RS, No. 21/13 , as amended), provided that such processing is necessary for the exercise of the rights and obligations arising out of the employment relationship or in relation to the employment relationship. In such a case, the employer is obliged to prove that such is the employee's personal data that he needs in the context of the employment relationship. In any case, an employee is not obliged to use a personal telephone unless they have agreed with the employer (in this case, the ZDR-1 also provides for adequate compensation for the use of his / her home work resources).
 
In an emergency situation due to the Coronary Virus Epidemic (COVID-19), the use of new technologies, techniques and methods that are also linked to the work of home teachers is inevitable. The Information Commissioner certainly does not object to the use of information technology in the educational process and believes that especially in the current situation, the wise and proportionate use of information technology is indispensable for the implementation of a quality and stimulating educational process and for ensuring the effective fulfillment of teachers' work responsibilities.
 
According to the Information Commissioner, many teachers already use this type of teaching. However, the IP believes that the training method of recording teachers should not be based on their possible consent, as this would not provide adequate continuity and quality of work, and teachers could refuse to use technological solutions that actually enable distance education. Finally, under Article 7 (3) of the General Regulation, teachers could also withdraw their consent at any time and the recordings should be deleted immediately, regardless of the potential consequences for the educational process and the equal treatment of pupils. For this reason, too, we consider it necessary to understand the use of recording in the provision of distance education as a fulfillment of a work obligation under Article 48 of the ZDR-1.
 
In the light of all of the above, it is imperative that personal data controllers (ie schools) establish appropriate retention periods, provide adequate security for the processing of personal data, inform individuals of certain mandatory information referred to in Article 13 of the General Regulation and also address any copyright issue (the latter not otherwise falls within the competence of the Information Commissioner).
With regard to information for individuals in accordance with Article 13 of the General Regulation, it should be emphasized that the controller of personal data must provide in a clear and transparent manner basic information concerning the processing of personal data, such as information about who processes personal data, the contact details of the controller, for what purposes it processes data, how long it retains and other information required by that provision.
 
Processing of personal data of pupils / students
 
The process of distance education has been designed by some teachers to require students to use modern information technologies, often involving the processing of personal data. Children should use a variety of online communication tools for distance education, including tools with video call function and related forms of participation, or students / students have to record the completion of a given task and record the teacher with a teacher's instruction.
 
In processing personal data of children for the purposes of providing distance education, IP emphasizes that the classical consent of an individual (or legal representative of a child) is not the appropriate or appropriate legal basis on which such processing of personal data should take place. It is essential that distance education is a public-law exercise of an educational institution, not an activity for which parents, as legal representatives of children, can give free consent - as is traditionally given at the beginning of the school year on a prepared form (for example, posting photos in the school almanac, etc.). Of course, a very special situation is the collection of personal data, for which the law itself, for example. The Elementary School Act (Article 95) stipulates that this personal information is collected only in agreement with the parents of the pupils (in certain cases, except when the pupil is in danger in the family and needs to be protected). Such are, for example, information on pupils' mobility and morphological characteristics or information on pupils requiring assistance and counseling. The law (Article 95 of the Primary School Act) also stipulates that counselors are obliged to protect this information as a professional secret. As professional secrecy, this information is also obliged to be protected by other professionals to whom the data have been transmitted because of the nature of their work.
For the processing of personal data of children in the online environment in the current state of emergency when distance education is taking place, according to the IP, in the framework of the above (the exception is data where, in addition to the law, consent is required by law), the only appropriate legal basis is 6 ( 1) (c) of the General Regulation, since processing is necessary to fulfill the legal obligation applicable to the controller. The legal obligation is broadly defined by the laws in the field of primary and secondary education, including the Primary School Act (Official Gazette of the Republic of Slovenia, No. 81/06 - UPB, as amended and supplemented), the Law on Grammar Schools (Official Gazette of the Republic of Slovenia, No. 1/07 - UPB, as amended and supplemented) and the Vocational and Technical Education Act (Official Gazette RS, No. 79/06, amended and supplemented), which define the obligation of schools to provide the intended forms of education, and the duty of pupils and students to fulfill their school responsibilities. Teachers' work responsibilities are further defined in the Organization and Financing of Education Act (Official Gazette of the Republic of Slovenia, No. 16/07 - UPB, as amended), which also stipulates in Article 119 “the collection and processing of data concerning by doing educational and other work. "
 
Due to the exceptional circumstances of the COVID-19 virus prevention measures, which have temporarily altered the educational process, the Information Commissioner is of the opinion that the Ministry of Education, Science and Sport should provide this legal basis with a uniform guidance to schools. The IP has already called for this.
 
Consideration should also be given to addressing concerns regarding the security of personal data and the release to third countries (to which we define below). In addition, schools or teachers should be reminded of the principle of the minimum amount of data, according to which no more personal data may be processed than is strictly necessary to carry out the educational process (principle of minimizing personal data).
 
Your assessment, according to what you state, is therefore completely correct and correct, namely that in the case of reporting work with students who need help and counseling (when it comes to collecting the data referred to in point 4 of paragraph 1 of Article 95 of the Act elementary school) to report weekly on your communication with parents and children should be sufficient to report e.g. about communicating with your parents (yes / no), the date and time of the communication, the duration of the communication and the method of communication (internet, telephone, other). However, the school should, in the circumstances, determine how the documentation of student work is stored and how you work remotely. In doing so, the school should bear in mind that certain information is only collected with the consent of the parents, such as the parents. family and social history; developmental history; expertly interpreted results of diagnostic procedures; information on professional assistance or counseling procedures; documentation regarding the process of directing a student with special needs (this includes, of course, your correspondence and other materials that you obtain in the given distance working conditions); expert opinions of other institutions: centers for social work, health institutions, counseling centers or educational counseling centers. In any case, it does not seem appropriate, in this respect, to automatically and on a weekly basis provide all personal correspondence, including pictures and videos of children without the consent of their parents or parents, from the point of view of secrecy of correspondence. appropriate professional justifications and other legal bases. Namely, the school or the individual teacher must check the fulfillment of their tasks in a way that is least intrusive to the right to the protection of personal data and privacy of the child. The thing about securing data and how it is handled in the circumstances is how the school makes sure that all personal data (especially sensitive) is properly secured and that unauthorized persons are unaware of it. He cannot give specific instructions on how to implement IP in the opinion.
 
Especially with regard to the security of the processing of personal data and the removal to third countries.
 
With regard to the security of personal data, IP specifically emphasizes that the controller of personal data must protect it appropriately at all stages of processing. The first paragraph of Article 32 of the General Regulation states that, taking into account the latest technological developments and the costs of implementation, the nature, scale, circumstances and purposes of processing, as well as the risks to the rights and freedoms of individuals differing in likelihood and seriousness, adequate technical and organizational measures to ensure an adequate level of risk-based security.
 
Ensuring the security of personal data can be particularly problematic when using online tools that teachers use at their discretion and preferably without prior consideration of ensuring the security of personal data. That is why we believe that the use of individual tools should be properly considered and, if possible, the choice of tools should be standardized. However, IP cannot and should not judge individual tools in terms of relevance and, above all, processing security in an opinion.
 
Most of the most well-established tools for online communication enable t.i. end-to-end encryption, but not necessarily in all cases (this is not likely to be guaranteed, for example, if the call is made (partly) through a regular telephone line and not through a data transmission ) and not necessarily the default setting, and there are differences between applications in other aspects of security and privacy. Therefore, IP recommends that, before using these aspects, the data controller (or even your ministry, when making appropriate recommendations) consult with your IT colleagues before using it.
 
An overview of the various aspects of security and privacy in online communication applications is available here: https://www.securemessagingapps.com/


The patient would have given his or her usual consent before the investigation. I would also enter the required ID information in the application: personal name, address, ZZZS number and telephone number. The patient would indicate associated diseases and risks in the application. I would inject daily into the application: body temperature, blood pressure measured, blood oxygen saturation, heart rate, blood sugar and other symptoms (eg vomiting). The application would alert the patient to the discrepancies and the data would be available to healthcare staff who could contact the patient in case of discrepancies.
Attention should also be paid to the possible transfer of personal data to third countries, as many providers of such solutions come from the US. We recommend that you check that the solution provider is on the EU-US Certified Privacy Shield list: https://www.privacyshield.gov/welcome. You can read more about exporting data to third countries on our web site https://www.ip-rs.si/protection-personal-data/obligations-management/transfer-private-data-in-third-state-and- international organizations / release-of-personal-data-in-the-us / and generally in the Information Commissioner's infographics: https://www.ip-rs.si/fileadmin/user_upload/Pdf/infografike/Download_of_Personal_data_in_the_steps.pdf.
If the patient received a decision from the Ministry of Health on mandatory quarantine and gave their consent to the location monitoring in the application, the application would also monitor its movement and deviations from the permitted message to the patient and medical staff.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter: the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1), and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provides our non-binding opinion on your questions.
First of all, it should be pointed out that (as explained in more detail in IP Opinion No. 07120-1 / 2020/288 to the Ministry of Health regarding the establishment of such applications available on our website: www.ip-rs.si/ vop /) In the light of the experience of some other countries, it is imperative, first of all, to order an impact assessment with clear technical parameters of the application against the objectives pursued and in the light of the principle of proportionality (only the elements you cite are not sufficient) ). Some of the elements to be addressed are mentioned in the IP Opinion. In particular, we draw attention to the need for care in terms of transparency about what personal data the application will actually process, for what purposes (these should be narrowly and clearly defined), where they will keep who will be the controller of that data, on what legal basis, how that data will be stored, for how long and how the data will be deleted.
Please note that in this opinion, due to the absence of directional issues and lack of information, we cannot identify all the specific aspects of the proposed solution (eg who is the data controller, the role of the service provider, the specific content and validity of the consent, patient information, concrete use of data (original , secondary), location and time of data retention, mode of data transfer, access rights of employees and service provider, minimum data principle, patient risk, system technical security…), but only to the question of the principle admissibility of the proposed solution in terms of the legal basis for processing data. We conclude that this is a mobile application on a patient-owned mobile phone.
1. Provision of telemedicine monitoring of a patient's medical condition shall be admissible in the light of the legal bases on the part of the healthcare provider, provided that:
- the patient is adequately informed of all aspects of the processing of personal data,
- that the patient is not compelled to (only) monitor this state of health, and
- that the patient's appropriate consent is given if, in addition to the purpose of providing regular medical care, personal data is collected and used for any other purpose that would not be covered by any of the grounds referred to in points (b) to (j) of the second paragraph of Article 9. General data protection regulations.
Against this background, the proposed application would most likely require an adequate legal basis in the national regulation.
The above rules also depend on who is the controller of the personal data or whether the patient primarily processes the data for personal use.
2. The conditions regarding the monitoring of the patient's quarantine location in connection with the processing of the information provided by the healthcare provider or other public sector operator from the legal basis are admissible under the conditions as defined in IP Opinion No. 07120-1 / 2020/288, which we suggest you to familiarize yourself with.
Given the many risks posed by such applications, IP expresses concern that any individual healthcare provider would undertake the design of such applications. Accordingly, the IP strongly recommends and urges that Slovenia take measures based on applications and tracking of individuals for invasiveness and interfering with their rights, to follow the development of the theme at EU level and to coordinate with other members through dedicated forums and networks regarding technical solutions.
Justification:
The IP is of the opinion that technology can certainly make a constructive contribution to curbing the COVID19 epidemic, but only taking into account the legal framework for privacy and personal data protection. We also support the understanding that it is essential to coordinate actions within the EU Member States when developing technologies and approaches, as diverse or uncoordinated initiatives by individual Member States cannot be effective. At the same time, the Republic of Slovenia must pursue the high level of respect for fundamental rights as required by the Slovenian Constitution and advocate such solutions at EU level. An epidemic should not be a reason to nullify constitutional principles. At this point, we point out that the European Commission (hereinafter referred to as the EC) has just published recommendations on COVID 19 epidemic containment technologies, identifying solutions that can be effective in this context (including in terms of various applications that can more or they achieve their goals less effectively) and regarding the safeguards that must be put in place to protect the rights of individuals.
The EC plays a special role in agreeing on effective EC measures within the EU-based eHealth Network, of which Slovenia is also a member, where the Slovenian authorities can also play a constructive role in finding effective, proportionate and urgent technical solutions. In this context, we are also involved in the involvement of the European Personal Data Protection Authorities, which work within the European Data Protection Board. The committee is also expected to issue a unified opinion on the COVID-19 mobile restriction applications we can provide to you in the coming days. According to a communication from the European Commission, it intends to adopt guidelines on 15 April 2020 for compliance with the legal framework for the protection of personal data in the development of various applications.
Accordingly, the IP strongly recommends and urges that Slovenia take measures based on applications and tracking individuals for invasiveness and interfering with their rights, to follow the development of the theme at EU level and to coordinate with other members through dedicated forums and networks regarding technical solutions. , which are effective and pursue the goal of minimizing interference with the rights of individuals to achieve the common goal of limiting the COVID 19 epidemic while respecting fundamental rights. The development of technological solutions can only contribute to these goals, given the high level of protection of fundamental rights of individuals.
</pre>
</pre>

Revision as of 13:35, 27 April 2020

IP - 07121-1/2020/638
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 58 GDPR

Article 49(1)(g) ZVOP-1

Article 2 ZInfP

Article 6(1)(c) GDPR

Article 7(3) GDPR

Article 13 GDPR

Article 48 of the Labor Relations Act (ZDR-1)

Type: Advisory opinion
Outcome: Non-binding
Decided: 17.4.2020
Published: n/a
Fine: none
Parties: anonymous
National Case Number: 07121-1/2020/638
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Slovenian
Original Source: IP (SI)

The Slovenian DPA (IP) issued a non-binding opinion regarding the processing of personal data of teachers and pupils when new technologies are used in order to offer or participate in a lesson. The IP opined that data controllers (i.e. schools) should seek for an adequate legal basis and pay attention in particular to their information obligation, the security of personal data, possible data transfers to the US and the principle of data minimisation.

English Summary

Facts

The IP was asked about the records kept by schools and teachers regarding the communication with students and their parents. Issues arised due to different reasons, such as when teachers had to call parents from their private numbers because they would not respond to the professional e-mails, and the fact that they should keep a weekly record of their correspondence.

Holding

The IP first clarified that it can only give a general opinion and that it also addressed the questions to the Ministry of Education. It also clarified that the opinion does not address any aspect of employment context.

It found that such processing may be based on Article 48 of the Labor Relations Act (ZDR-1) as long as it is necessary and a private number may be used by a teacher only upon agreement with the employer. Working from home due to the pandemic outbreak inevitably leads to broader use of new technologies. Recordings have become necessary.

As for the processing of teachers' personal data, the IP found that teachers could withdraw their consent at any time according to Article 7(3) GDPR with regard to these recordings. For this reason is important to understand whether recordings should be considered to fulfill a "work obligation" according to ZDR-1. It is, thus, necessary that data controllers (i.e. schools) establish appropriate retention periods, provide adequate security for the processing of personal data and inform individuals of certain mandatory information as foreseen in Article 13 GDPR. All information should be given in a clear and transparent manner.

As for the processing of pupils' personal data, the IP found that consent is not the appropriate legal basis. For this exceptional situation the only appropriate legal basis would be Article 6(1)(c) GDPR since the processing is necessary to fulfill legal obligations of the controller. The legal obligation is defined by various national laws in the field of primary and secondary education. The IP is of the opinion that the Ministry of Education should provide a consistent legal basis for school and common guidance.

Consideration should also be given to the security of personal data and its transfer to third countries, as well as to the principle of data minimisation. The IP specifically emphasizes that the controller of personal data must maintain security at all stages of processing and in accordance with Article 32 GDPR. As for the data transfers to third countries, the IP states that many providers of the modern technologies are US based, so the data controllers should always check the list of the EU-US Certified Privacy Shield.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 04/17/2020
Title: Personal Data Processing and Teacher Reporting and Keeping Records of Teaching and Distance Learning
Number: 07121-1 / 2020/638
Subject matter: Employment relations, Informing an individual, Legal bases, Education, Personal data protection
Legal act: Opinion

Thank you for your questions regarding the provision of additional professional assistance at mainstream elementary school and decision-making lessons, and for keeping records regarding communication with students and their parents, as such is intended to be the responsibility of the competent ministry.

The dilemmas that you raise in terms of personal data protection are:

1. Some parents are not responsive to your work email, and you are required to obtain feedback from them about their work for the school. Therefore, you are forced to call them from your private telephone number to their private number (which they otherwise provided to the school records). Due to the distance and obstacles to reimbursement in the given circumstances, it would be difficult to make contact from the school office telephone or. impracticable.

2. You must keep a record of your communication with parents and children on a weekly basis. You are asking what information can this record contain? At your discretion, it could include information that you communicated with your parents (yes / no), date and time of communication, duration of communication, and mode of communication (internet, telephone, other). However, you do not believe that the content of personal correspondence, including pictures and videos of children, should be easily provided without parental consent.
On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.

IP initially emphasizes that beyond the inspection process, it cannot judge specific processing of personal data, nor can it evaluate and comment on the specific way of conducting and organizing distance education in terms of the adequacy and security of processing of personal data. The following is a general opinion on the bases for processing personal data and data security, which we have also addressed to the Ministry of Education, Science and Sport from the point of view of the use of various applications. The opinion covers both the processing of personal data of teachers and pupils. However, IP should not provide opinions on the employment aspects of the obligations and organization of teachers' work during these epidemic times.

Processing personal data of teachers

We make it clear that IP can only give an opinion on the processing of personal data, but not on other aspects of privacy interventions, copyright, organization of school work, teachers' work responsibilities, etc. that may arise in connection with the implementation of distance learning.

Any processing of personal data must have an appropriate and legal legal basis. These are set out in Article 6 (1) of the General Regulation and are for the public sector to which educational institutions such as primary and secondary schools belong:
consent in the case of non-performance of public tasks (point (a)),
conclusion or performance of a contract (point (b)),
law (point (c)),
performance of a public task (point (e) in relation to the fourth paragraph of Article 9 of PDPA-1).

According to the IP, only record keeping and related processing of personal data of a pedagogical worker, such as the collection, publication and storage of videos of his teaching hours may be allowed under the provision of Article 48 of the Labor Relations Act (Official Gazette RS, No. 21/13 , as amended), provided that such processing is necessary for the exercise of the rights and obligations arising out of the employment relationship or in relation to the employment relationship. In such a case, the employer is obliged to prove that such is the employee's personal data that he needs in the context of the employment relationship. In any case, an employee is not obliged to use a personal telephone unless they have agreed with the employer (in this case, the ZDR-1 also provides for adequate compensation for the use of his / her home work resources).

In an emergency situation due to the Coronary Virus Epidemic (COVID-19), the use of new technologies, techniques and methods that are also linked to the work of home teachers is inevitable. The Information Commissioner certainly does not object to the use of information technology in the educational process and believes that especially in the current situation, the wise and proportionate use of information technology is indispensable for the implementation of a quality and stimulating educational process and for ensuring the effective fulfillment of teachers' work responsibilities.

According to the Information Commissioner, many teachers already use this type of teaching. However, the IP believes that the training method of recording teachers should not be based on their possible consent, as this would not provide adequate continuity and quality of work, and teachers could refuse to use technological solutions that actually enable distance education. Finally, under Article 7 (3) of the General Regulation, teachers could also withdraw their consent at any time and the recordings should be deleted immediately, regardless of the potential consequences for the educational process and the equal treatment of pupils. For this reason, too, we consider it necessary to understand the use of recording in the provision of distance education as a fulfillment of a work obligation under Article 48 of the ZDR-1.

In the light of all of the above, it is imperative that personal data controllers (ie schools) establish appropriate retention periods, provide adequate security for the processing of personal data, inform individuals of certain mandatory information referred to in Article 13 of the General Regulation and also address any copyright issue (the latter not otherwise falls within the competence of the Information Commissioner).
With regard to information for individuals in accordance with Article 13 of the General Regulation, it should be emphasized that the controller of personal data must provide in a clear and transparent manner basic information concerning the processing of personal data, such as information about who processes personal data, the contact details of the controller, for what purposes it processes data, how long it retains and other information required by that provision.

Processing of personal data of pupils / students

The process of distance education has been designed by some teachers to require students to use modern information technologies, often involving the processing of personal data. Children should use a variety of online communication tools for distance education, including tools with video call function and related forms of participation, or students / students have to record the completion of a given task and record the teacher with a teacher's instruction.

In processing personal data of children for the purposes of providing distance education, IP emphasizes that the classical consent of an individual (or legal representative of a child) is not the appropriate or appropriate legal basis on which such processing of personal data should take place. It is essential that distance education is a public-law exercise of an educational institution, not an activity for which parents, as legal representatives of children, can give free consent - as is traditionally given at the beginning of the school year on a prepared form (for example, posting photos in the school almanac, etc.). Of course, a very special situation is the collection of personal data, for which the law itself, for example. The Elementary School Act (Article 95) stipulates that this personal information is collected only in agreement with the parents of the pupils (in certain cases, except when the pupil is in danger in the family and needs to be protected). Such are, for example, information on pupils' mobility and morphological characteristics or information on pupils requiring assistance and counseling. The law (Article 95 of the Primary School Act) also stipulates that counselors are obliged to protect this information as a professional secret. As professional secrecy, this information is also obliged to be protected by other professionals to whom the data have been transmitted because of the nature of their work.
For the processing of personal data of children in the online environment in the current state of emergency when distance education is taking place, according to the IP, in the framework of the above (the exception is data where, in addition to the law, consent is required by law), the only appropriate legal basis is 6 ( 1) (c) of the General Regulation, since processing is necessary to fulfill the legal obligation applicable to the controller. The legal obligation is broadly defined by the laws in the field of primary and secondary education, including the Primary School Act (Official Gazette of the Republic of Slovenia, No. 81/06 - UPB, as amended and supplemented), the Law on Grammar Schools (Official Gazette of the Republic of Slovenia, No. 1/07 - UPB, as amended and supplemented) and the Vocational and Technical Education Act (Official Gazette RS, No. 79/06, amended and supplemented), which define the obligation of schools to provide the intended forms of education, and the duty of pupils and students to fulfill their school responsibilities. Teachers' work responsibilities are further defined in the Organization and Financing of Education Act (Official Gazette of the Republic of Slovenia, No. 16/07 - UPB, as amended), which also stipulates in Article 119 “the collection and processing of data concerning by doing educational and other work. "

Due to the exceptional circumstances of the COVID-19 virus prevention measures, which have temporarily altered the educational process, the Information Commissioner is of the opinion that the Ministry of Education, Science and Sport should provide this legal basis with a uniform guidance to schools. The IP has already called for this.

Consideration should also be given to addressing concerns regarding the security of personal data and the release to third countries (to which we define below). In addition, schools or teachers should be reminded of the principle of the minimum amount of data, according to which no more personal data may be processed than is strictly necessary to carry out the educational process (principle of minimizing personal data).

Your assessment, according to what you state, is therefore completely correct and correct, namely that in the case of reporting work with students who need help and counseling (when it comes to collecting the data referred to in point 4 of paragraph 1 of Article 95 of the Act elementary school) to report weekly on your communication with parents and children should be sufficient to report e.g. about communicating with your parents (yes / no), the date and time of the communication, the duration of the communication and the method of communication (internet, telephone, other). However, the school should, in the circumstances, determine how the documentation of student work is stored and how you work remotely. In doing so, the school should bear in mind that certain information is only collected with the consent of the parents, such as the parents. family and social history; developmental history; expertly interpreted results of diagnostic procedures; information on professional assistance or counseling procedures; documentation regarding the process of directing a student with special needs (this includes, of course, your correspondence and other materials that you obtain in the given distance working conditions); expert opinions of other institutions: centers for social work, health institutions, counseling centers or educational counseling centers. In any case, it does not seem appropriate, in this respect, to automatically and on a weekly basis provide all personal correspondence, including pictures and videos of children without the consent of their parents or parents, from the point of view of secrecy of correspondence. appropriate professional justifications and other legal bases. Namely, the school or the individual teacher must check the fulfillment of their tasks in a way that is least intrusive to the right to the protection of personal data and privacy of the child. The thing about securing data and how it is handled in the circumstances is how the school makes sure that all personal data (especially sensitive) is properly secured and that unauthorized persons are unaware of it. He cannot give specific instructions on how to implement IP in the opinion.

Especially with regard to the security of the processing of personal data and the removal to third countries. 

With regard to the security of personal data, IP specifically emphasizes that the controller of personal data must protect it appropriately at all stages of processing. The first paragraph of Article 32 of the General Regulation states that, taking into account the latest technological developments and the costs of implementation, the nature, scale, circumstances and purposes of processing, as well as the risks to the rights and freedoms of individuals differing in likelihood and seriousness, adequate technical and organizational measures to ensure an adequate level of risk-based security.

Ensuring the security of personal data can be particularly problematic when using online tools that teachers use at their discretion and preferably without prior consideration of ensuring the security of personal data. That is why we believe that the use of individual tools should be properly considered and, if possible, the choice of tools should be standardized. However, IP cannot and should not judge individual tools in terms of relevance and, above all, processing security in an opinion.

Most of the most well-established tools for online communication enable t.i. end-to-end encryption, but not necessarily in all cases (this is not likely to be guaranteed, for example, if the call is made (partly) through a regular telephone line and not through a data transmission ) and not necessarily the default setting, and there are differences between applications in other aspects of security and privacy. Therefore, IP recommends that, before using these aspects, the data controller (or even your ministry, when making appropriate recommendations) consult with your IT colleagues before using it.

An overview of the various aspects of security and privacy in online communication applications is available here: https://www.securemessagingapps.com/

Attention should also be paid to the possible transfer of personal data to third countries, as many providers of such solutions come from the US. We recommend that you check that the solution provider is on the EU-US Certified Privacy Shield list: https://www.privacyshield.gov/welcome. You can read more about exporting data to third countries on our web site https://www.ip-rs.si/protection-personal-data/obligations-management/transfer-private-data-in-third-state-and- international organizations / release-of-personal-data-in-the-us / and generally in the Information Commissioner's infographics: https://www.ip-rs.si/fileadmin/user_upload/Pdf/infografike/Download_of_Personal_data_in_the_steps.pdf.