Persónuvernd (Iceland) - Case no. 2021030666
Persónuvernd - Case no. 2021030666 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5 GDPR Article 6(1)(c) GDPR Act no. 92/2008 |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 23.11.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Case no. 2021030666 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Icelandic DPA (in IS) |
Initial Contributor: | n/a |
The Icelandic DPA held that a school administrator did not breach the GDPR when sharing the teaching evaluation of a data subject with other staff in a meeting, as the administrator could base the processing on Article 6(1)(c) GDPR and did not share the data with any unauthorized parties.
English Summary
Facts
There was a dispute as to whether a controller, a school administrator, was allowed to refer to the results of a teaching evaluation concerning the data subject's teaching at a meeting, in which other school staff was present. The data subject argued that the controller had breached the GDPR when it shared information about the results of the teaching evaluation without consent. Such teaching evaluations were highly confidential and only the controller and the relevant teacher should have received a copy and discussed the results of the evaluation.
The controller replied that the data subject was invited to the meeting for the purpose of discussing complaints of a parent regarding the data subject's behavior and assessment towards the students. No unauthorized parties had attended the meeting and all participants were bound by the statutory duty of confidentiality of government officials or employees regarding what was discussed. The controller also referred to the fact that the case only concerned the verbal communication of personal data, which was based on memory at the time. Therefore, it would not constitute "processing" of personal data in the sense of the GDPR.
The controller further elaborated that teaching evaluation is an important part of the school's dashboard on teacher performance and necessary for quality management. The purpose of it is, among other things, to achieve the goals laid down in Icelandic law on secondary schools, to ensure that the school's activities are in accordance with the applicable regulations, the main curriculum and to increase the quality of learning and school work and to ensure that students' rights are respected and that they receive the services they are entitled to.
Holding
The DPA first assessed whether the case fell within the scope of the GDPR. It mentioned that according to Article 4(2) GDPR "processing" means " means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The DPA concluded that the oral transmission of personal information, on its own, generally does not fall under the scope of the law. However, it also noted that, in the present case, the information discussed during the meeting must have originated from a digital or recorded form (i.e., the teaching evaluation). From this fact alone, the DPA concluded that processing must have taken place and that the case, consequently, fell within the scope of the GDPR.
Secondly, the DPA analysed whether the personal data was lawfully processed. The DPA described that lawful processing must be based on a legal basis of Article 6 GDPR and follow the principles of Article 5 GDPR. The DPA noted that based on the legal obligations of the controller in its duty to operating a secondary school, it is necessary to process personal data for the day-to-day operation of the secondary school. This also includes including that task to provide specific employees with information about the results of teacher evaluations. Consequently, the processing was lawful based on the legal basis of Article 6(1)(c) GDPR. Moreover, the DPA was also of the opinion that the controller did not share personal data of the data subject with unauthorized parties. Therefore, the complaint was rejected.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions Processing of personal information by an educational institution Case no. 2021030666 23.11.2022 In general, oral communication of personal information does not fall under the scope of the Personal Protection Act. The information must be in some form in electronic or recorded form. In this case, personal information was communicated orally at a meeting, but since the information originated in teaching evaluations that are stored in the school's registration systems, it was considered that personal information was being processed. However, all the recipients of the information worked within the same responsible party, so it was not considered that there was a sharing of information. ---- Personal data protection ruled in a case where a complaint was made about the processing of personal data by an educational institution. More specifically, a complaint was made that the results of the teaching evaluation concerning the complainant's teaching at the school had been reviewed at a meeting, but there was a dispute as to whether it had been permitted to review it in front of those present at the meeting. The conclusion of the Personal Protection Agency was that it would have been permissible to report on the results of the teaching evaluation at the meeting and therefore comply with the law on personal protection and processing of personal information. Ruling about a complaint about the processing of personal data by [educational institution X] in case no. 2021030666: i Procedure On March 11, 2021, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the processing of personal information about him by [educational institution X] (hereinafter X). More specifically, a complaint was made that the then [administrator X], at a meeting on April 9, 2019, explained to the attendees the result of a teaching evaluation that concerned the complainant's teaching at the school. Personal protection sent the complainant a letter dated April 25, 2022, where more information was requested from him about the sharing of said personal information and a response was received from the complainant's lawyer by letter, dated 20 June s.á Subsequently, Personal Protection invited [X] to comment on the complaint by letter, dated 27 June s.á., and the school's answers were received by letter, dated 9 September s.á. When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling. The processing of the case has been delayed due to the heavy workload at Personal Protection. ___________________ There is a dispute as to whether the then [administrator X] was allowed to refer to the results of the teaching evaluation regarding the complainant's teaching at the school at a meeting on April 9, 2019, in which there were present, in addition to the complainant and the then [administrator X], [administrator Z] and [employee Y] at [X]. The complainant believes that the then [administrator X] has breached his confidentiality and thereby breached privacy laws when he shared information about the results of the teaching evaluation regarding the complainant's teaching to the participants at the meeting without his consent. The complainant refers to the fact that such teaching evaluations are highly confidential and only [administrator X] and the relevant teacher should receive a copy of the results of the teaching evaluation. [X]'s response letter states that the complainant was invited to the meeting for the purpose of discussing complaints that the then [parent X] had received regarding the complainant's behavior and assessment towards the students. On behalf of [X], the then [administrator X] and [administrator Z] attended the meeting. It was also recommended that [employee Y] attend the meeting. [X] refers to the fact that no unauthorized parties attended the meeting and all participants were bound by the statutory duty of confidentiality of government officials or employees regarding what was discussed, cf. Article 18 Act on the Rights and Obligations of Government Employees, no. 70/1996. [X] also refers to the fact that it was only a verbal communication of personal information, which was based on the memory of [administrator X] at the time, and therefore not a processing of personal information in the sense of section 4. Article 3 Act no. 90/2018 in question. [X] also refers to the fact that teaching evaluation is an important part of the school's dashboard on teacher performance and, in general, on teaching methods and teachers' behavior towards students. Teaching evaluation is thus part of quality management and evaluation of the success and quality of school work. The purpose of teaching evaluation is, among other things, to achieve the goals laid down in Article 40. Act no. 92/2008, on secondary schools, to ensure that the school's activities are in accordance with the provisions of the law, regulations, the main curriculum and to increase the quality of learning and school work and to ensure that students' rights are respected and that they receive the services they are entitled to according to the law. The processing of teaching evaluations is part of the school's internal evaluation, which the school must carry out on a regular basis, according to the provisions of Article 41. law on secondary schools. With reference to that, [X] is based on the fact that the processing of personal information that appears in teaching evaluations is based on section 3. Article 9 Act no. 90/2018, cf. c-point 1. paragraph Article 6 of regulation (EU) 2016/679. It is also based on the fact that [manager X] is allowed to assign [other managers] of the school a task where they work with the results of the teaching evaluation of the school's teachers. Is it the role of [manager X] as [...] to decide how the organization's tasks and tasks are carried out and by whom. In [X]'s opinion, access or information that [administrator X] provides to certain employees of the school regarding the teaching evaluation of other employees, in connection with their jobs or projects within the same responsible party, is neither independent processing nor sharing of personal information. [X] further refers to the fact that the complainant himself sent the then [administrator X] and [administrator Z] an e-mail dated March 27, 2019, where, among other things, he shared the extract of his teaching evaluation and thus the complainant himself informed the then [administrator Z] about the unique results of the teaching evaluation on his own initiative before the meeting on April 9, 2019. II. Conclusion 1. Scope Scope of law no. 90/2018, on personal protection and the processing of personal data, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic, cf. Paragraph 1 Article 4 of the law. Then the term processing is defined in number 4. Article 3 of the Act as an operation or series of operations where personal data is processed, whether the processing is automatic or not, such as collection, recording, classification, system binding, retention, adaptation or modification, retrieval, inspection, use, communication by forwarding, distribution or other methods to make the information available, linking or syndication, access restriction, deletion or destruction. From the above, it can be concluded that the oral transmission of personal information, on its own, generally does not fall under the scope of the law, but that the information must somehow be in a digital or recorded form. In the case it is known that the then [administrator Z] and [employee Y] at the school were given information about the results of the teaching evaluation for the complainant's teaching. The only thing that can be determined from the facts of the case is that the information originated in a specific teaching evaluation that is preserved in the school's registration systems. All the recipients of the information worked within the same responsible party and it is therefore not considered a sharing of personal information, cf. more detailed discussion in section II.2, but the processing will be considered to have included the use of personal information about the complainant. Therefore, this is considered to be the processing of personal information that falls under the scope of Act no. 90/2018 as defined in the aforementioned provisions and thus under the authority of the Personal Protection Authority. 2. Lawfulness of processing This case concerns the processing of personal data about the complainant by the then [administrator X]. The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. [X] is considered to be the party responsible for said processing according to Act no. 90/2018, on personal protection and the processing of personal data, and regulation (EU) 2016/679, since it is generally understood that the responsible party is the organization or company concerned and not individual employees, whether it is managers or ordinary employees. All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. For example, it is possible to work with personal data if it is necessary to fulfill a legal obligation that rests on the responsible party, cf. Number 3. of the legal provision and point c of the regulatory provision. When evaluating authorization for processing, it may also be necessary to consider provisions in other laws that are applicable at any given time. In particular, law no. 92/2008, on secondary schools. In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision, that they must be sufficient, appropriate and not beyond what is necessary based on the purpose of the processing, cf. Number 3. of the legal provision and point c of the regulatory provision, and that personal data shall be processed in such a way that their appropriate security is guaranteed, cf. Number 6. of the legal provision and section f of the regulatory provision. The personal information about the complainant to which the complaint relates originates from a teaching assessment for the complainant's teaching at [X]. Regarding authorization for processing with regard to the preparation of teaching evaluations, [X] refers to VII. chapter of law no. 92/2008, on secondary schools. In Article 41 of the Act on Internal Evaluation stipulates the obligation of secondary schools to systematically evaluate the results and quality of school work on the basis of Article 40. with the active participation of staff, students and parents as appropriate. Of the aforementioned provisions of law no. 92/2008, Personal Protection considers that [X] is permitted the processing of personal information about the complainant that is included in the preparation of teaching evaluations, cf. Number 3. Article 9 Act no. 90/2018 and point c of paragraph 1. Article 6 of regulation (EU) 2016/679. In Article 6 Act no. 92/2008 on secondary schools states that the headmaster's role is to manage the day-to-day operations and work of secondary schools and to ensure that the school's work is in accordance with laws, regulations, the main curriculum and other valid instructions at any given time, as well as to initiate reform work within the school. It has been stated by [X] that teaching evaluation is an important part of the school's internal evaluation, i.a. regarding the assessment of teachers' performance, teaching methods and their behavior towards students. Taking into account the obligations imposed on secondary schools to carry out regular internal evaluations of the results and quality of school work, it is believed that it may be necessary for school administrators to work further with the results of teaching evaluations in their work. According to the above, it is clear that [administrators] have certain obligations in relation to the operation of secondary schools. In the opinion of the Data Protection Authority, the necessary processing of personal information during the daily operation of secondary schools, incl. that [administrators] provide certain employees with information about the results of the teacher's teaching evaluation, based on item 3. Article 9 Act no. 90/2018, provided that other provisions of the law are observed. In particular, section 6 comes into consideration here. Paragraph 1 Article 8 of the Act on Security in the Processing of Personal Information. As is the case here, it is the opinion of the Data Protection Authority that the then [administrator X] did not grant access to the complainant's personal information to any unauthorized parties at a meeting on April 9, 2019, but only to those employees of the school who needed the information for their work. In light of the above, it is the conclusion of the Data Protection Authority that the processing of personal information about the complainant, which consisted of distinguishing [administrator Z] and [employee Y] at [X] from the results of a teaching evaluation that concerned the complainant's teaching at the school, was in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679. Ruling: The processing of [X]'s personal information about [A] was in accordance with the provisions of Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679. Privacy, November 23, 2022 Helga Sigríður Þórhallsdóttir Edda Þuríður Hauksdóttir