Datatilsynet (Denmark) - 2019-431-0045

From GDPRhub
Datatilsynet - 2019-431-0045
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(1) GDPR
Article 6(3) GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published: 18.06.2020
Fine: None
Parties: n/a
National Case Number/Name: 2019-431-0045
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Maria Lohmann

The Danish Data Protection Agency finds that the passing on of answers of assignments to researchers without having received instrutions by the data controller is a violation of data protection rules. Moreover, it has been hold that answers to questions can be regarded as personal data, as there is a specific kind of answering so that a machine can associate respective authors.

English Summary

Facts

MaCom A / S has developed and provided the school administration system Lectio. As part of the operation of Lectio, MaCom A / S is the data processor for a number of upper secondary schools and business schools. MaCom A / S is processing answers of assignments.

On 15 and 16 August 2019, respectively, the data controllers reported breaches of personal data to the Danish Data Protection Agency, as they had become aware that MaCom A / S had given researchers from the Department of Computer Science at the University of Copenhagen (hereinafter DIKU) access to information from assignments. The individual data controller had not been made aware of the disclosure and had not given permission for the disclosure.

Dispute

The data controllers had to notify the Danish Data Protection Agency about a data breach due to the forwarding of answers of assignments to researchers without approval of disclosure.

Holding

In this decision, the Danish Data Protection Agency only decides whether a transfer of information has taken place without a documented instruction, under Article 28(1) GDPR. Thus, it has not been decided on whether or not MaCom could process information in accordance with Article 6(3)(a), (1)(a) - (f) GDPR.

An answer to a question can be regarded as personal data, as defined in Article 4(1) GDPR, cf. Directive 95/45. It therefore follows from paragraph 37 that '… firstly, the content of that answer reflects the participant's knowledge and competence in a given field and, where appropriate, his thinking, judgment and critical sense'.

However, the fact that the information has been disclosed for scientific purposes and for a societal purpose, that disclosure has taken place by attendance and not by disclosure, and that the disclosure has taken place in pseudonymised form are mitigating circumstances.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Dissemination of assignment answers
Published 18-06-2020
Decision Private companies

The Danish Data Protection Agency expresses serious criticism that a data processor for a number of upper secondary schools has passed on parts of the students' assignments.

Journal number: 2019-431-0045
Summary

The Danish Data Protection Agency has made a decision in a case where three high schools have reported a breach of personal data security to the Danish Data Protection Agency regarding MaCom A / S, which as data processor has passed on parts of the students' assignments to researchers from the Department of Computer Science at the University of Copenhagen for development of plagiarism programs.

In the decision, the Danish Data Protection Agency has established that MaCom has acted in violation of the data protection law rules by passing on extracts from assignment answers to the researchers without having received instructions to this effect from the data controllers.

The Danish Data Protection Agency found that answering questions can be regarded as personal data, as they are an expression of the answering machine's thinking, judgment and critical sense. The Danish Data Protection Agency also found that extracts from assignment answers that are passed on for the purpose of developing plagiarism programs must be regarded as pseudonymised personal data, as the extracts must have qualities that can identify people on the basis of thinking, judgment, critical sense, and MaCom continued to keep the assignment answers. in their entirety in another, closed, system, for which reason the extracts could be attributed to a particular registered.

In relation to the degree of seriousness, the Danish Data Protection Agency has in its assessment emphasized that MaCom could not account for the number of extracts that were disclosed or the number of times the disclosure took place. However, the Danish Data Protection Agency regards it as mitigating circumstances that the information has been disclosed for scientific purposes and for a societal purpose, that disclosure has taken place by attendance and not by disclosure, and that the disclosure has taken place in pseudonymised form.

Decision

The Danish Data Protection Agency hereby returns to the case where the Authority, through three reports of breaches of personal data security in accordance with Article 33 of the Data Protection Ordinance [1], has become aware that MaCom A / S as data processor for a number of educational institutions (Paderup Gymnasium, Aalborg Katedralskole and Århus Akademi ) (hereinafter the data controllers) have passed on information about students to researchers.

In this decision, the Danish Data Protection Agency only decides whether a transfer of information has taken place without a documented instruction, cf. Article 28 (1) of the Data Protection Regulation. Thus, in this decision, the Danish Data Protection Agency has not taken a position on whether MaCom could process information in accordance with Article 6 (3) (a). 1, letters a-f, if MaCom A / S had been data responsible.

Decision

Following a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that MaCom A / S 'processing of personal data has not taken place in accordance with the rules in Article 28 (1) of the Data Protection Regulation. Third

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

It appears from the case that MaCom A / S has developed and delivered the operation of the school administration system Lectio. As part of the operation of Lectio, MaCom A / S is the data processor for a number of upper secondary schools and business schools, including the data controllers, e.g. in connection with the processing of assignment answers.

On 15 and 16 August 2019, respectively, the data controllers reported breaches of personal data security to the Danish Data Protection Agency, as they had become aware that MaCom A / S had given researchers from the Department of Computer Science at the University of Copenhagen (hereinafter DIKU) access to information from assignments . The individual data controller had not been made aware of the disclosure and had not given permission for the disclosure.

The disclosure of the information has taken place by the researchers having physical access to data / information in the form of excerpts from assignments in physical presence at MaCom A / S. The extracts of the assignment answers are stored in an electronic copy, which is stored on an independent and closed medium, which does not have access to MaCom A / S 'IT system and other data.

It appears from the case that MaCom A / S does not have an overview of the number of information that has been made available to the Department of Computer Science, or an overview of the number of times this has taken place, as the data / information in question is ongoing. has been deleted in the closed media / data room. The project at the Department of Computer Science has been in force since the summer of 2016, with a planned completion in March 2020. It is over a year since the researchers in the project have had access to information, and they will not receive it as long as this case is pending.

2.1. MaCom A / S ’comments
On behalf of MaCom A / S, Therkildsen Advokater has generally stated that this is concrete data / information that does not contain personal information, and which it is also not possible in any way to attribute to one or more specific persons, which is why is personal data within the meaning of the Data Protection Regulation.

MaCom A / S has noted that the scientific purpose of the disclosure has primarily been to develop effective algorithms that can detect plagiarism, for example in the case where a student has written off from a previously handed in assignment or got another person to write a Report.

In addition, MaCom A / S has stated that MaCom A / S makes new versions of the study administration system Lectio on a daily basis to ensure that the educational institutions that subscribe constantly live up to the requirements imposed. Functionality to expose plagiarism must be regarded as socially relevant, politically desirable and necessary to the educational institutions, which have a strong focus on exam cheating.

Justification for the Danish Data Protection Agency's decision

The Danish Data Protection Agency assumes that parts of the assignment answers from MaCom A / S have been passed on to researchers from DIKU.

It follows from the judgment of the European Court of Justice of 20 December 2017 in C-434/16 (Peter Nowak case) that an answer to a question can be regarded as personal data, as defined in Article 4 (1) of the Data Protection Regulation, cf. Directive 95/45. It therefore follows from paragraph 37 that '… firstly, the content of that answer reflects the participant's knowledge and competence in a given field and, where appropriate, his thinking, judgment and critical sense'.

On that basis, the Danish Data Protection Agency assumes that this is personal data, cf. Article 4 (1) of the Data Protection Regulation, when a task answer is processed in its entirety.

It also follows from the judgment of the European Court of Justice of 19 October 2016 in C-582/14 (Breyer case), paragraph 40, that by identifiable person is meant a person who can be identified not only directly but also indirectly. It further follows from paragraph 44 of the judgment that the classification of information as personal data does not require that all the information enabling the data subject to be identified be held by a single person.

On this basis, the Danish Data Protection Agency finds that MaCom A / S 'processing of the extracts of the assignment answers must be regarded as a processing of pseudonymised personal data, cf. Article 4, no. 5 of the Data Protection Regulation.

The Danish Data Protection Agency has hereby emphasized that MaCom A / S continued to store the assignment answers in their entirety in their own, for the researchers, closed system, through which the individual data subjects could be identified. The purpose of the processing of the extracts of the assignment answers has been to avoid plagiarism and thereby ensure that a given answer is an expression of the test participant's own way of thinking, judgment and critical sense. The extracts from the assignment answers have thus been of such a scope that the plagiarism system should be able to recognize the individual answers from each other, which is why the extracts continued to have such a detailed character that, using additional information, they could be attributed to a specific registrant.
The Danish Data Protection Authority also assumes that there has been no instruction from the data controller to MaCom A / S that a transfer may take place, just as the Authority assumes that there is no authority in the submitted data processor agreement for MaCom A / S could process information, in the form of assignment answers, with a view to disclosure.

It follows from Article 28 (1) of the Data Protection Regulation 3, letter a, that a data processor may only process personal data in accordance with documented instructions from the data controller.

On the basis of the above, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that MaCom A / S 'processing of personal data has not taken place in accordance with the rules in Article 28 (1) of the Data Protection Regulation. 

Third

The Danish Data Protection Agency has hereby emphasized that personal data has been processed without the proper instructions from the data controller in question.

When choosing the degree of criticism in an aggravating direction, the Danish Data Protection Agency has emphasized that MaCom A / S cannot account for the number of information that has been made available or the number of times the transfer has taken place.

In a mitigating direction, the Danish Data Protection Agency has emphasized that disclosure has taken place for scientific purposes and with a community service purpose, that it is a matter of disclosure of extracts, that disclosure has taken place by appearance and not by extradition, and that the disclosure has taken place in pseudonymised form. 

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).