Datatilsynet - 20/01949 (PVN-2020-13)

From GDPRhub
Datatilsynet - 20/01949 (PVN-2020-13)
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5 GDPR
Article 5(1)(d) GDPR
Article 5(1)(a) GDPR
Article 6 GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(2) GDPR
Article 6(3) GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(f) GDPR
Article 14 GDPR
Article 15 GDPR
Article 16 GDPR
Article 17(1)(d) GDPR
Article 17(1)(d) GDPR
Article 24 GDPR
Article 30 GDPR
Article 32(2) GDPR
The Education Act Chapter 9A
Type: Complaint
Outcome: Partly Upheld
Decided: 09.11.2020
Published: 09.11.2020
Fine: None
Parties: Datatilsynet
Personvernnemda
Arendal kommune
National Case Number/Name: 20/01949 (PVN-2020-13)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Privacy Appeals Board (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board (Personvernrådet) overturned the Norwegian DPA's (Datatilsynet) decision to ban Arendal municipality from using a digital form to survey bullying behaviour at their local schools.

English Summary[edit | edit source]

Facts[edit | edit source]

A parent submitted a complaint to the DPA on the municipality's use of a digital form to survey bullying behaviour at local schools. The DPA concluded in their investigations that the municipality lacked legal grounds for the processing cf. Article 6(1)(c), as they didn't believe the processing was "required" to achieve the goals of The Education Act Chapter 9A. Consequently, the municipality had to delete all personal data related to this processing, cf. Article 17(1)(d).

The DPA also found that the municipality were in breach of the principles of lawfulness, fairness and transparency, cf. Article 5(1)(a), and accuracy, cf. Article (5)(1)(d), they hadn't recorded the processing activity as required in Article 30, hadn't conducted a risk assessment as per Article 32(2) or a Data Protection Impact Assessment as per Article 35(1) cf. 35(7) cf. the DPA's list over processing activities requiring a DPIA.

Arendal municipality opposed this decision, however, following a review, the DPA continued to upheld it. The case was then forwarded to the Privacy Appeals Board, who concluded that the municipality had indeed sufficient legal grounds, however had other shortcomings that need to be resolved before further processing can take place, including: - conduct a DPIA cf. Article 35 - clearly inform students cf. Article 12 that a) it's voluntary to participate in the survey cf. Article 13(2)(f), and b) that their responses can be shared with individuals they name in their response cf. Article 15 - fulfill the other requirements as per the GDPR, including the fundamental principles for processing personal data cf. Article 5(1) and data subjects' rights cf. Chapter III - record the processing activity as per Article 30 - create written routines and other necessary documentation to ensure sufficient internal controls

Dispute[edit | edit source]

Did Arendal municipality (and the schools) have legal grounds for processing the personal data in the digital form, cf. Article 6(1)(c) cf. The Education Act Chapter 9A?

Holding[edit | edit source]

Yes, Arendal municipality (and the schools) have legal grounds for processing the personal data in the digital form, cf. Article 6(1)(c) cf. The Education Act Chapter 9A, however had other shortcoming that need to be resolved before further processing can take place.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision of the Privacy Board 9 November 2020 (Mari Bø Haugstad, Bjørnar Borvik, Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem)

The case concerns a complaint from Arendal municipality on the Data Inspectorate's decision of 23 October 2019, in which the authority imposed a ban on the processing of personal data obtained using the mapping tool Spekter, and ordered the municipality to delete the collected personal data.

Background to the case

On 28 November 2018, the Data Inspectorate received an inquiry from a parent concerning Arendal municipality's processing of personal data using the mapping tool Spekter at Hisøy school. Spekter consists of a non-anonymous digital questionnaire that is used to uncover bullying and map the learning environment in a school class. It is stated that the Norwegian Data Protection Authority has received several inquiries from parents regarding the use of Spekter.

Spekter was developed by the Learning Environment Center at the University of Stavanger (national center for learning environment and behavioral research, hereinafter the Learning Environment Center), and is intended for students from 3rd grade in primary school and up to and including upper secondary school. Spectrum, which became available in digital version on 1 January 2018, has been used in schools for several years and is used in over 800 schools throughout the country.

The following questions are asked in Spekter:

    Who in the class would you like to be with in the free minutes?

    Who in the class decides the most?

    Who in the class helps other students if they need it?

    If the teacher needs help, which students will help?

    Who in the class is making noise in class?

    I think the others in the class think there is too much noise in the lessons

    I think there is too much noise in the classes

    How often do you make noise in class?

    How often have you been bullied at school by someone in your class in recent months?

     If you have been bullied, who has bullied you?

    How often have you bullied others in your class at school in recent months?

    If you have bullied others, who have you bullied?

    Who in the class bullies others?

    Who in the class is being bullied?

    Who in the class do you think will help another student if he or she is being bullied?

    How often have you been bullied digitally by someone in your class in recent months?

    If you have been bullied digitally, who has bullied you?

    How often have you bullied others in your class digitally in recent months?

    If you have bullied others digitally, who have you bullied?

    Who in the class is being bullied digitally?

    Who in the class is bullying others digitally?

    Is there anything else you want to tell about how you feel in class?

Before the student answers the questions, the form explains what bullying and digital bullying are:

"About bullying: Bullying is hurtful acts such as exclusion, spreading rumors, teasing or pushing, punching and kicking someone who cannot defend themselves."

«About digital bullying: By digital bullying we mean harmful actions when using, for example, a mobile phone, tablet, PC, against someone who cannot defend themselves. It can be exclusion on social media, spreading rumors or teasing. "

The student answers the questions partly by stating the names of other students, partly by ticking on predefined answer options in a check box ("Strongly disagree", "Slightly disagree" "Slightly agree" and Strongly agree "," Never " to »« Two or three times a month »,« Every week »and« Approximately every day »). In addition, there is a free text field where there may be other information related to well-being in the class (question 22).

In Arendal municipality, Spekter has been used in five schools. Hisøy School started using Spekter in 2018. The school has pupils in primary and lower secondary school (1st to 10th grade). Prior to the survey, the students were informed about Spekter in the classes and the parents at a parent meeting. At the parent meeting, information was also referred to on the Learning Environment Center's website. The Learning Environment Center has prepared an information leaflet on Spekter for parents, where, among other things, information is provided about the parents' right to access.

When completing Spekter, the students log in with their Feide identity, which uniquely identifies the student. Feide is the national solution for secure login and data sharing in education and research.

It is the school owner, ie the municipality / county municipality that is responsible for processing the personal data. The Learning Environment Center is a data processor, and processes personal data on behalf of the data controller by delivering and administering Spekter. The Learning Environment Center entered into a data processor agreement with Arendal Municipality in August / September 2018. Bouvet Norge AS is responsible for the technical operation of the solution. There is a data processor agreement between Læringsmiljøsenteret and Bouvet Norge AS.

The Data Inspectorate asked Arendal municipality for a statement in a letter on 4 March 2019. The municipality issued its statement on 8 April 2019.

The Norwegian Data Protection Authority notified the municipality on 24 June 2019 that the authority would impose a ban on the processing of personal data obtained using Spekter and that the authority would order the municipality to delete the information. The municipality submitted comments on the notification on 23 August 2019. After the municipality received the notification, the schools have not used Spekter and all the personal information obtained has been deleted.

On 23 October 2019, the Data Inspectorate made the following decision:

«1. Arendal Municipality has no legal basis for the processing of personal data in the mapping tool Spekter, cf. the Privacy Ordinance Article 6. On this basis, the Data Inspectorate introduces a ban on the processing as described in the case, cf. the Privacy Ordinance Article 58 no. 2 letter f.

2. As as a result of Arendal municipality not having a legal basis for processing personal data obtained using Spekter, the municipality must delete all personal data stored in connection with the use of the mapping tool, cf. the Privacy Ordinance Article 17 no. 1 letter d. »

The Data Inspectorate assumed that the municipality's processing of personal data about pupils in Spekter violated basic principles of personal data protection, including transparency and accuracy, and that the processing violated key obligations for information security.

On 13 November 2019, the municipality submitted a timely appeal against the Data Inspectorate's decision.

The Data Inspectorate assessed the complaint, but found no reason to change its decision. The case was sent to the Privacy Board on 3 July 2020. The municipality was informed of the case in a letter from the board on 7 July 2020, and was given the opportunity to comment. The municipality has not submitted any comments. The tribunal has obtained additional information about Spekter from the Learning Environment Center by contacting 29 September 2020.

The case was discussed at the tribunal's meeting on 9 November 2020. The Privacy Board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg and Hans Marius Tessem. Secretariat leader Anette Klem Funderud was also present.

The Data Inspectorate's decision in outline

Especially categories of personal information

The Authority discusses whether the investigation involves a processing of health information, cf. Article 9 of the Privacy Ordinance, but ends up not taking a position on this issue. The audit points out that the school owner, partly as a result of the free text field in the questionnaire, cannot rule out that the content of the answer form will involve a processing of special categories of personal data. The Authority points out that this will be important for the data controller's obligations under Articles 32, 35 and 25.

Legal basis

The Data Inspectorate discusses whether the Education Act, Chapter 9A (§§ 9 A-1 to 9 A-5) provides a sufficient supplementary legal basis for the processing, together with the Privacy Ordinance Article 6 No. 1 letter c or e, cf. Article 6 No. 3, as of Arendal municipality is stated as a basis for treatment.

The Data Inspectorate is based on the Education Act § 9 A-3 second paragraph which states that "(s) coal shall work continuously and systematically to promote the health, environment and safety of students so that the requirements in or pursuant to the chapter are met." The audit then concludes that the processing of information in the Spekter mapping system is not a necessary precondition for being able to fulfill the legal obligation imposed on the school through the Education Act, Chapter 9 A, including the activity obligation in § 9 A-4. The mentioned provisions in the Education Act, in the Data Inspectorate's assessment, do not meet the requirement for a supplementary national legal basis in the Privacy Ordinance Article 6 no. 3. The Authority provides a supplementary account of its interpretation of the Education Act, which is not reproduced here.

The Norwegian Data Protection Authority points out that the processing of personal data in Spekter entails a major encroachment on the right to the individual child's privacy, including privacy. In addition, the information is of such a sensitive nature and the way the survey is conducted is intrusive. Children are entitled to special protection under the Privacy Ordinance. All these circumstances indicate that the legal basis must be sufficiently clear, predictable and proportionate and must contain the necessary guarantees for the data subject.

Although it is not a requirement for a supplementary national legal basis that it should exhaustively describe which personal data can be processed and how, the basis must generally satisfy both the principle in the European Human Rights Convention (ECHR) Article 8 on requirements of necessity and proportionality, the basic principles of the Regulation in Article 5, the Constitution § 102 on the right to respect for privacy etc. and the principle of legality in Norwegian law. The more intrusive a processing of personal data is, the clearer the legal basis for the processing must be, cf. Prop. 56 LS (2017-2018) section 6.3.2 page 33.

Transparency

Overall, it is the Data Inspectorate's assessment that there is too little transparency about the processing of personal data in Spekter, and that the processing is thus unpredictable for students and parents. The fact that the Data Inspectorate has received a number of complaints about this tool reinforces this impression.

Without information, the data subject is in practice barred from using his other rights such as the right of access, correction and deletion.

Information work that is intended to comply with the principle of openness and the rights to information and access in the Privacy Ordinance must be documentable, cf. the Privacy Ordinance Article 6 No. 2 and Article 24. Without documentation of what information is provided and in what context, and compared Since the information that parents are referred to on Spekter's website is misleading, the information given through briefings in class and at parent meetings, in the opinion of the supervisor, cannot be given much weight.

With regard to the data subjects' ability to exercise their rights under the privacy regulations, Arendal municipality only refers to the privacy statement of Spekter. In the Authority's assessment, this privacy statement is deficient.

Accuracy

The Norwegian Data Protection Authority points out that everyone who processes personal data must ensure that the information is of good quality and correct, cf. the Privacy Ordinance, Article 5, paragraph 1, letter d and Article 24.

From a privacy perspective, the Data Inspectorate considers it problematic that allegations of rioting and bullying remain without those who are named as troublemakers, bullies or victims of bullying being given an opportunity to counter these allegations. Spectrum is not an information system intended for transparency and contradiction. In its privacy statement, Spekter even argues on its website that students or parents do not have the right to access the personal information that emerges. Without the right of access, it is not possible to refute allegations or come up with your own version of events. Without effective mechanisms to ensure the quality of the information, or provide the opportunity for correction, the principle of accuracy will not be met.

The principle of legality and assessment of privacy consequences

Legislation that is to form the basis for the processing of personal data that is intrusive for the individual must have a clear legal basis and be thoroughly investigated with regard to privacy consequences, cf. the Privacy Ordinance Article 5 no. 1 letter a, ECHR Article 8, Constitution 102 on the right to respect for privacy, etc., the principle of legality and Article 35 no. 10.

The legal provision that the municipality believes authorizes the processing is very unspecific and does not provide any instructions on which personal data can be processed, how the answers are to be interpreted and further processed, nor has any requirements or restrictions in processing operations and disclosures. The preparatory work for the law does not contain any evidence to say that the legislator has assessed the extent to which personal data must be processed to fulfill tasks related to the preventive anti-bullying work imposed on the municipality, and consequently no assessments of any consequences for personal data protection.

Without special measures and guarantees that can effectively safeguard students 'and parents' rights and freedoms in accordance with the privacy regulations, the Authority cannot see that the described treatment can be legal.

Protocol, risk assessment and assessment of privacy consequences

The municipality has not kept a record of the treatment activities in Spekter. This constitutes a violation of Article 30 of the Privacy Ordinance. The municipality has also not carried out a risk assessment when purchasing Spekter in accordance with Article 32 (2) of the Ordinance.

The municipality has a duty to assess privacy consequences in "Processing of personal data to evaluate learning, mastery and well-being in schools and kindergartens", cf. the regulation article 35 no. 1, cf. no. 7 and the Data Inspectorate's list of processing activities where privacy consequences must always assessed. Failure to assess privacy implications is a breach of Article 35 (7) of the Privacy Regulation.

Conclusion

Arendal Municipality's processing of personal data about pupils in the mapping tool Spekter has no legal basis, cf. the Privacy Ordinance Article 6.

Arendal Municipality's processing of personal data about students in the mapping tool Spekter violates basic principles for personal data protection, including the principle of transparency and the principle of accuracy, cf. the Privacy Ordinance Article 5 no. 1 letters a and d.

Arendal Municipality's processing of personal data about pupils in the mapping tool Spekter violates key obligations for information security, including the obligation to carry out risk assessments in the Privacy Ordinance, Article 32 no. 2.

Arendal Municipality's processing of personal data about pupils in the mapping tool Spekter violates the obligation to assess privacy consequences and implement measures for processing that entails a high risk for the data subjects' rights and freedoms, cf. the Privacy Ordinance Article 35.

It is the Data Inspectorate's assessment that the breaches of the Privacy Ordinance are so serious that it is necessary to introduce a ban on the processing as described in the case, cf. the Privacy Ordinance Article 58 no. 2 letter f.

Arendal municipality's view of the case in outline

The Data Inspectorate has partly based on incorrect facts regarding Spectrum and the use of the survey. The Data Inspectorate's report does not state how the school worked further with the data that was collected and the municipality disagrees with parts of the presentation of how privacy was taken care of with regard to adversarial etc. There are good research-based mechanisms for quality assurance of the information so that the principle of accuracy is met. The school uses supervisors prepared by the Learning Environment Center for this.

Spectrum was to be used as a supplement to other more traditional mapping in the systematic student environment work, and was not to replace this. Both students and parents are given information about Spekter in advance. The information provided satisfies the duty to provide information and the principle of transparency. The municipality is puzzled by the Data Inspectorate's assessment that information given in class and at parent meetings "cannot be given special weight." The country's professional authority on learning and the learning environment, the Directorate of Education, has recommended the use of Spekter.

Basis for treatment

The municipality has a processing basis in the Privacy Ordinance Article 6 No. 1 letter c to process personal data about the pupils in Spekter (legal obligation), cf. the Privacy Ordinance Article 6 No. 3, cf. the Education Act Chapter 9 A (§§ 9 A-1 to 9 A -5).

The requirement for a supplementary legal basis in Article 6 no. 3, which states that "[t] he purpose of the treatment shall be determined in the said legal basis", is fulfilled in the Education Act, Chapter 9 A on "Pupils' school environment". The Education Act stipulates the school's activity obligation towards the pupils. There is no requirement that the supplementary legal basis must regulate the processing of personal data explicitly. According to the wording of Article 6 no. 3, it is sufficient that the supplementary legal basis imposes on the data controller a legal obligation which it is necessary to process personal data in order to fulfill, cf. Prop. 56 LS (2017-2018) section 6.3.2 page 33 and Advocacy 45 of the Regulation 45.

The Education Act clearly expresses the need for mapping the pupils' learning environment, cf. the requirement for clarity in the ordinance's point 41. , cf. Prop. 57 L (2016-2017) point 5.5.2.6.

It follows from the Education Act § 9 A-3 second paragraph that the school shall "work continuously and systematically to promote the health, environment and safety of students". The provision means that the school cannot be content with passively waiting for someone to complain about the conditions. The school must work systematically throughout the school year, random sampling is not enough. Spectrum is a suitable tool for fulfilling the school's duty to systematically promote health, environment and safety for students.

The school must also “ensure that the pupils involved are heard. What is best for the pupils shall be a fundamental consideration in the school's work », cf. the Education Act § 9 A-4 fifth paragraph. The duty to let students be heard is a key principle of the law. Spekter gives the students the opportunity to express themselves about their everyday work and how they thrive, and works well as a supplement to map the rivers' psychosocial environment, as the students give honest feedback in the survey. This has been an effective tool to ensure that students are heard.

Spekter also takes into account students who are suspected of offending other students or have offended other students. The answers from the survey are used to initiate student conversations with the person who is alleged to have been bullied, the person who is alleged to be bullying, as well as other students to deny or confirm whether the statement is true. The person who is alleged to be bullying must be heard in the process and ensured contradiction.

The Ministry assumed that as a consequence of the actions required by the activity obligation, the school has both a duty and a right to process personal data. This applies to both ordinary personal information and sensitive information. The Ministry considered that the requirement for a basis for processing, in what was then the Personal Data Act § 8 ​​and § 9 first paragraph letter b, was fulfilled in that «the activity obligation provision so clearly presupposes the processing of personal data», cf. Prop. 57 L (2016-2017) point 5.5.2.6. The provisions correspond to the current Article 6, No. 1, letter c in the Privacy Ordinance, that the processing of personal data is necessary to fulfill a legal obligation incumbent on the data controller.

The Data Inspectorate thus errs when it concludes that the preparatory work for the Act does not indicate that the legislator has assessed the extent to which personal data must be processed in order to fulfill the tasks imposed on the municipality. On the contrary, the draft legislation shows that the legislator has assessed which personal data is processed, which is information about students' well-being at school, who may be bullying and who is being bullied. The legislature has also assessed this type of information against the personal data protection and concluded that the processing of personal data is necessary to achieve the purpose of a good psychosocial environment for the students.

Possible processing of special categories of personal data

In principle, the Spectrum Survey does not imply that sensitive information about oneself or others is provided. If a student is bullied, this can have consequences for the person's health conditions and this can, after a specific assessment of the individual situation, possibly constitute health information that falls under "special categories" of personal information.

When the school uses Spekter, it is as part of the activity duty to ensure a safe school environment and prevent bullying. If the school processes health information in connection with a student being bullied, it is to offer the student the necessary health care. In our opinion, the processing of personal data thus takes place in connection with the administration of a health service or system based on national law, including to ensure the pupil's psychosocial environment in school in accordance with the Education Act, Chapter 9 A. Furthermore, the data is processed by employees to (…) the national law of the Member States », cf. Article 9 no. 3, as the staff in the school is subject to a duty of confidentiality pursuant to section 13 of the Public Administration Act.if it becomes necessary in the specific case. The preparatory work explicitly mentions the right of the school to process both ordinary and sensitive personal data.

Summary

The Norwegian Data Protection Authority has to an insufficient extent relied on the information on how Arendal municipality has actually used Spekter. Furthermore, the Norwegian Data Protection Authority seems to have not emphasized enough the methodology for the use of Spekter, which is research-based and documented through appendices in the case from the Learning Environment Center at UiS. Here, there is a failure in the actual basis for the decision that has affected the content of the decision.

Arendal Municipality has a legal basis for the processing of personal data in the mapping tool Spekter, cf. the Privacy Ordinance Article 6 with supplementary legal basis in the Education Act, Chapter 9 A.

For the municipality, Spekter has been a suitable tool when less intrusive measures (eg anonymous student surveys) have not proved to be sufficient. The municipality's thorough considerations before use have helped to ensure proportionality between goals and means. A concrete assessment has been made by the school management on a case-by-case basis.

With regard to transparency, reference is made to the description of information given in advance of the survey, etc. above. The municipality believes that the information provided is satisfactory.

Regarding accuracy, reference is also made to the description given above. The municipality also refers to the guide that is used and which i.a. shall take care of the consideration of adversarial proceedings. Student interviews with those involved are always conducted.

The municipality has acknowledged that no minutes have been kept and will comply with this in the future.

With regard to risk assessment, the municipality has used a survey recommended by the Norwegian Directorate of Education and has considered the Learning Center at the University of Stavanger as a serious partner, and a thorough data processor agreement has been signed. The schools are also experienced in good and secure handling of personal information and employees have a duty of confidentiality. Nevertheless, the municipality wishes to learn from the criticism from the Norwegian Data Protection Authority regarding risk assessment, and will make a more detailed risk assessment in the event of future use of Spekter.

The Privacy Board's assessment

Collection and use of information using the mapping tool Spekter is to be regarded as a processing of personal data that falls within the scope of the Personal Data Act and the Privacy Ordinance. This means that the processing must have a legal basis for processing in the privacy claim Article 6, as well as in Article 9 if the processing also includes special categories of information. In addition, the processing of personal data must take place in a lawful, fair and open manner, cf. Article 5 of the Privacy Ordinance, so that, among other things, the data subjects' rights stipulated in Chapter III of the Privacy Ordinance are safeguarded.

Basis for treatment

The general rules on the basis for processing follow from Article 6 of the Privacy Ordinance, and the tribunal assumes that the relevant basis for processing in this case is Article 6 no. 1 letter c "the processing is necessary to fulfill a legal obligation incumbent on the data controller". In accordance with Article 6 (3), the legal obligation must be laid down in Union law (letter a) or in national law (letter b). Arendal Municipality has stated the Education Act Chapter 9 A «Pupils' school environment» as a supplementary legal basis and the question for the tribunal is whether the Education Act Chapter 9 A is a sufficient legal basis for the processing of personal data that takes place using the mapping tool Spekter.

It follows from Article 6 (3) of the Privacy Ordinance that the purpose of the processing shall be determined in the said legal basis. However, it is not necessary for the supplementary legal basis to regulate the processing explicitly, cf. the regulation's advocacy clause 45 and the preparatory work for the Personal Data Act, Prop.

"Overall, the wording of Article 6 (3) suggests that a supplementary legal basis must be demonstrated in Union or national law, but that it is not necessary for the supplementary legal basis to expressly regulate the processing of personal data. In this connection, the Ministry also refers to Article 35 no. 10, where it is presumed that the legal basis for processing pursuant to Article 6 no. 1 letter c and e does not need to specifically regulate the processing activities.

Nor does the preamble to the regulation support an unconditional requirement that the processing of personal data must be expressly regulated in the supplementary legal basis. Proposition 45 states that the treatment in these cases should "have a legal basis in Union law or the national law of the Member States", but that "a special legal provision is not required for each individual treatment".

The Ministry states in the same place that it is sufficient according to the wording in Article 6 no. 3 that the supplementary legal basis imposes on the data controller a legal obligation which it is necessary to process personal data in order to fulfill.

In some cases, however, it is not sufficient to meet the minimum requirements in the wording of the regulation, as it appears from Prop. 56 LS (2017-2018) section 6.4 page 35, where the Ministry states:

"At the same time, there is no doubt that the general rules of the Regulation, possibly in combination with a supplementary legal basis that only meets the minimum requirements according to the wording of Article 6 (3), will not always provide sufficient specific legal basis or necessary guarantees in accordance with the Constitution and the ECHR. It will then be necessary to formulate more specific legal bases and additional guarantees in national law, and in many cases it will be necessary to have explicit authority in special legislation. In other words, the regulation must be interpreted and applied in light of the Constitution and the ECHR.

[…]

What is required of the supplementary legal basis cannot be answered in general, but must be decided after a specific assessment. "

When the Education Act was amended in 2017, the purpose of the new rules was to "strengthen the rights of students who are bullied and their parents, and be an effective tool against bullying and poor school environments", cf. Prop. 57 L (2016-2017) item 1 page 5, where it says:

«The proposal entails a full revision of the current chapter on the school environment in the Education Act. In a completely new chapter 9 A, both new rules and changes to existing ones are proposed. Clear and strict duties are imposed on school owners and schools. There is a clear expectation in the regulations that the schools will mobilize the preventive work, and show quick and effective action in individual cases. If the schools do not react quickly and correctly, the pupils should be able to easily have the case tried by the county governor and the school owner can receive daily fines. The protection of pupils' right to a safe and good school environment is given priority in this proposal for new school environment rules. "

Regarding the school's processing of personal data in connection with the activity obligation that is introduced, the ministry says in section 5.5.2.6 page 27/28:

«The duty of activity that the ministry proposes to legislate presupposes that personal data of various kinds are processed. The Ministry assumes that as a consequence of the actions required by the activity obligation, the school has both a duty and a right to process personal data. This applies to both ordinary personal information and sensitive information. The ministries [t] consider that the requirement for a basis for processing, cf. the Personal Data Act § 8 ​​and § 9, first paragraph, letter b, is met in that the activity obligation provision so clearly presupposes the processing of personal data. In the Ministry's view, an explicit legal basis for such processing is superfluous to include in the Education Act, Chapter 9 A. There are also no explicit legal sources for other areas in the Act where the processing of personal data is also relevant.The Ministry also refers to Meld.St.11 (2011–2012) Privacy - prospects and challenges chapter 6 where legal authority as a basis for processing personal data is discussed. »

According to the Education Act § 9 A-2, all pupils have the right to a safe and good school environment that promotes health, well-being and learning. It is specified in the comments to the provision that it is the student's own experience that is decisive for whether the student has a safe and good school environment. § 9 A-3 states that the school shall have zero tolerance for violations such as bullying, violence, discrimination and harassment and in the second paragraph it is stipulated that the school «shall work systematically to promote the health, environment and safety of students, so that requirements in or pursuant to the chapter are met ». In § 9 A-4, the school is required to have an activity obligation to ensure that the pupils have a safe and good psychosocial environment. The activity obligation is divided into five action obligations, and sets requirements for ensuring the students' participation and for documentation. Duties to follow,Intervene and notify the principal in the first and second paragraphs of the provision are duties that apply to the school's employees. The third paragraph imposes a duty of investigation on the school and the school is in the last paragraph required to document what has been done to fulfill the activity duty.

There is no doubt that the school, in order to fulfill its obligations under the Education Act, Chapter 9 A, must process a number of personal data, as the Ministry has also assumed in the draft legislation. All the information requested in the questionnaire in Spekter (see listing initially under "Background to the case"), is information that in the tribunal's assessment is relevant and necessary for the municipality to fulfill its duty under the law to work systematically to ensure a safe and good school environment. There is therefore nothing about the nature of the information that is collected that means that the legal basis in the Education Act is not a sufficient legal basis for collecting and processing the information. Although the information may be qualitatively different in digital collection compared to collection via, for example, observations and student interviews,nor is this something which means that the legal basis in this case is not considered sufficient. The tribunal does not see it as its task to assess the suitability of Spekter versus other ways of collecting the same information.

The tribunal then concludes that Arendal municipality has a basis for processing the processing of personal data that takes place using the mapping tool Spekter in the Privacy Ordinance, Article 6, No. 1, letter c, cf. the Education Act, Chapter 9 A.

The question of particular categories of information

If the information processed belongs to the group of special categories of personal data, cf. Article 9 (1), the municipality must, in addition to having a basis for processing pursuant to Article 6, also fulfill one of the conditions in Article 9 (2).

Based on the questions asked in Spekter, the tribunal assumes that the survey does not in principle require special categories of personal data. Bullying of a student can, however, have consequences for the person's health conditions, and information about this can therefore in some cases constitute health information. As the survey also uses possibilities for free text, the school cannot be sure that it does not also receive information that falls under article 9. However, this is not information that is requested and the school must therefore not have a basis for processing in article 9 for the actual collection of data in Spekter.

The tribunal notes that when designing data collection tools such as Spekter, the data controller can ensure that privacy-enhancing technologies are used, such as limiting the possibility of free text. This will be especially important when the tool is aimed at children and is used to map a topic that for many is very sensitive and difficult.

The tribunal points out that the possibility of receiving special categories of information sharpens the requirements for the data controller's assessment of the privacy consequences, the requirements for information security and the establishment of legal security guarantees for the data subjects.

Basic principles for the processing of personal data - especially about the data subjects' rights

Although the municipality has a legal basis for processing in Article 6, with supplementary legal basis in the Education Act, the processing of personal data must also take place in accordance with the other rules in the Privacy Ordinance, including the basic principles for processing personal data in Article 5 (1). Chapter III of the Privacy Regulation must also be safeguarded in order for the processing to be lawful.

In its decision, the Data Inspectorate has concluded that there is a lack of transparency about the processing of personal data that takes place in Spekter and that the data subjects are thus barred from using their rights with regard to access, correction and deletion. The audit has also concluded that the requirement for correct information has not been met and has pointed out that the municipality lacks mechanisms to ensure the quality, possibly correcting the information.

The tribunal first assesses whether the requirements for information to the data subject have been met.

The municipality has stated that it has informed the students about Spekter in the classes. The parents received information from the principal at the parents 'meeting, where reference was also made to further information on the Learning Environment Center's page about the Spectrum Survey, and the Learning Environment Center prepared a letter with information about Spectrum to parents, informing about the parents' right to access. According to the principal at Hisøy School, the parents would also receive general information about the results of the survey when it was completed.

Pursuant to Article 12 of the Privacy Regulation, the data controller shall take appropriate measures to secure the data subject as referred to in Articles 13 and 14. This includes that the data subject is entitled to information on who will receive the data (Article 13 (1) (e)), the court for access to and correction and deletion of the information (Article 13, paragraph 2, letter b), as well as information on whether the data subject has a duty to provide the information or may choose not to respond (Article 13, paragraph 2, letter f). As the survey presupposes that the students provide information about other students (who in the class decides the most, who in the class is bullied, who in the class bullies others? Etc.), the students who collect information will be entitled to information according to article 14 , and the right of access under Article 15.This can raise difficult trade-offs against teachers' duty of confidentiality and shows that it is both appropriate and necessary for the data controller to make an assessment of the privacy consequences for the students covered by the survey, cf. Article 35 of the Privacy Ordinance.

In the tribunal's assessment, the submitted information letter on Spekter that is given to guardians contains incorrect information when it is stated:

"The learning environment therefore considers that the students prior to the implementation, in the same way as today, are assured that no other students or parents will have access to their answer."

This is, as the tribunal sees it, incorrect information and represents a violation of the pupils' right to clear and distinct information according to article 12. The pupils are entitled to information that what they tell about can be passed on, both to other staff at the school (for example principal), the student's parents and in severe cases also to other named students and their parents. This is not information that can be embezzled to the students in order to get the students to tell as much as possible.

Students must also be informed that they have no obligation to answer the questions asked in the survey and it must be ensured that the survey is set up so that they do not have to give an answer to proceed. Although the schools in the Education Act are subject to a legal obligation to work systematically to ensure a good school environment for all pupils, the Education Act does not impose any legal obligation on pupils to provide information. Information that the survey is voluntary and that one can choose not to answer questions is therefore important information that must be given to both the students and the parents, cf. Article 13 no. 2 letter f.

The privacy statement for digital Spekter states about the right to information and access and a correct reproduction of the rules that apply. However, it says nothing about how these rules are applied in practice by schools. A transcript has also been submitted from the Learning Environment Center's website on 24 September 2018, which contains supplementary information about the parents' right to access. It provides a sensible presentation of the various considerations that must be weighed against each other with regard to the children's right to privacy and the parents' right to information in order to exercise their parenthood. However, it does not affect how the right to access information is safeguarded for the student (and his or her parents) who has been designated as a bully. This can also raise difficult questions related to the Public Administration Act's provisions on confidentiality,right to adversarial etc. This again shows the need for the data controller to make a thorough assessment of the privacy consequences the use of the mapping tool raises for the individual data subject, and that written routines are prepared that show how the data subjects' rights under the Privacy Ordinance are safeguarded.

Following this, the tribunal proceeds to assess whether the requirements for quality and accuracy of the information have been met. It is the duty of the data controller to ensure that the information processed is of good quality and correct, cf. the Privacy Ordinance Article 5 no. 1 letter d. The requirement for correct information is supported by the data subject's right to have incorrect information corrected, cf. Article 16

The tribunal assumes that the information collected expresses the individual student's subjective assessments of the questions asked. Although the information provided is not necessarily objectively correct, it goes without saying that the student who, for example, is described as a bully, cannot simply demand the information corrected because he / she (or his / her parents) believe the information collected is incorrect. . The tribunal therefore assumes that the requirements for correct information are met by giving the students who are named as bullies the opportunity to defend themselves. In its complaint, the municipality has stated that the school uses the student responses to make an initial analysis of the results, before proceeding to obtain more information that can confirm or deny information from the students.The answers are then used to initiate student conversations with the person who is being bullied, the person who is being bullied, and other students to deny or confirm whether the statement is true. The principal at Hisøy School has also stated that if information emerges that the school must investigate further, the school will talk to the pupils and their parents. In the tribunal's assessment, these are satisfactory routines for ensuring the accuracy of the information.

Arendal municipality has subsequently been upheld in its complaint that they have a basis for processing to use the mapping tool Spekter in schools in the Privacy Ordinance article 6 no. 1 letter c, cf. the Education Act chapter 9 A. The municipality has not been upheld that their use of Spekter complies with the other rules of the Privacy Regulation, including the basic principles for the processing of personal data in Article 5 (1) and the rules on the rights of data subjects under Chapter III of the Privacy Regulation. In order for the municipality to be able to legally use the mapping tool Spekter in the future, written routines must be prepared that ensure compliance with these rules.

Arendal Municipality has acknowledged that they have not prepared a protocol in accordance with the Privacy Ordinance, Article 30. Both the protocol and other internal control routines are conditions that must be in place for Spekter to be legally used in the future.

Conclusion

1. Arendal municipality has a treatment basis for using the mapping tool Spectrum in schools in the Privacy Ordinance, Article 6, No. 1, letter c, cf. the Education Act, Chapter 9 A.

2. Arendal Municipality must, in order to be able to legally use Spekter in the future, establish internal control documentation and routines that ensure compliance with the Privacy Ordinance.

The decision is unanimous.

Oslo, 9 November 2020