IP - 07121-1/2020/638
|IP - 07121-1/2020/638|
|Relevant Law:||Article 58 GDPR
Article 49(1)(g) ZVOP-1
Article 2 ZInfP
Article 48 of the Labor Relations Act (ZDR-1)
|National Case Number:||07121-1/2020/638|
|European Case Law Identifier:||n/a|
|Original Source:||IP (SI)|
The Slovenian DPA (IP) issued a non-binding opinion regarding the processing of personal data of teachers and pupils when new technologies are used in order to offer or participate in a lesson. The IP opined that data controllers (i.e. schools) should seek for an adequate legal basis and pay attention in particular to their information obligation, the security of personal data, possible data transfers to the US and the principle of data minimisation.
The IP was asked about the records kept by schools and teachers regarding the communication with students and their parents. Issues arised due to different reasons, such as when teachers had to call parents from their private numbers because they would not respond to the professional e-mails, and the fact that they should keep a weekly record of their correspondence.
The IP first clarified that it can only give a general opinion and that it also addressed the questions to the Ministry of Education. It also clarified that the opinion does not address any aspect of employment context.
It found that such processing may be based on Article 48 of the Labor Relations Act (ZDR-1) as long as it is necessary and a private number may be used by a teacher only upon agreement with the employer. Working from home due to the pandemic outbreak inevitably leads to broader use of new technologies. Recordings have become necessary.
As for the processing of teachers' personal data, the IP found that teachers could withdraw their consent at any time according to Article 7(3) GDPR with regard to these recordings. For this reason is important to understand whether recordings should be considered to fulfill a "work obligation" according to ZDR-1. It is, thus, necessary that data controllers (i.e. schools) establish appropriate retention periods, provide adequate security for the processing of personal data and inform individuals of certain mandatory information as foreseen in Article 13 GDPR. All information should be given in a clear and transparent manner.
As for the processing of pupils' personal data, the IP found that consent is not the appropriate legal basis. For this exceptional situation the only appropriate legal basis would be Article 6(1)(c) GDPR since the processing is necessary to fulfill legal obligations of the controller. The legal obligation is defined by various national laws in the field of primary and secondary education. The IP is of the opinion that the Ministry of Education should provide a consistent legal basis for school and common guidance.
Consideration should also be given to the security of personal data and its transfer to third countries, as well as to the principle of data minimisation. The IP specifically emphasizes that the controller of personal data must maintain security at all stages of processing and in accordance with Article 32 GDPR. As for the data transfers to third countries, the IP states that many providers of the modern technologies are US based, so the data controllers should always check the list of the EU-US Certified Privacy Shield.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.
Date: 04/17/2020 Title: Personal Data Processing and Teacher Reporting and Keeping Records of Teaching and Distance Learning Number: 07121-1 / 2020/638 Subject matter: Employment relations, Informing an individual, Legal bases, Education, Personal data protection Legal act: Opinion Thank you for your questions regarding the provision of additional professional assistance at mainstream elementary school and decision-making lessons, and for keeping records regarding communication with students and their parents, as such is intended to be the responsibility of the competent ministry. The dilemmas that you raise in terms of personal data protection are: 1. Some parents are not responsive to your work email, and you are required to obtain feedback from them about their work for the school. Therefore, you are forced to call them from your private telephone number to their private number (which they otherwise provided to the school records). Due to the distance and obstacles to reimbursement in the given circumstances, it would be difficult to make contact from the school office telephone or. impracticable. 2. You must keep a record of your communication with parents and children on a weekly basis. You are asking what information can this record contain? At your discretion, it could include information that you communicated with your parents (yes / no), date and time of communication, duration of communication, and mode of communication (internet, telephone, other). However, you do not believe that the content of personal correspondence, including pictures and videos of children, should be easily provided without parental consent. On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question. IP initially emphasizes that beyond the inspection process, it cannot judge specific processing of personal data, nor can it evaluate and comment on the specific way of conducting and organizing distance education in terms of the adequacy and security of processing of personal data. The following is a general opinion on the bases for processing personal data and data security, which we have also addressed to the Ministry of Education, Science and Sport from the point of view of the use of various applications. The opinion covers both the processing of personal data of teachers and pupils. However, IP should not provide opinions on the employment aspects of the obligations and organization of teachers' work during these epidemic times. Processing personal data of teachers We make it clear that IP can only give an opinion on the processing of personal data, but not on other aspects of privacy interventions, copyright, organization of school work, teachers' work responsibilities, etc. that may arise in connection with the implementation of distance learning. Any processing of personal data must have an appropriate and legal legal basis. These are set out in Article 6 (1) of the General Regulation and are for the public sector to which educational institutions such as primary and secondary schools belong: consent in the case of non-performance of public tasks (point (a)), conclusion or performance of a contract (point (b)), law (point (c)), performance of a public task (point (e) in relation to the fourth paragraph of Article 9 of PDPA-1). According to the IP, only record keeping and related processing of personal data of a pedagogical worker, such as the collection, publication and storage of videos of his teaching hours may be allowed under the provision of Article 48 of the Labor Relations Act (Official Gazette RS, No. 21/13 , as amended), provided that such processing is necessary for the exercise of the rights and obligations arising out of the employment relationship or in relation to the employment relationship. In such a case, the employer is obliged to prove that such is the employee's personal data that he needs in the context of the employment relationship. In any case, an employee is not obliged to use a personal telephone unless they have agreed with the employer (in this case, the ZDR-1 also provides for adequate compensation for the use of his / her home work resources). In an emergency situation due to the Coronary Virus Epidemic (COVID-19), the use of new technologies, techniques and methods that are also linked to the work of home teachers is inevitable. The Information Commissioner certainly does not object to the use of information technology in the educational process and believes that especially in the current situation, the wise and proportionate use of information technology is indispensable for the implementation of a quality and stimulating educational process and for ensuring the effective fulfillment of teachers' work responsibilities. According to the Information Commissioner, many teachers already use this type of teaching. However, the IP believes that the training method of recording teachers should not be based on their possible consent, as this would not provide adequate continuity and quality of work, and teachers could refuse to use technological solutions that actually enable distance education. Finally, under Article 7 (3) of the General Regulation, teachers could also withdraw their consent at any time and the recordings should be deleted immediately, regardless of the potential consequences for the educational process and the equal treatment of pupils. For this reason, too, we consider it necessary to understand the use of recording in the provision of distance education as a fulfillment of a work obligation under Article 48 of the ZDR-1. In the light of all of the above, it is imperative that personal data controllers (ie schools) establish appropriate retention periods, provide adequate security for the processing of personal data, inform individuals of certain mandatory information referred to in Article 13 of the General Regulation and also address any copyright issue (the latter not otherwise falls within the competence of the Information Commissioner). With regard to information for individuals in accordance with Article 13 of the General Regulation, it should be emphasized that the controller of personal data must provide in a clear and transparent manner basic information concerning the processing of personal data, such as information about who processes personal data, the contact details of the controller, for what purposes it processes data, how long it retains and other information required by that provision. Processing of personal data of pupils / students The process of distance education has been designed by some teachers to require students to use modern information technologies, often involving the processing of personal data. Children should use a variety of online communication tools for distance education, including tools with video call function and related forms of participation, or students / students have to record the completion of a given task and record the teacher with a teacher's instruction. In processing personal data of children for the purposes of providing distance education, IP emphasizes that the classical consent of an individual (or legal representative of a child) is not the appropriate or appropriate legal basis on which such processing of personal data should take place. It is essential that distance education is a public-law exercise of an educational institution, not an activity for which parents, as legal representatives of children, can give free consent - as is traditionally given at the beginning of the school year on a prepared form (for example, posting photos in the school almanac, etc.). Of course, a very special situation is the collection of personal data, for which the law itself, for example. The Elementary School Act (Article 95) stipulates that this personal information is collected only in agreement with the parents of the pupils (in certain cases, except when the pupil is in danger in the family and needs to be protected). Such are, for example, information on pupils' mobility and morphological characteristics or information on pupils requiring assistance and counseling. The law (Article 95 of the Primary School Act) also stipulates that counselors are obliged to protect this information as a professional secret. As professional secrecy, this information is also obliged to be protected by other professionals to whom the data have been transmitted because of the nature of their work. For the processing of personal data of children in the online environment in the current state of emergency when distance education is taking place, according to the IP, in the framework of the above (the exception is data where, in addition to the law, consent is required by law), the only appropriate legal basis is 6 ( 1) (c) of the General Regulation, since processing is necessary to fulfill the legal obligation applicable to the controller. The legal obligation is broadly defined by the laws in the field of primary and secondary education, including the Primary School Act (Official Gazette of the Republic of Slovenia, No. 81/06 - UPB, as amended and supplemented), the Law on Grammar Schools (Official Gazette of the Republic of Slovenia, No. 1/07 - UPB, as amended and supplemented) and the Vocational and Technical Education Act (Official Gazette RS, No. 79/06, amended and supplemented), which define the obligation of schools to provide the intended forms of education, and the duty of pupils and students to fulfill their school responsibilities. Teachers' work responsibilities are further defined in the Organization and Financing of Education Act (Official Gazette of the Republic of Slovenia, No. 16/07 - UPB, as amended), which also stipulates in Article 119 “the collection and processing of data concerning by doing educational and other work. " Due to the exceptional circumstances of the COVID-19 virus prevention measures, which have temporarily altered the educational process, the Information Commissioner is of the opinion that the Ministry of Education, Science and Sport should provide this legal basis with a uniform guidance to schools. The IP has already called for this. Consideration should also be given to addressing concerns regarding the security of personal data and the release to third countries (to which we define below). In addition, schools or teachers should be reminded of the principle of the minimum amount of data, according to which no more personal data may be processed than is strictly necessary to carry out the educational process (principle of minimizing personal data). Your assessment, according to what you state, is therefore completely correct and correct, namely that in the case of reporting work with students who need help and counseling (when it comes to collecting the data referred to in point 4 of paragraph 1 of Article 95 of the Act elementary school) to report weekly on your communication with parents and children should be sufficient to report e.g. about communicating with your parents (yes / no), the date and time of the communication, the duration of the communication and the method of communication (internet, telephone, other). However, the school should, in the circumstances, determine how the documentation of student work is stored and how you work remotely. In doing so, the school should bear in mind that certain information is only collected with the consent of the parents, such as the parents. family and social history; developmental history; expertly interpreted results of diagnostic procedures; information on professional assistance or counseling procedures; documentation regarding the process of directing a student with special needs (this includes, of course, your correspondence and other materials that you obtain in the given distance working conditions); expert opinions of other institutions: centers for social work, health institutions, counseling centers or educational counseling centers. In any case, it does not seem appropriate, in this respect, to automatically and on a weekly basis provide all personal correspondence, including pictures and videos of children without the consent of their parents or parents, from the point of view of secrecy of correspondence. appropriate professional justifications and other legal bases. Namely, the school or the individual teacher must check the fulfillment of their tasks in a way that is least intrusive to the right to the protection of personal data and privacy of the child. The thing about securing data and how it is handled in the circumstances is how the school makes sure that all personal data (especially sensitive) is properly secured and that unauthorized persons are unaware of it. He cannot give specific instructions on how to implement IP in the opinion. Especially with regard to the security of the processing of personal data and the removal to third countries. With regard to the security of personal data, IP specifically emphasizes that the controller of personal data must protect it appropriately at all stages of processing. The first paragraph of Article 32 of the General Regulation states that, taking into account the latest technological developments and the costs of implementation, the nature, scale, circumstances and purposes of processing, as well as the risks to the rights and freedoms of individuals differing in likelihood and seriousness, adequate technical and organizational measures to ensure an adequate level of risk-based security. Ensuring the security of personal data can be particularly problematic when using online tools that teachers use at their discretion and preferably without prior consideration of ensuring the security of personal data. That is why we believe that the use of individual tools should be properly considered and, if possible, the choice of tools should be standardized. However, IP cannot and should not judge individual tools in terms of relevance and, above all, processing security in an opinion. Most of the most well-established tools for online communication enable t.i. end-to-end encryption, but not necessarily in all cases (this is not likely to be guaranteed, for example, if the call is made (partly) through a regular telephone line and not through a data transmission ) and not necessarily the default setting, and there are differences between applications in other aspects of security and privacy. Therefore, IP recommends that, before using these aspects, the data controller (or even your ministry, when making appropriate recommendations) consult with your IT colleagues before using it. An overview of the various aspects of security and privacy in online communication applications is available here: https://www.securemessagingapps.com/ Attention should also be paid to the possible transfer of personal data to third countries, as many providers of such solutions come from the US. We recommend that you check that the solution provider is on the EU-US Certified Privacy Shield list: https://www.privacyshield.gov/welcome. You can read more about exporting data to third countries on our web site https://www.ip-rs.si/protection-personal-data/obligations-management/transfer-private-data-in-third-state-and- international organizations / release-of-personal-data-in-the-us / and generally in the Information Commissioner's infographics: https://www.ip-rs.si/fileadmin/user_upload/Pdf/infografike/Download_of_Personal_data_in_the_steps.pdf.