Tietosuojavaltuutetun toimisto (Finland) - 5618/163/20

From GDPRhub
Tietosuojavaltuutetun toimisto - 5618/163/20
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 25(2) GDPR
Basic Education Act (628/1998)
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 5618/163/20
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

The Finnish DPA held that the Education Board of the Municipality has violated Article 5(1)(a),(c),(f) and Article 25(2) GDPR by making the personal data of the pupils visible in all primary and secondary schools in an address book of the used e-mail system.

English Summary

Facts

On 6 March 2020, a guardian lodged a case regarding the visibility of pupils' personal data in an address book of an e-mail system (edu.kunta.fi) used by the education provider (the controller). The applicant stated that every student in the municipality is affected, as their date is displayed in the e-mail records.

The data made visible consisted of the students´ names, classes, schools and school addresses.

On 18 October 2022, the controller made a statement, explaining how the e-mail system worked. The controller argued, inter alia, that limiting the visibility of student data to school-specific data would at least partly prevent cooperation between schools. The controller noted that the e-mail system used does not support the limitation of the visibility of said data.

The controller also declared that as an immediate measure, it would ensure that the data will no longer be visible in the address book and foresees other changes in the IT system of the municipality.

The legal question posed was whether the controller complied with the principle of lawfulness, fairness and transparency (Article 5(1)(a) GDPR), the principle of data minimisation (Article 5(1)(c) GDPR) and the principle of integrity and confidentiality (Article 5(1)(f) GDPR) when making visible the aforementioned personal data of the pupils.

Holding

The Finnish DPA made a reference to the principle of minimisation (Article 5(1)(c) GDPR) and Recital 39 of the GDPR, according to which, personal data should be adequate, relevant and necessary for the purposes of data processing.

It was noted by the DPA that it allowed the controller to teach the use of communication tools this way. However, it was also pointed out that it was not necessary that the recipient's address appear in the e-mail address book in order to send a message. Furthermore, it was also mentioned that teachers were allowed to process data about their pupils for the purposes of their work.

Moreover, the DPA considered that pupils also needed to process contact details of other pupils, with whom they were communicating related to school work. However, the DPA found that the data of people outside their own school were not necessary. The DPA also made a remark that even within the same school, the same considerations should be made.

The controller was found to have failed to provide any reasons as to the necessity of the personal data appearing in the address book used by the education provider in all of the municipality's schools. The fact that the system itself does not technically allow limiting the visibility of students' personal data does not constitute justification for the controller.

Thereafter, the DPA held that it was unnecessary that the personal data of every pupil in basic education are visible in every primary and secondary school of the municipality and that it is a breach of Article 5(1)(a) and (c) GDPR. The principle of confidentiality (Article 5(1)(f) GDPR) also had to be considered. The DPA pointed out that the making available of this data is also against this principle, highlighting that here, the processing of children's data is concerned.

Pursuant to Article 25 GDPR, the controller must take appropriate technical and organisational measures to ensure that only personal data necessary for each specific purpose of processing are processed by default. The DPA required the controller to use IT solutions in the organisation of basic education that are appropriate to the nature of the activity.

It was held that the controller failed to comply with the aforementioned provision of the GDPR. The extensive visibility of the pupils' data lacked appropriateness and necessity. The DPA issued a reprimand to the controller and an order (pursuant to Article 58(2)(d) GDPR) to bring the data processing operations in compliance with the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Visibility of students' personal data in the address book of the e-mail system used by the teaching organizer
Keywords: children's personal information
schools
data minimization
Legal basis: decision in accordance with the EU General Data Protection Regulation
Diary number: 5618/163/20
Decision of the Deputy Data Protection Commissioner
Thing
Visibility of students' personal data in the e-mail address book used by the teaching organizer

Registrar
Municipality (Education Board)

The applicant's requirements with justification
On March 6, 2020, the guardian initiated a case at the data protection commissioner's office related to the visibility of students' personal information in the address book of the email system in basic education organized by the municipality. According to the applicant, the student in the 3rd year of elementary school has been given an e-mail address ending in edu.kunta.fi. The information in the e-mail contains the information of all schoolchildren in the municipality. The address book shows the student's name, class, school and school address. The applicant said that the municipality or school has opened an e-mail account for the student and that the opening has been notified to the guardians. According to the guardian, the students' information in the e-mail address book should not be visible to all other e-mail users, because it is the information of minors and the procedure can expose them to bullying at school.

Statement by the registrar
According to the report given by the registrar on October 18, 2022, the student's name, email address, school, school address and class are shown in the e-mail address book used by the teaching organizer. According to the report, the students' information is visible to all persons who use the edu.kunta.fi account in the municipality. This group includes teaching services staff, school staff and school students, as well as high school students.

According to the report, at least in the current environment, it is very difficult to limit the visibility of students' data to a school-specific one, because it would be done by creating school-specific address books and Global Address Lists. It would partly prevent cooperation between schools, especially with regard to school staff. In any case, the corresponding information can be seen through Teams, because Teams does not obey those specifications.

The report states that the students' mutual use of e-mail has been very limited, because it has not been a communication channel in schools. As a rule, school staff use another means of communication with parents and students. For several years, pupils and students have also been using other means of communication. Most of the restrictions in the current environment were made before the GDPR regulation, and they have not caused any known problems or abuses.

As an immediate measure, the registrar says that it will transfer the category information transmitted to Active Directory to the Extension Attribute field, so that the group information/category information will no longer be visible in the Outlook address book or in Microsoft Teams. The municipality is also running a change project for basic information technology services, in connection with which the service provider will change and the structure of Active Directory will be substantially changed. In this context, the possibility of limiting the visibility of the Outlook address book and Teams data will be explored.

The applicant's equivalent
The applicant was asked for a return on 17 November 2022. The applicant has not given an equivalent.

On applicable legislation
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (data protection regulation) has been applied since 25 May 2018. As a regulation, the legislation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The data protection regulation is specified in the national data protection act (1050/2018). The processing of personal data may also be affected by other legislation applicable to the activity. The Basic Education Act (628/1998) provides for the organization of basic education, which is the subject of the case.

A legal question
The Deputy Data Protection Commissioner assesses and resolves the matter as mentioned above on the basis of the Data Protection Regulation (EU) 2016/679, the Data Protection Act and the Basic Education Act. The matter concerns the processing of students' personal data in the address book of the e-mail service used to organize basic education. The matter must be resolved:

1. Has the data controller complied with Article 5 subsection a (principle of legality and reasonableness), subsection c (principle of data minimization) and subsection f (principle of confidentiality) of the data protection regulation, as well as Article 25 subsection 2, when students' personal data is stored in the e-mail used by the organizer of basic education are visible in the address book in all elementary schools and high schools in the city;

2. Should the data controller be given a notice in accordance with Article 58, subsection 2, subsection b of the Data Protection Regulation, if the processing operations have been in violation of the provisions of the Data Protection Regulation and

3. Should the data controller be given an order in accordance with Article 58, paragraph 2, subparagraph d of the Data Protection Regulation to bring the processing operations into compliance with the provisions of the Data Protection Regulation, if necessary in a certain way and within a certain deadline.

Decision and reasons of the Deputy Data Protection Commissioner
Decision
The registrar (organizer of basic education) has not complied with Article 5, Paragraph 1, subparagraph a (lawfulness and reasonableness), subparagraph c (minimization) and subparagraph f (confidentiality) of the Data Protection Regulation, nor with Article 25, paragraph 2, of the Data Protection Regulation when it has placed the personal information of its students available in the address book of the e-mail system they use, so that the information is visible in all elementary schools and upper secondary schools in the city. The address book shows the student's name, email address, school, school address and class. The registrar has not been able to demonstrate the appropriateness and necessity of such wide visibility of its students' information in the organization of basic education.

The deputy data protection commissioner gives the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the data protection regulation, because the processing of students' personal data in the address book of the e-mail system has been in violation of the data protection regulation.

The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the Data Protection Regulation to bring the processing operations into compliance with the provisions of the Data Protection Regulation. The registrar must reevaluate making the personal data of students in basic education available in the e-mail address book they use. The registrar must make sure that it no longer processes its students' information in the e-mail system's address book in such a way that it is visible outside its own school, unless there are grounds for wider visibility related to the situation and the organization of teaching. Having students' information available in the e-mail address book must also be necessary and justified within the school itself in terms of organizing basic education.

The order is not given to pseudonymize the data, but to limit the availability of the students' data to a limited group. The decision does not concern making the email addresses of the school staff available in the address book of the email system.

Reasoning
Registrar
The matter at hand is related to the organization of basic education, where the municipality is the organizer of basic education and the data controller in the processing of the personal data of its students. The registrar's responsibility is regulated at a general level in Article 24 of the Data Protection Regulation, which is interpreted together with other regulations on the registrar's obligations. It appears from the report given by the registrar that the municipality buys e-mail services from an external service provider. The controller may use the services of external service providers in its operations, but the controller is responsible for the processing of personal data in accordance with the data protection regulation.

Requirements of legality, reasonableness and data minimization and confidentiality
Article 5(1)(a) of the Data Protection Regulation stipulates that personal data must be processed in accordance with the law and appropriately (principles of legality and reasonableness). According to paragraph 1(c) of the same article, personal data must be relevant and relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimization). According to Article 5, paragraph 1, subsection f of the Data Protection Regulation, personal data must be processed in a way that ensures the appropriate security of personal data, including protection against unauthorized and illegal processing and against accidental disposal, destruction or damage using appropriate technical and organizational measures (integrity and confidentiality).

The case at hand concerns the display of students' personal information in the address book of the e-mail used by the organizer of basic education for all other users of the same e-mail. The address book shows the student's name, e-mail address, as well as the student's school, school address and class. According to the information received from the municipality's website, basic education is organized in 12 school units in the municipality. There are schools for lower grades in different parts of the municipality. In addition, there is one high school in the municipality. In addition to his own school, the information of students in elementary education is displayed in the e-mail address book for pupils, students and employees of all other elementary schools and upper secondary schools in the municipality.

The registrar states in his report on 18 October 2022 that, at least in the current environment, it is technically very difficult to limit the visibility of students' data to a school-specific one. It would partly prevent cooperation between schools, especially with regard to school staff. According to the report, the students' mutual use of e-mail has been very little, because it has not been a communication channel in schools. As a rule, school staff use another means of communication with parents and students. Pupils and students have used other means of communication. According to the report, most of the restrictions in the current environment were made before the GDPR regulation, and they have not caused any known problems or abuses

The Deputy Data Protection Commissioner draws attention to the principle of minimization laid down in Article 5, Paragraph 1, Subsection c of the Data Protection Regulation. According to paragraph 39 of the preamble of the Data Protection Regulation, personal data should be sufficient and essential and limited to what is necessary for the purposes of their processing. According to it, personal data must be processed only if the purpose of the processing cannot reasonably be achieved by other means. The European Data Protection Board has also issued practical instructions on this principle. According to these instructions, you should first find out whether the processing of personal data is necessary at all. The processing of personal data is expressly advised to be avoided whenever possible. In addition, it has been separately emphasized that the personal data being processed must be relevant for the purpose of the processing in question. All processed personal data should also be necessary to achieve a separately defined purpose. The processing of certain personal data would only be permitted if the purpose of the processing cannot be achieved in other ways.

According to the Deputy Data Protection Commissioner, it is clear that communication tools can be used and taught to use them in the organization of basic education. The confidentiality of communication must also be guaranteed. According to the information received by the Deputy Data Protection Commissioner in connection with the handling of another similar case, in the organization of basic education, communication between students in different basic schools and also between those in basic education and upper secondary education may be necessary in order to implement multidisciplinary learning units according to the basic education curriculum. Teachers need to communicate with the students they teach, and the students may be in different schools than themselves. The Deputy Data Protection Commissioner notes that these situations do not, however, apply to all students in different year classes of basic education.

The deputy data protection commissioner draws attention to the fact that an e-mail message can also be sent to the recipient based on an address obtained in advance and the communication will not be blocked, even if the recipient's address does not appear in the e-mail address book. If the sender of the message does not know the recipient's name, even the address book does not ensure that the message is sent to the right recipient. If a message is sent to an address that is not the recipient's address, the message will not be delivered, and the sender will be notified. The use of the address book also does not completely exclude incorrect communication even when it comes to recipients with the same name. The appearance of a wide address list in the e-mail address book can, of course, in itself reduce the risk of sending errors to the wrong recipient caused by human errors (such as typos). At the same time, the procedure creates risks for the processing of students' personal data. Sending a message to the correct recipient is partly ensured by the fact that the recipient's name appears in the email address, even if the email address does not appear in the address book of the email system.

The registrar also justifies his procedure by the fact that in the e-mail system used to organize basic education, it is not technically possible to limit the visibility of students' personal data in the address book to within one school. The controller also states that the service it uses is a large entity. Not all features or services support visibility restriction equally.

The Deputy Data Protection Commissioner states that school teachers can process information about their students that they need in their work. The students, on the other hand, need to process the contact information of the students with whom they are required to communicate in schoolwork. The Deputy Data Protection Commissioner states that the data controller has not presented reasons why it is necessary for the organization of basic education that all students' information appears in the e-mail address book used by the organizer of basic education in all elementary schools and high schools in the municipality. Not all students have the necessary communication with people outside their own school. The fact that it is not technically possible to limit the visibility of students' personal data in the e-mail used by the data controller is not a reason to process students' personal data more widely than what is required by the tasks related to the organization of basic education. Such a procedure leads to an unnecessarily extensive processing of students' personal data, which is not appropriate for the tasks of the controller.

The Deputy Data Protection Commissioner therefore considers it unnecessary for the processing of students' personal data in terms of organizing basic education that the information of all students in basic education is displayed in all other basic schools and high schools in the municipality in addition to his own school. In terms of the purpose of the processing, the processing of data that is unnecessary is also not appropriate in terms of the tasks of the organizer of basic education. The Deputy Data Protection Commissioner considers that such extensive visibility of basic education student's data is contrary to Article 5(1)(a) and (c) of the Data Protection Regulation. The deputy data protection commissioner also draws attention to the fact that the requirements of reasonableness and data minimization must also be taken into account in the student's own school. The registrar must therefore assess whether it is necessary for the organization of teaching that the information in the student's e-mail address book is always visible to all e-mail users even in his own school.

The deputy data protection commissioner draws attention to the fact that the processing of children's personal data is an issue in the organization of basic education. According to paragraph 38 of the preamble of the Data Protection Regulation, efforts must be made to protect the personal data of children in particular. Children may not be very well informed about the risks, consequences, relevant protective measures or their own rights related to the processing of personal data. Risks may arise in accordance with section 75 of the preamble of the Data Protection Regulation when processing the personal data of vulnerable natural persons, especially children.

The principle of confidentiality laid down in Article 5(1)(f) of the Data Protection Regulation should also be taken into account. Personal data must be processed in accordance with section 39 of the preamble of the Data Protection Regulation in such a way as to ensure the appropriate security and confidentiality of personal data. In the evaluation of the measures regarding the security of the processing required according to Article 32, paragraph 1 of the Data Protection Regulation, the risks of varying probability and severity arising from the processing of personal data to the rights and freedoms of the data subject must be taken into account. The security of personal data processing requires appropriate measures, the purpose of which is to guarantee the proper implementation of the data processing task. The deputy data protection commissioner considers that making student information available in the address book of the e-mail system in all other elementary schools and upper secondary schools in the municipality is also against the principle of confidentiality, taking into account that the matter is about the processing of children's information.

Disclosure of student information
Article 86 of the Data Protection Regulation enables the right to publicize official documents and the right to protection of personal data according to the Data Protection Regulation to be reconciled. According to Section 28 of the Data Protection Act, the provisions on public authorities' activities are applied to the right to receive information and other disclosure of personal data from the authority's personal register. Paragraph 3 of Section 16 of the Act on the Publicity of Public Authorities' Activities (621/1999, Publicity Act) concerns the disclosure of public information from the authority's personal register, e.g. in electronic format. The condition for handing over information is that the recipient has the right to store and use such information according to the provisions on the protection of personal data. The grounds for disclosure of confidential information are laid down in Section 26 of the Publicity Act.

Student information that appears in the e-mail system's address book is public information, according to the National Board of Education's guide, unless the provision of information reveals a matter that should be kept secret on other grounds. The Deputy Data Protection Commissioner states that the evaluation of the public disclosure and confidentiality of information is based on the Publicity Act and the Deputy Data Protection Commissioner does not have the authority to assess the matter. However, the data protection regulation applies to the processing of information that is considered to be public, if it concerns the processing of personal data. The case at hand concerns the processing of personal data.

The Deputy Data Protection Commissioner states that making the students' personal data visible in the e-mail address book also involves handing over the students' personal data to third parties, which is only possible on legal grounds. Even if there is a basis referred to in section 16, subsection 3 of the Publicity Act, the disclosure of information also requires that data protection principles be taken into account. The Deputy Data Protection Commissioner considers that making student information available in the address book of the e-mail system used by the primary education organizer so that it can be seen in all the city's elementary schools and upper secondary schools is against the reasonableness principle, the data minimization principle and the confidentiality principle of the data protection regulation. Therefore, the Deputy Data Protection Commissioner considers that the data controller has not complied with Article 5, Paragraph 1, Subsections a, c and f of the Data Protection Regulation.

Built-in and default data protection and proof obligation
Article 25 of the Data Protection Regulation provides for built-in and default data protection. The controller must implement appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. Paragraph 78 of the preamble of the Data Protection Regulation states that when developing, planning, choosing and using information systems, it must be taken into account that the data controller must be able to fulfill his data protection obligations.

According to Article 5(2) of the Data Protection Regulation, the data controller is responsible for it and must be able to prove that Article 5(1) of the Data Protection Regulation has been complied with. The controller must be able to demonstrate that the data protection regulation has been effectively complied with. The implementation of the measures must take into account the risk to the rights and freedoms of natural persons.

The deputy data protection commissioner draws attention to the fact that built-in and default data protection requires the data controller to use IT solutions that are suitable for the nature of the activity when organizing the basic education. The characteristics of the information system cannot be used to justify the legality of the processing of basic education students' personal data. The deputy data protection commissioner states that the data controller has not been able to demonstrate that data protection principles and built-in and default data protection have been followed in the case at hand.

About the case at hand
In the case at hand, the provisions regarding the processing of personal data laid down in Article 25, paragraph 2 and Article 5, paragraph 1, subparagraphs a, c and f of the Data Protection Regulation, and the demonstration of their compliance, are relevant. In the organization of basic education, an e-mail system must be used in its operations that enables compliance with data protection regulations in the processing of students' personal data.

The Deputy Data Protection Commissioner deems it appropriate to give the data controller a notice in accordance with Article 58(2)(b) of the Data Protection Regulation, because the processing of students' personal data in the address book of the e-mail service used by the organizer of basic education has been based on the grounds described in more detail above in Article 5(1)(a), (c) and (f) and Article 25(2) of the Data Protection Regulation against. The deputy data protection commissioner also gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the data protection regulation to bring the processing operations into compliance with the provisions of the data protection regulation. The registrar must make sure that the visibility of the students' information in the e-mail address book is necessary and appropriate for the organization of basic education, and the visibility of the students' information will be changed accordingly.

Applicable legal provisions
Those mentioned in the justifications.

Appeal
According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019).

Service
The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decision was made by deputy data protection commissioner Heljä-Tuulia Pihamaa.

Supervision of the deputy data protection officer

The Outlook e-mail service in the Microsoft Office 365 environment can transfer personal data outside the EU/EEA region. At this stage, the data controller is informed and the data controller's attention is drawn to the fact that another data controller has been given guidance on the transfer of personal data to third countries in connection with the data protection commissioner's decision. In this respect, the Deputy Data Protection Commissioner directs the data controller to familiarize himself with the guidance given in the decision dnro 1509/452/18 issued by the Data Protection Commissioner on 30 December 2021. This matter regarding the transfer of personal data to third countries is still pending at the data protection commissioner's office and will be resolved in the near future in connection with the aforementioned matter.

In this decision, the Deputy Data Protection Commissioner has not evaluated the grounds for processing students' personal data in the e-mail system of the basic education organizer or in other digital services used by the data controller. In this regard, the Deputy Data Protection Commissioner also draws the data controller's attention to the Data Protection Commissioner's decision no. 1509/452/18.

The security ban is regulated in the Act on the Population Information System and the Certificate Services of the Digital and Population Information Agency (661/2009). This decision does not assess how the security ban granted to the student affects the creation of an email address and the visibility of the address.

In connection with another matter, the Deputy Data Protection Commissioner has received information from the data controller that in a certain city the address book is completely hidden and the students' information will therefore not appear in the address book when basic education is organized for other e-mail users. In this connection, the Deputy Data Protection Commissioner states as a general note that teachers and students usually have the opportunity to make their own personal address books.

The use of electronic services also involves matters related to the protection of files created by students, which the deputy data protection commissioner has not clarified in more detail in connection with the handling of this matter. The Deputy Data Protection Commissioner draws the data controller's attention to the obligation to protect personal data and to the fact that the data protection regulation obliges the data controller to ensure that sufficient instructions have been given on the processing of personal data and that the processing of personal data is monitored.

This guidance of the Deputy Data Protection Commissioner cannot be changed by appeal.