In-service Programme 2020/2021 Data Protection for Principals, Deputy Principals and Clerical Officers

Slides: 32

The Goal
• I want to build your knowledge to help you in your role when it comes to Data Protection matters
• Help you prioritise the key areas of the GDPR
• Provide tools to support you within your school

Agenda
• Why Data Protection Matters
• The Principles of Data Protection
• Accountability in Schools – Policies, Documentation and Procedures
• Data Breaches

What is the GDPR
General Data Protection Regulation, enforceable since 25 May 2018.
• Replaced the previous EU Directive and our Data Protection Acts 1988 and 2003
• Harmonisation of Data Protection Law in Europe – member states enact the law through their own Data Protection Acts and have the right to implement more specific legal requirements
• Global application
• GDPR brings the law on protecting the right to privacy of individuals right into the 21st century and the digital age

Why it matters
Legally:
• “Citizens’ fundamental rights and freedoms” – Council of Europe
• Unenumerated Right to Privacy in the Irish Constitution – upheld by the Supreme Court in McGee
• A fundamental human right – Articles 7 & 8 Charter of Fundamental Rights of the European Union

Why it matters
Ethically:
• Individuals trust organisations with their most personal information – contact details, PPS number, bank account details
• Children’s information (under 18s) – DOBs, PPS numbers
• Ethical concerns around children’s data and consent. Higher standard of care owed to children.

Why it matters
• 83% of breaches relate to unauthorised disclosures. Source: Data Protection Commissioner’s Annual Report for 2019
• Majority of breaches reported by the Private Sector. Source: Data Protection Commissioner’s Annual Report for 2016

Data Protection Principles
Scope of GDPR: “The GDPR applies to the processing of personal data … which form part of a filing system or are intended to form part of a filing system”
“Personal data” means data relating to an identified or identifiable natural person (‘data subject’).
“Special Category Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. (Could include SEN data)

Data Protection Principles
“Data Controller” means the individual or organisation who alone or jointly with others determines the method and the means of data processing, e.g. Board of Management
“Data Processor” means the individual or organisation who processes personal data on behalf of a data controller, e.g. IT services (Advanced Software, VSware), payroll providers

Data Protection Principles
1. Data must be obtained legally, fairly and transparently
• A legal basis is required for obtaining personal data. There are 6 permitted legal bases for processing:
  1. Consent – only one of the 6 permitted legal bases, and possibly the weakest on which to rely
  2. The performance of a contract
  3. Compliance with a legal obligation
  4. To protect the vital interests of a data subject or another natural person
  5. The performance of a task carried out in the public interest – COVID
  6. Pursuing the legitimate interests of the data controller or a third party, except where such interests are overridden by the rights and freedoms of the data subject
• Individuals should be fully aware of the extent of your use of their data – privacy statements, data protection policies.

Data Protection Principles
2. Purpose Limitation
• Schools and staff must understand the extent of the purpose for gathering and retaining personal data.
• Cannot use it for any further processing without consent.

Data Protection Principles
3. Data Minimisation
• Data gathered must not be irrelevant or excessive to the purpose – admission forms drafted in consideration of this

Data Protection Principles
4. Integrity and Confidentiality
• Passwords on laptops, phones, Excel spreadsheets.
• Security of networks and servers.
• Risks associated with poor security practices, including taking files and equipment off site – see ACCS Guidance Note “Updated Security and Privacy – Working Remotely and Distance Learning 25.01.21”
• Paper files in locked, fireproof cabinets? Building security?

Data Protection Principles
5. Accuracy
• An obligation to keep data accurate and up to date.

Data Protection Principles
6. Storage Limitation
• Statutory retention periods
• Retention Policy

Data Protection Principles
7. Data Subjects’ Rights
• Subject Access Requests are the most common
• Have a procedure for handling Data Subject Requests in compliance with the law – see ACCS website

Data Protection Principles
Data Subjects’ Rights

Data Protection Principles
8. Accountability
• Codified by the GDPR
• Demonstration of compliance
• Appropriate technical and organisational measures to demonstrate that the processing is performed in accordance with the regulation

Accountability
Demonstration of Compliance – how?
• Data Protection Policy
• Website Privacy Statement
• Website Cookie Policy and permissions – DPC review
• Data Retention Policy
• Procedures for handling requests
• Procedures for handling data breaches
• Data Breach Register
• CCTV Notice
• Data Protection Impact Assessments (DPIA) – e.g. use of biometrics
• Contracts with Data Processors
• Practice on the ground

Accountability
Templates for a Data Protection Policy, a Data Retention Policy, and for handling Data Breaches and Data Subject Rights are on the ACCS website:

Accountability
Remainder of documents available from myself – more bespoke for what your school is doing
• Website Privacy Statement
• Website Cookie Policy and permissions
• CCTV Notice
• DPIAs
• Contracts with Data Processors
• Data Breach Register – a log of breaches and how you managed them

Data Breaches
• 83% of breaches relate to unauthorised disclosures. Source: Data Protection Commissioner’s Annual Report for 2019
• Majority of breaches reported by the Private Sector – still the case.
• A total of 6,673 valid data protection breaches were recorded by the DPC in 2020, representing an increase of 10% (604) on the numbers reported in 2019 – DPC Annual Report 2020

Data Breaches
“The DPC also saw an increase in the use of social engineering and phishing attacks to gain access to the IT systems of controllers and processors… it is evident that organisations are not taking proactive steps to monitor and review these measures, or to train staff to ensure that they are aware of evolving threats.”

Data Breaches
Not all incidents will be breaches, as per the GDPR definition: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
You need to assess the incident (see Data Breach Procedure) and decide whether it is a) a breach at all; and b) serious enough to meet the requirement for notifying the DPC.

Data Breaches
If a notification is made to the DPC they will assess it and take into consideration, amongst other things: “whether (the affected data subjects) are children or vulnerable persons — and characteristics of the data controller and/or processor, such as statutory responsibilities or processing of other types of personal data, can be highly significant”

Data Breaches
Organisational and technical measures in the school will be considered in mitigation.
The DPC has power to issue fines: Tusla was fined €75,000 in May in relation to 3 cases of unauthorised disclosure of children’s data.

Data Breaches in Schools
8% of matters I dealt with from March 2020 to February 2021 related to data breaches. I’m already seeing an increase so far since March 2021 compared to the same time last year. The most common one is the incorrect email address.

Potential Data Breach in a School

Data Breaches
Case Study 5: Attendance Monitoring and Facial Recognition at a secondary school (Direct Intervention)
• The DPC met with members of staff and the Board of Management. The DPC outlined the data protection issues surrounding the use of biometric data, specifically facial recognition technology, in an educational environment, including processing the data of minors.
• The DPC referred to the Swedish data protection authority’s first fine under GDPR, concerning a trial project in a secondary school where facial recognition technology was used to register student attendance.
• The DPC stepped through the definition of biometric data and highlighted the GDPR principles of purpose limitation and data minimisation; Article 9 — sensitive data; and Articles 35 and 36 — Data Protection Impact Assessment (DPIA) and prior consultation.
• Subsequent to the meeting, the school provided the DPC with a full written report on the matter, including confirmation that it did not proceed to trial the attendance monitoring product in question. European data protection authorities have traditionally adopted strong positions with regard to facial recognition in schools and the use of biometric attendance systems in the education sector.
• In Ireland, the DPC regularly conducts inspections of schools where reports of biometric attendance systems or trials are received. The DPC considers that exposure to intrusive methods of surveillance without sufficient legal basis or justification can desensitise students at a young age to such technology and lead to them ceding their data protection rights in other contexts also.

Digression
Children’s Fundamentals – the DPC asked for submissions from stakeholders on a draft set of fundamentals for a child-oriented approach to data processing. ACCS made a submission.

Data Breaches

Thank you
Any questions?
083 3474562
htreacy@accs.ie