GDPR: Impact on the Education Sector · 2018-03-01

GDPR: Impact on the Education Sector 8 February 2018 ©Rollits LLP 2018. All rights reserved.

Tom Morrison

Introduction

Today’s session

• GDPR – history and overview

• Preparing for the GDPR – 8 actions to take now

• Student data and direct marketing

• Data breaches

• Notification requirements

GDPR – history and overview

• Data Protection Acts - 1984 and 1998

• Associated legislation - e.g. PECR

• Step change in enforcement regime

• Plans for modernisation and harmonisation

• Recession

• The General Data Protection Regulation

• The go-live date is set: 25 May 2018

• Who does it apply to? You

• Does Brexit mean we can relax? Absolutely not

Preparing for the GDPR:

8 Steps to take now

Definitions

• Processing

• Controller - the college

• Processor - e.g. payroll provider

• Personal Data - student information, parent information, staff records

• Special Categories of Personal Data

Principles

1. Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

2. The controller (i.e. the college) shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Step 1 - Designate someone to take responsibility for data protection compliance

Appointing a Data Protection Officer is mandatory for colleges under the GDPR

Data Protection Officers

• Details of the DPO to be published and provided to the ICO

• DPO is not personally responsible for compliance with the GDPR

• DPO’s role is to foster a data protection culture within the college by raising awareness, staff training, audits

• Monitor the college’s compliance with the GDPR

• Required to have “expert knowledge on data protection law and practices”

• Need to be involved in all issues relating to the protection of personal data

• Must be independent

Step 2 - Identify what personal data the college processes

• What information does your college hold that constitutes personal data?

• How is that personal data collected?

• Where is such personal data held (is any data held by third parties)?

• What does your college do with the personal data it holds?

• What data does your college actually need in order to carry out these processes?

• What security is in place to protect the personal data?

• Is all personal data collected necessary?

• Is your college creating derived or inferred data about people?

• Is your college likely to do other things with the personal data in the future?

• Does your college share personal data with any third parties? If so, are there any agreements in place with those third parties?

Step 3 - Establish and record the lawful basis upon which personal data is collected

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.*

*Colleges will not be able to rely on this ground when performing a public function.

Consent

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he, or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Consent must be…

• Verifiable

• Clear and prominent

• Granular

• Separate from other terms and conditions

• As easy to withdraw as it is to give

Consent is only appropriate if it provides real choice and control. If not, another legal basis is required. Consent will often not be the appropriate legal basis for colleges processing personal data.

Special categories of personal data

• Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited unless:

(a) explicit consent of the data subject has been obtained;

(b) Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement

(c) Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent

(d) Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent

(e) Processing relates to personal data manifestly made public by the data subject

(f) Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity

(g) Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards

(h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

(i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices

(j) Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes

Step 4 - Communicating privacy information

• Providing accessible information to data subjects (students, staff, parents etc.) about how their data is used is a key element of the GDPR. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

• Review privacy notices (for example, on college’s website, in letters to parents and learners, enrolment forms etc.) and, if necessary, update to ensure compliance with the GDPR.

Step 5 - Review and update DP policies and procedures

• Data protection policy - to ensure efficient and proper use of the college’s IT and communications systems and to explain both how the college handles its employees’ personal information and how employees must handle the personal information of others.

• Data breach policy - for handling and reporting data breaches within the time frames required and for establishing who needs to be informed.

• Retention and destruction policies. Such policy should be consistent with the privacy policy.

• Data subject request policy. A procedure for handling requests made by data subjects (students, parents, staff etc.) in respect of their personal data (for example, responding to a subject access request from a parent in respect of their child).

Rights for individuals

• The GDPR provides the following rights for individuals:

The right to be informed (Articles 13 and 14 - see comments above regarding privacy policies and consent)

The right of access (Article 15 - Subject access requests)

The right to rectification (Article 16)

The right to erasure (Article 17)

The right to restrict processing (Article 18 and Article 19)

The right to data portability (Article 20) (for example, if a student moves to a new college and wishes to have their personal data transferred)

The right to object (Article 21)

Rights in relation to automated decision making and profiling (Article 22)

Step 6 - Training

• To new staff members on induction before they have access to personal data.

• Existing staff should receive regular and refresher training

• Document the procedure for ensuring that staff are appropriately trained and are made aware of your college’s policies on data protection.

• Record who attends training sessions and document how policies are complied with.

Step 7 - Review Agreements

• Data Processor Agreements - do they include the provisions required under the GDPR?

Data Processor Agreements

(a) process personal data only on documented instructions from the controller

(b) subject to confidentiality

(c) comply with the security provisions of the GDPR

(d) restrict processor from engaging another processor unless certain conditions are met

(e) assist controller to respond to requests from data subjects

(f) assist the controller in ensuring controller’s compliance with the security obligations set out in the GDPR

(g) delete or return all the personal data to the controller after the end of the provision of services relating to processing

(h) allow for and contribute to audits conducted by the controller.

Step 8 - How and when to implement Data Protection Impact Assessments

• Compulsory in certain circumstances:

“type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operation on the protection of personal data”.

• e.g. college decides to implement a new e-learning portal where students can input their personal data.

Implementation

1. Will the project involve the collection of new information about individuals?

2. Will the project compel individuals to provide information about themselves?

3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?

4. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?

5. Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.

6. Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?

7. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be private.

8. Will the project require you to contact individuals in ways that they may find intrusive?

8 Steps in Summary

1. Designate someone to take responsibility for data protection compliance

2. Identify what personal data your college processes

3. Establish and record the lawful basis upon which personal data is collected

4. Communicating privacy information

5. Review and update DP policies and procedures

6. Training

7. Review agreements

8. Work out how and when to implement Data Protection Impact Assessments

Student Data and Direct Marketing

What types of student information do you hold?

• Collected through multiple sources: paper, on-line, self-service systems, emails etc

• Student personal information

• Student progress information

• Can range from contract details, to attainment, to safeguarding issues

• Information received from third parties?

Some considerations

• Requirements of funders to obtain and disclose beneficiary information.

• Enrolment documentation/consents

• Cloud solutions

• Sharing data with Government agencies

• Subcontractors

• Subject Access Requests

• Security

• Direct Marketing

Direct Marketing - Relevant Legislation

• Data Protection Act 1998

• General Data Protection Regulation / Data Protection Act 2017

• Privacy and Electronic Communications Regulations 2003 (PECR)

• e-Privacy Regulation

Right to Object – The Current Law

S.11 DPA: An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data controller.

“Direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

Market Research? Secondary Purpose?

MoneySupermarket.com

• Sent “Terms and Conditions Update” emails to its customers

• Emails advised recipients that they had updated their T&Cs and asked recipients if they would like to reconsider receiving marketing emails and instructions on how to do this

• Direct marketing?

Current Position - PECR

PECR

• Specific rules on:

marketing calls, emails, texts and faxes;

cookies (and similar technologies);

keeping communications services secure; and

customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings

• Restricts unsolicited marketing by phone, fax, email, text, or other electronic message (usually will need specific consent of the individual)

• The rules are generally stricter for marketing to individuals than for marketing to companies

• Does not cover marketing by post but still have to comply with Data Protection Act

Unsolicited Direct Marketing

• Different rules apply to different types of communication, and also vary depending on whether the marketing is sent to an individual subscriber or a corporate subscriber.

• Individual Subscriber = a living individual, including an unincorporated body of such individuals (e.g. sole trader or partnership).

• Corporate Subscriber = a corporate body (an entity with a separate legal status).

• What about [email protected]?

Example 1: An organisation asks its customers to opt out of receiving marketing from third party organisations when its customers purchase products on its website. The wording means that by unticking the boxes the organisation will not send further information regarding the product the customer has purchased. Has the organisation obtained valid consent if the customer does not untick the boxes?

Example 2: The same organisation wishes to send marketing emails to customers on its database. It does not know whether the customers have consented to receiving marketing emails as there is a defect with the database. It emails its customers informing them of its intention and provides an option for its customers to opt out. Will this be sufficient to obtain valid consent?

Direct Marketing Individual Subscriber

Emails (includes email, text, video and picture messages)

Opt-in consent required (can opt out). Limited exception - if there is an existing commercial arrangement in respect of similar products and services can rely on “soft opt-in”.

Automated calls

Opt-in consent required (can opt out)

Live Calls

Consent not required but can opt out and must screen against the Telephone Preference Service (and would still need lawful basis under DPA if targeting specific individuals - i.e. opt-in or opt-out consent). If not targeting individuals then DPA would not apply.

Fax

Opt-in consent required and can register on the fax preference service

Post (DPA not PECR)

Lawful basis under DPA if targeting specific individuals - i.e. opt-in or opt-out consent. Individual can opt-out. If not targeting individuals then DPA would not apply.

Direct Marketing Corporate Subscriber

Emails (includes email, text, video and picture messages)

Consent not required but recommended that corporate subscribers can opt out.

Automated calls of communications

Opt-in consent required (can opt out)

Live Calls

Consent not required but can opt out and must screen against the Corporate Telephone Preference Service

Fax

Consent not required but can opt out and must screen against the Fax Preference Service.

Post (DPA not PECR)

Can send post to corporate subscribers but if sent to any individual that individual can opt out

Soft Opt-In (current law)

Requirements:

1. Individual’s details are obtained in course of a sale/negotiations for a sale

2. Marketing email content relates to similar products and/or services

3. Identity of the company sending the marketing email not concealed

4. Opt-out on bottom of email

Example:

Individual provides organisation with their details when purchasing a CD or entering into negotiations with that organisation to purchase a CD. The organisation can email that individual with information on other CDs which they might be interested in so long as the individual can opt out and the organisation identifies itself in the email.

What about sending information on a book?

E-Privacy Regulation Changes

• Soft opt-in still an option but only applies to sales and not negotiations. “Clear affirmative act”?

• Reference to individual and corporate subscribers. No clarification – how will this impact upon the tables on the earlier slides?

• Unclear picture at moment

• Focus on legitimate interests and consent

Data Breaches

Potential consequences of breach - DPA 1998

• ICO Enforcement Notice / Undertaking / Information Notice

• Criminal Offence - e.g. failing to comply with ICO Enforcement Notice

• Personal liability for directors and trustees

• Individual liability for unlawfully accessing personal data

• Damages for damage and/or distress

• Reputational risks

• ICO fine (maximum limit to be increased under GDPR)

All of the above will remain relevant under GDPR

Recent Enforcement Action – Direct Marketing

• Home Logic UK Limited – TPS (£50,000)

• Moneysupermarket.com – email without consent (£80,000)

• Provident Personal Credit – one million nuisance texts (£80,000)

• Keurboom Communications – 99.5 million automated calls (£400,000)

• Cancer Research – wealth ranking and finding additional data without consent (£16,000)

• Flybe – ‘service’ email to 3.3 million customers without consent (£70,000)

New Financial Penalties Under GDPR

• Two ‘tiers’ of fine, which depend on the nature of the breach

• Tier 1 - ‘less serious’ breaches such as failures in relation to internal records, data protection officers, processor contracts and breach notification. Maximum fine (per breach) = EUR10 million or (if higher) 2% of annual worldwide turnover.

• Tier 2 - ‘more serious’ breaches such as failures in relation to data protection principles (including security), consent requirements, subject access and data transfers abroad. Maximum fine (per breach) = EUR20 million or (if higher) 4% of annual worldwide turnover.

Relevant Factors re Financial Penalties

• Nature, gravity and duration of breach

• Any intent/negligence

• Any mitigation of damage

• Extent of security measures pre-breach

• Any relevant previous breaches/enforcement action

• Extent of co-operation with ICO

• Type of data affected

• Was breach proactively notified?

• Other factors - e.g. financial benefits gained by breach

Comparison of Data Protection fines

• Independent report by NCC Group

• For illustration only - unlikely to directly translate, but a (very) theoretical comparison of DPA > GDPR

• Contractor security failures - £200,000 > £6.8m

• Email sent to wrong person - £150,000 > £5.1m

• Failure to process fairly and lawfully - £180,000 > £6.2m*

*assuming no 90% discount applied to charities in those particular cases

• Laptop stolen from house - £15,000 > £515k

• Failure to security-check software - £400,000 > £59m

Notification Requirements

Breach Notification Requirements

• Current position = notifying ICO and/or data subjects can be good practice but is not generally a legal requirement

• Under GDPR: Controllers must notify ICO of breaches within 72 hours of becoming aware unless the breach is unlikely to result in a risk to the affected individuals’ rights and freedoms

Controllers must also notify affected individuals “without undue delay” if the breach is likely to result in high risk to their rights and freedoms

Breaches in relation to special categories of personal data and financial personal data will likely need to be notified to both

Risks of Failing to Notify Breach

• Fine of up to EUR10 million or (if higher) 2% of annual worldwide turnover

This excludes any additional penalties for the original breach, which could also warrant a fine

Tom Morrison

07984 051116 [email protected]

Thank you for your time