2020 School Predictions: Data Protection & Cyber Security
Technology is transformative. In 2020 schools and universities worldwide are dependent on the IT infrastructure that supports them. As schools...
Many organisations will have had to modify existing solutions and services or install and commission new systems and services to facilitate remote working. Whether the chosen solutions were expanded, modified or brand new, your organisation needs to ensure that they adhere to current data protection regulations and standards.
The introduction of new technologies, whether adopted at a rapid pace or in a considered manner, can open up your network to vulnerabilities, both technically and operationally. There is a series of checks and balances that need to be undertaken to ensure that your organisation has applied the due care and due diligence expected of it by your staff and the wider school community when processing their data. One of the first steps is to look at your Records of Processing Activities (RoPA). All existing and new processes need to be captured within your organisation's RoPA. Editing and mapping the latest and revised processes will identify areas of privacy risk.
Some of the most common areas where organisations find security loopholes within processes are:
Throughout the process mapping, you will also identify areas of high-risk processing where a more detailed assessment must be carried out. These comprehensive assessments must be carried out on any new solutions that have been implemented or expanded, and on those processes that present a heightened risk to personal data. The EU General Data Protection Regulation (GDPR) refers to these detailed assessments as Data Privacy Impact Assessments (DPIAs), and organisations within the EU will have started using the criteria outlined in the GDPR to identify processes that require a DPIA. Some regulations refer to them as Privacy Impact Assessments (PIAs), and others set out that data controllers have a duty of care to ensure that processors provide appropriate security measures. It is the controller's responsibility to ascertain whether processors maintain and adhere to the proper safety and security standards.
The EU GDPR acted as a catalyst for many countries around the world to introduce modern privacy rules. Leading up to the introduction of the GDPR, an advisory body was formed with a representative from the Data Protection Authority of each EU Member State, the European Data Protection Supervisor and the European Commission. This body was formed to provide expert advice and promote the consistent application of the data protection directive. This group was the Article 29 Working Party (Art. 29 WP, or WP29). Its guidance, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, outlines some very clear practical steps for identifying high-risk processes, which include (but are not limited to) the nine criteria below:
1. Evaluation or scoring: this includes profiling and predicting, especially from “aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements”.
2. Automated decision-making with legal or similar significant effect: e.g. processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person”.
3. Systematic monitoring: e.g. processing used to observe, monitor or control data subjects, including data collected through networks or “systematic monitoring of a publicly accessible area”.
4. Sensitive data or data of a highly personal nature: this includes special categories of personal data as defined by your local regulation. In practice, this applies to medical and health information, ethnicity, religious belief and sexual orientation, and can vary from regulation to regulation.
5. Data processed on a large scale: what constitutes large-scale processing has not been defined. However, the WP29 recommends that the following factors be considered when determining whether processing is carried out on a large scale: the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration or permanence of the processing activity; and the geographical extent of the processing activity.
6. Matching or combining datasets: e.g. data originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
7. Data concerning vulnerable data subjects: the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or to exercise their rights. Vulnerable data subjects may include children (who can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees, more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, the elderly, patients, etc.), and any case where an imbalance between the position of the data subject and that of the controller can be identified.
8. Innovative use or applying new technological or organisational solutions: e.g. combining the use of fingerprint and face recognition for improved physical access control. The use of new technology can trigger the need to carry out a DPIA, because such technology can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms.
9. Processing that itself prevents data subjects from exercising a right or using a service or a contract: this includes processing operations that aim at allowing, modifying or refusing data subjects’ access to a service or entry into a contract.
In some cases, you may determine that you require a more detailed assessment (DPIA) without the process falling under any of the above areas or involving a transfer to a third country where there is no appropriate adequacy agreement. Ultimately, to determine whether a new process or technology is high-risk, you need to establish the likelihood and severity of the harm that the process could cause to the individual(s) if it were to become compromised.
Some of the modified processes or newly implemented technologies will require that your data subjects are informed of the change of use of their data at the point of collection. As you review the revised processes, you need to ensure that any change of use of the data has been captured and is reflected in the appropriate privacy notices.
An organisation needs to ensure that appropriate due care and diligence is undertaken when dealing with personal data. Any event that forces a change of processes and/or the implementation or expansion of technologies introduces risk. Performing a thorough assessment of all changes to ensure they adhere to modern data privacy standards is crucial both to protecting your users’ personal data and to protecting the reputation of the organisation.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.