GDPR and education part 2

A presentation at GDPR & Education part 2 in October 2018 in Antrim BT41, UK by Simon Whittaker

Slide 1

GDPR & Education part 2

Slide 2

Vertical Structure - Prepare, Protect, Persist®
• Prepare
  • We help you and your partners to understand how to identify and resolve potential security issues at the earliest stages with hands-on 'hack yourself first', threat modelling and GDPR compliance workshops, as well as security training for non-technical colleagues.
• Protect
  • Using automated and manual penetration testing techniques, we provide a comprehensive security report for your web and mobile applications, including API testing, and networks. The report highlights potential issues and their resolutions.
• Persist
  • We ensure that your organisation benefits from continual improvements in security levels through information assurance processes, auditing and certification, including ISO 27001:2013 and Cyber Essentials.
© Vertical Structure Ltd where applicable [email protected]

Slide 3

Simon Whittaker
• Parent Governor at Holywood Nursery School & St Patrick's Primary School
• Security consultant/tester

Slide 4

GDPR – some of the details
• What is it?
• When does it come into effect?
• Small organisations
• GDPR in Education
• What do I need to do?

Slide 5

Disclaimer
• This is not meant as a substitute for legal advice on particular issues, and action should not be taken on the basis of the information in this document alone.
• Vertical Structure Ltd make no warranty, representation or guarantee, express or implied, as to the information contained.

Slide 6

What is it?
• The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
  • Directly applicable in the UK and supplemented by the Data Protection Act 2018
• Replacement for the 1995 Data Protection Directive
  • Officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  • Enacted in the UK as the Data Protection Act 1998
  • Basic compliance required registration with the ICO in the UK
• Designed to help protect personal data
• Legislating common sense

Slide 7

What was wrong with the Data Protection Act?
• Designed for 1998, not 2018
• No understanding of the current world:
  • Distributed web applications
  • Cloud environments
  • Big data, including sharing across borders
• Enforcement tends to be on self-reported incidents
• Large number of fines for charities and public bodies
• Inconsistencies across member nations

Slide 8

When did it come into effect?
• Enforced from 25th May 2018

Slide 9

• "GDPR is an evolution in data protection, not a total revolution. GDPR is building on foundations already in place for the last 20 years."
  • Steve Wood – Deputy Commissioner for Policy, ICO
• Evolution, yes, but also revolution

Slide 10

GDPR & small organisations – does this even apply to me?
• Article 30(5) of the regulation declares that: "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons"

Slide 11

Unless…
• "the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10"
• In addition, if an organisation's processes routinely deal with personal data, then that organisation should abide by the regulation.

Slide 12

Basically
• Yes
• As a rule of thumb, the ICO has stipulated that any business which is affected by the Data Protection Act (DPA) will also be affected by the GDPR.
• The GDPR should, in fact, be seen as an enhanced version of the UK's own DPA.

Slide 13

Some important points
• What counts as personal data/sensitive personal data?
• Data processor vs data controller
• Lawful basis for processing
• Rights of the data subject
• Data defence
  • Why do you have this data?
• Data portability
• Subject Access Requests
• Breach notification
• Passing on of data to someone else
• Territoriality
• Enforcement

Slide 14

Definitions
• Data Subject
  • A natural person
  • Any identifiable person in the EU, whatever their nationality or residence (not only citizens of a member state)
• Data Controller
  • Organisation that collects data
  • Responsible for determining the purposes, conditions and means of processing personal data
• Data Processor
  • Processes data on behalf of the data controller
  • Service provider such as a hosting provider or cloud provider
  • Data processors can now be subject to direct enforcement

Slide 15

What counts as personal data?
• Any information relating to an identified or identifiable natural person (the data subject). This is just a sample of what could be personal data:
  • Name
  • Birthdate
  • Address
  • Mobile device ID
  • Social media posts
  • Photos
  • IoT-collected data
• Personal data is owned by the individual, not the organisation holding it
• Paper and electronic records are equally covered, provided the data is organised (part of a filing system)

Slide 16

Sensitive personal/Special Category data
• Race;
• Ethnic origin;
• Politics;
• Religion;
• Trade union membership;
• Genetics;
• Biometrics (where used for ID purposes);
• Health;
• Sex life; or
• Sexual orientation.

Slide 17

Lawful Basis for Processing • Consent • Contract • Legal Obligation • Vital Interests • Public Task • Legitimate Interests

Slide 18

Consent
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement."
• Consent must be freely given: the data subject must be able to say no
• Consent must be specific and intelligible: what exactly is the processor doing?
• Informed: all purposes the data will be used for
• Consent must be unambiguous: a "clear affirmative action" to signify consent

Slide 19

Consent for sensitive data & children's data
• Must be explicit
  • "Yes, I agree to my sensitive personal data being used as described here"
• "Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child"
• Processing can only be performed if consent is provided by the parent (the threshold varies by member state and can be anywhere between 13 and 16; the UK has set it at 13)

Slide 20

Consent for pictures
• [Example 4] A public school asks students for consent to use their photographs in a printed student magazine. Consent in these situations would be a genuine choice as long as students will not be denied education or services and could refuse the use of these photographs without any detriment.

Slide 21

Photos and the DPA 2018
• The Data Protection Act is unlikely to apply in most cases where photographs or videos are taken in schools and other educational institutions.
• If photos are taken for personal use they are not covered by the Act.
• Photos taken for official school use may be covered by the Act, so pupils and students should be advised why they are being taken.

Slide 22

Personal Use
• A parent takes a photograph of their child and some friends taking part in the school Sports Day to be put in the family photo album. These images are for personal use and the Data Protection Act does not apply.
• Grandparents are invited to the school nativity play and wish to video it. These images are for personal use and the Data Protection Act does not apply.

Slide 23

Official Use
• Photographs of pupils or students are taken for building passes. These images are likely to be stored electronically with other personal data and the terms of the Act will apply.
• A small group of pupils are photographed during a science lesson and the photo is to be used in the school prospectus. This will be personal data but will not breach the Act as long as the children and/or their guardians are aware this is happening and the context in which the photo will be used.

Slide 24

Media Use
• A photograph is taken by a local newspaper of a school awards ceremony. As long as the school has agreed to this, and the children and/or their guardians are aware that photographs of those attending the ceremony may appear in the newspaper, this will not breach the Act.

Slide 25

Correct lawful basis for processing
• Consent is not always the best basis
• Contract
• Legal Obligation
• Vital Interests
• Public Task
• Legitimate Interests

Slide 26

Consent vs Legitimate Interest
"The processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data..."
"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." (Recital 47)
• If you want to use the legitimate interest condition then you should:
  • Consider your rationale carefully
  • Be able to justify it – document it!
  • Demonstrate that you aren't overriding an individual's rights
  • Consider whether processing the data to send direct marketing is within their reasonable expectations
• The Institute of Fundraising have a great guide
  • http://vsltd.co/iofGDPRGuide

Slide 27

The right to erasure/right to be forgotten
• The data subject may request erasure of their data when there is no compelling reason for it to be retained
• Must be erased if they withdraw consent and no other lawful basis applies
• Must be erased if they request it and no exemption applies
• Not an absolute right to erasure
• Must be erased if the processing is found to be unlawful
• Data may only be used for the purposes for which it was given

Slide 28

Right to erasure
"I want my child's school history deleted"
"I want my employment history deleted"

Slide 29

Data Defence – why do we need this data?
"personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"
• Don't collect data you don't actually need
  • Is birthdate a required field when purchasing something from an online store? Why?
• How long do we store it?
  • Backups
  • Spreadsheets
• Where do we store it?
  • CRM systems
  • Spreadsheets
  • Laptops – encrypted?
• Why are we retaining it?

Slide 30

The right to be informed & Subject Access Requests
• The data subject may obtain confirmation that their data is being processed and gain access to the data itself
• Must normally be free
• Can charge for repeated identical requests, but only a limited amount: "…where the request is manifestly unfounded or excessive you may charge a 'reasonable fee' for the administrative costs of complying with the request."

Slide 31

Subject Access Request

Slide 32

Time to comply with Subject Access Requests
"You must act on the subject access request without undue delay and at the latest within one month of receipt."
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

Slide 33

Breach Notification
Under the Data Protection Act 1998: "although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO."
https://ico.org.uk/for-organisations/report-a-breach/
• Under GDPR:
  • Breaches of personal data need to be reported as soon as possible (where they meet the notification criteria)
  • Ideally within 24 hours
  • Certainly within 72 hours of becoming aware
• Must be clear about:
  • What's been lost
  • How it happened
  • Potential impacts
  • Mitigations you have put in place

Slide 34

Breach Notification Process
• Breach notification/recognition
  • How? What are the signs?
  • Incidents include loss of data, not just theft or compromise
• Assign responsibility for management/investigation/closure
  • Who's in charge?
  • Escalation required? Who is the escalation point of contact?
  • Identification of the supervisory authority
• Assessment
  • Indicators of compromise? Scale?
• Definition: is this a personal data breach?
  • Is the data classified as "personal"?
  • Was personal data accessed by an unauthorised third party?
  • Was personal data sent to an incorrect recipient?
  • Were computing devices containing personal data stolen or lost?
  • Has personal data been altered without permission?
  • Is personal data no longer available?
  • No to all of the above: this is probably not a personal data breach
  • Yes to any of the above: this is probably a personal data breach; establish the likelihood and severity of the resulting risk to people's rights and freedoms
• ICO notification
  • Is there a risk to people's rights and freedoms? Yes: this needs to be notified to the ICO within 72 hours of becoming aware. No: this probably doesn't need to be notified to the ICO
  • The notification must include: categories and approximate numbers of individuals; categories and approximate number of personal data records; name and contact details of the DPO/contact point; likely consequences of the breach; measures taken or proposed to be taken to deal with the breach and mitigate adverse effects
  • Call the ICO on 0303 123 1113
• Individual notification
  • Is the potential or actual impact of the breach high or severe? Consider:
    • Is there a loss of control of personal data?
    • Is there now a limitation of rights?
    • Is there a risk of discrimination?
    • Is there a risk of ID theft or fraud?
    • Is there a risk of financial loss?
    • Is there a risk of pseudonymisation reversal?
    • Is there damage to reputation?
    • Is there a loss of confidentiality of personal data protected by professional secrecy?
    • Any other significant economic or social disadvantage to the natural person concerned?
  • Yes: this needs to be notified to the individuals concerned, giving the name and contact details of the DPO/contact point, the likely consequences of the breach, and the measures taken or proposed to be taken to deal with the breach and mitigate adverse effects
  • No: this probably doesn't need to be notified to the individuals concerned
• Additional considerations (not GDPR related)
  • Are you a Communications Service Provider? Yes: notify the ICO under PECR within 24 hours
  • Are you a UK Trust Service Provider? Yes: notify the ICO under eIDAS within 24 hours
  • Are you an operator of essential services? Yes: notification under NIS
• Create documentation
  • Record all breaches or suspected breaches
  • Facts, effects and remedial action taken
  • Human or systemic error?
  • Recurrence prevention
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/?q=profiling
© 2018 Vertical Structure Ltd. Contains public sector information licensed under the Open Government Licence v3.0

Slide 35

Record Keeping
"Each controller, and where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility."
• Who is the controller? Name/contact details
• Purpose of processing
• Categories of data subjects AND categories of personal data being stored
• Is any of the data listed as "sensitive"?
• Who are the recipients of the data?
• Any transfers to another country or international organisation
• Time limits for erasure
• Technical & organisational security measures in place

Slide 36

CCTV – what should I know?
• Guidance is confused and confusing
• The ICO recommends following guidance issued under the Protection of Freedoms Act (POFA)
• Data captured using CCTV can be requested under a subject access request
  • Removal of personal data belonging to others may be required
• ICO guidance suggests conducting a "Privacy Impact Assessment"
  • Helps assess the requirement for CCTV
  • Could a less intrusive method be used?

Slide 37

CCTV disclosure
• Schools may disclose CCTV footage relating to an individual:
  • With third parties who are directly involved in dealing with any request, enquiry, complaint or other correspondence submitted by an individual to which the footage is relevant;
  • With third parties who are providing a school with professional advice to which the footage is relevant, where necessary for their legitimate interests and permitted by law;
  • Where a school is legally required to do so;
  • In connection with criminal investigations, legal proceedings or prospective legal proceedings to which the footage is relevant, for the related legitimate interests of a school or a third party and where permitted by law;
  • In order to establish, exercise or defend a school's legal rights where necessary for their legitimate interests and permitted by law; and
  • Where a school has stated or informed an individual otherwise.

Slide 38

CCTV steps to take
• Governance
  • Do we actually need this?
• Storage
  • How do we protect the data?
• Openness and honesty
  • Tell people that they are being surveilled
  • Tell people who is responsible for the system
• Disclosure and Subject Access Requests
  • Who can disclose?
  • When can it be disclosed?
  • Technical measures?

Slide 39

CCTV steps to take
• Retention
  • How long do we need this data for?
• Selecting and siting surveillance systems
  • Reduce the impact on the general public and others
  • Can public spaces be blocked out?
• Using the equipment
  • Access to the control room
  • Quality of images
  • Encryption
• Create a policy

Slide 40

NICS CCTV report 2016

Slide 41

Asking the questions https://www.whatdotheyknow.com/request/data_protection_impact_assessmen

Slide 42

Slide 43

Enforcement
https://ico.org.uk/action-weve-taken/enforcement/

Slide 44

Enforcement
• Two-tier system for infringements
  • Lesser incidents are subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation's global turnover (whichever is greater)
  • The most serious violations could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater)
• Fines will be:
  • Effective
  • Proportionate
  • Dissuasive
• Will take into account:
  • Gravity & duration of the infringement
  • What did the organisation do to mitigate the damage?

Slide 45

Enforcement
• TalkTalk were breached in October 2015 and in 2016 were fined £400,000 for security failings, which made national news. This fine was 0.022% of gross revenue.
• With proof of negligence and ongoing, consistent infringements this could have been ~£59 million under GDPR.

Slide 46

Other Enforcements
• Issue warnings
• Reprimands
• Force the controller to comply with data subjects' requests
• Bring processing into compliance
• Tell a data subject about a breach
• Compel erasure
• Suspension of flows to a third country
• "Stop processing" (temporary or definitive limitation)

Slide 47

Slide 48

Data Protection Officer
• Appointed by organisations "engaged in regular and systematic monitoring of individuals on a large scale" or which process data on a regular basis
• They keep the Controller and Processor in check, and one must be appointed if you:
  • Are a public authority (except for courts acting in their judicial capacity);
  • Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.

Slide 49

DPO's tasks
• Inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws
• Monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits
• Advise on, and monitor, data protection impact assessments
• Co-operate with the supervisory authority
• Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, children etc.)

Slide 50

DPO
• Take into account risk to the organisation
• Prioritise and focus on the organisation's riskier activities
  • Special categories of data

Slide 51

What is the Education Authority doing?
"subject to consultation with the Information Commissioner's Office, EA is prepared to assume the specific role of Data Protection Officer (DPO) for all schools…"
"Please email [email protected] if you would like EA to assume the DPO role for your school."
Letter from EA - 27 April 2018

Slide 52

What do I need to do?
• Protection/security by design
  • Think about security as you implement new systems
• Understand your data
• Use the resources available to you
  • http://www.eani.org.uk/about-us/ea-think-data-online-resource-hub/templates-and-guides/
• Read the FAQ and the Action Plan

Slide 53

Who, What, Why, When, Where?
• Who: whose data is being held by the organisation?
• What: what data is being held by the organisation?
• Why: why is the data being held?
• When: when is the data deleted?
• Where: where is the data held or stored?

Slide 54

GDPR Action plan
• Awareness
  • Inform staff and volunteers
• Register with the ICO
• Fill in the Information Asset Register
• Update privacy notices
• Update the data protection policy
• Ensure individuals are aware of their rights

Slide 55

GDPR Action plan
• Review consent
  • Special emphasis on children's data and special category data
• Understand data breaches and what you would do
• Develop processes which use privacy by design
  • Use Privacy Impact Assessments where possible
• Implement a Data Protection Officer
• Understand CCTV usage

Slide 56

What do schools need to do?
"The new regulation requires each school to complete an Information Asset Register (IAR)."
Letter from EA - 27 April 2018
• http://www.eani.org.uk/about-us/think-data/

Slide 57

Information Asset Register
http://www.eani.org.uk/_resources/assets/attachment/full/0/77232.xlsx

Slide 58

Some useful links
• https://ico.org.uk/for-organisations/education/education-gdpr-faqs/
• https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• https://ico.org.uk/for-organisations/data-protection-reform/getting-ready-for-the-gdpr/
• https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
• http://www.eani.org.uk/about-us/think-data/

Slide 59

Data – in general
• Visitors to the website
• Staff (current/potential/substitute)
• Suppliers
• Children
• Fundraising/Marketing

Slide 60

Data – the details (columns of the register)
• Data
• Source of data
• What do we do with this data?
• Lawful basis
• Data limitation
• Where stored?
• Action to be taken

Slide 61

Thank you, questions and feedback https://vsltd.co/NAHTPART2