Many organisations will have had to modify existing solutions and services or install and commission new systems and services to facilitate remote working. Whether the chosen solutions were expanded, modified or brand new, your organisation needs to ensure that they adhere to current data protection regulations and standards.The introduction of new technologies, whether adopted at a rapid pace or in a considered manner, can open up your network to vulnerabilities, both technically and operationally. There are a series of checks and balances that need to be undertaken to ensure that your organisation has applied the due care and due diligence expected of your staff and the wider school community when processing their data.
Your school’s Record of Processing Activities (RoPA) is up-to-date.
One of the first steps is to look at your Records of Processing Activities (RoPA). All existing and new processes need to be captured within your organisation's RoPA. The editing and mapping of the latest and revised processes will identify areas of privacy risk.
Some of the most common areas where organisations find security loopholes within processes are:
- Specific users or departments are copying data to and from personal, unencrypted removable media drives for ease of transportation or because users are uncomfortable or not confident in the use of cloud technologies.
- Specific users or departments are following processes but leaving downloaded PDFs, documents, files or folders on laptop desktops, local drives on unencrypted mobile devices.
- Transportation of hardcopy data in unsecured, unmanaged or monitored (sign in, sign out) carriers outside of the school premises.
- Storage of hardcopy data is kept in inappropriate or unsecured internal locations on or off-premises.
- Unknown or undefined data retention times within new products or services.
- Improper access to systems or files through privilege creep in or provision of excessive or unnecessary permissions, rights and privileges.
High-risk processing activities that require a more detailed assessment have been identified.
Throughout the process mapping, you will also identify areas of high-risk processing where a more detailed assessment must be carried out. These comprehensive assessments must be carried out on any new solutions that have been implemented or expanded or those processes that provide a heightened risk to personal data. The EU General Data Protection Regulation (GDPR) references these detailed assessments as Data Privacy Impact Assessments (DPIAs), and organisations within the EU will have started using the criteria outlined in the GDPR to identify processes that require a DPIA. Some regulations will refer to them as Privacy Impact Assessment (PIA), and others will outline that data controllers have a duty of care to ensure that processors provide appropriate security measures. It is the controllers responsibility to ascertain if processors maintain and adhere to the proper safety and security standards.
Register for a free 30-day trial of the 9ine App and transform the way you manage data privacy and protection.
New processors requiring a Data Processor Assessment have been identified.
The EU GDPR acted as a catalyst for many countries around the world to introduce modern privacy rule. Leading up to the introduction of the GDPR, an advisory body was formed with a representative from the Data Protection Authority of each EU Member State, the European Data Protection Supervisor and the European Commission. This body was formed to provide expert advice and promote the consistent application of the data protection directive. This group was the Article 29 Working Party (Art. 29 WP). The whitepaper, Guidelines on Data Protection Assessment (DPIA) and determining whether the processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, outlines some very clear practical steps for identifying high-risk processes, which include (but are not limited to) the below nine criteria:
- Evaluation or scoring
This includes profiling and predicting, especially from “aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements”.
- Automated-decision making with legal or similar significant effect
E.g. processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person”.
- Systematic monitoring
E.g. processing used to observe, monitor or control data subjects, including data collected through networks or “systematic monitoring of a publicly accessible area”.
- Sensitive data or data of a highly personal nature
This includes special categories of personal data as defined by your local regulation. In practice, this applies to medical and health information, ethnicity, religious belief, sexual orientation and can vary from regulation to regulation.
- Data processed on a large scale
What constitutes large-scale, has not been defined. However, the WP29 recommends that the following factors be considered when determining whether the processing is carried out on a large scale:
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity
- the geographical extent of the processing activity
- Matching or combining datasets
E.g. originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
- Data concerning vulnerable data subjects
The processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights. Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees, more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, or the elderly, patients, etc.), and in any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.
- Innovative use or applying new technological or organisational solutions
E.g Combining the use of fingerprint and face recognition for improved physical access control. The use of new technology can trigger the need to carry out a DPIA. This is because the use of such technology can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms.
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”.
This includes processing operations that aim at allowing, modifying or refusing data subjects’ access to a service or entry into a contract.
In some cases, you may determine that you require a more detailed assessment (DPIA) without the process falling under any of the above areas or being sent to a 3rd country where there is no appropriate adequacy agreement. Ultimately to determine if a new process or technology is high-risk, you need to establish the likelihood and severity of harm that the process could have on the individual/s if the process were to become compromised.
Processors who operate in countries without an adequacy agreement have been identified.
Some of the modified processes or implementation of technologies will require that your data subjects are informed of the change of use of their data at the point of collection. As you review the revised processes you need to ensure any change of use of the data has been captured and is reflected in the appropriate privacy notices.
Privacy notices, where appropriate, have been updated to inform data subjects.
An organisation needs to ensure that the appropriate due care and diligence is undertaken when dealing with personal data. Any event that forces the change of processes and/or the implementation or expansion of technologies introduces risk. Performing a thorough assessment of all changes to ensure they adhere to modern data privacy standards is crucial in both protecting your user’s personal data and the reputation of the organisation.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.
Share this blog