GDPR and data protection Flashcards
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU-wide piece of legislation which, in Ireland, replaces the Data Protection Acts 1988-2003. GDPR contains a number of new provisions that were not in the Data Protection Acts 1988-2003; however, around 80% of GDPR mirrors the provisions of the previous legislation. GDPR enhances the individual's data privacy and data rights and builds on the obligations and responsibilities of data controllers. Prior to the commencement of GDPR, EU Member States had the opportunity to legislate for GDPR at national level. Whilst GDPR is directly applicable law and takes precedence over conflicting national legislation, Ireland's Data Protection Act 2018 gives effect to GDPR in certain specific ways in the Irish legal context.
On what grounds can personal data be processed under GDPR?
Article 6 of GDPR sets out six lawful bases; at least one must apply to each processing activity:
- Consent of the data subject
- Contractual necessity: processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one
- Legal obligation: processing is necessary to comply with a legal obligation to which the controller is subject
- Legitimate interests: the interests of the controller or a third party, where those interests are not overridden by the interests, rights or freedoms of the person the data is about (the data subject)
- Vital interests: e.g. processing needed to protect someone's life
- Public task: processing necessary for a task carried out in the public interest or in the exercise of official authority
GDPR contains two tiers of administrative fine for breaches. What are these two tiers?
For less serious breaches (e.g. failures in controller/processor obligations such as record-keeping, security measures or breach notification): up to 10 million euros, or 2% of total worldwide annual turnover for the preceding financial year, whichever is HIGHER
For more serious breaches (e.g. violations of the basic principles of processing, of data subjects' rights, or of the rules on international transfers): up to 20 million euros, or 4% of total worldwide annual turnover for the preceding financial year, whichever is HIGHER
Is GDPR an EU or UK law?
GDPR is an EU regulation. In the UK, the Data Protection Act 2018 sits alongside it and fills in the areas GDPR leaves to national law. Since the UK left the EU (from 1 January 2021), the EU GDPR has been retained in UK domestic law as the "UK GDPR", which together with the Data Protection Act 2018 forms the UK regime; in substance it is the UK version of the EU's GDPR.
Is GDPR applicable around the world?
GDPR is an EU law, but under Article 3 it also applies to organisations established outside the EU where they process the personal data of people who are in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour within the EU. What matters is that the data subject is in the EU, not their citizenship.
When did GDPR commence?
GDPR commenced across EU Member States, including Ireland, on 25 May 2018. Since that date, GDPR is the law in all EU Member States, including Ireland.
What is the minimum age for someone to give consent for the processing of their personal data under GDPR?
16 years old, for consent to online services ("information society services") offered directly to a child (Article 8). Below that age, consent must be given or authorised by the holder of parental responsibility.
Member States may lower this threshold in national law, but not below 13. Ireland's Data Protection Act 2018 keeps it at 16; the UK's Data Protection Act 2018 sets it at 13.
What are the GDPR principles?
Schools, as data controllers, are responsible for, and must be able to demonstrate, compliance with the GDPR principles (Article 5; this accountability requirement is itself treated as a principle). The principles are:
Lawfulness, fairness and transparency: there must be a lawful basis for the processing, and the data subject should know what data is collected and why the school collects it.
Purpose limitation: schools should collect data only for specified, explicit and legitimate purposes, and not further process it in a way incompatible with those purposes.
Data minimisation: schools must only process data that is adequate, relevant and limited to what is needed to achieve the processing purpose.
Accuracy: schools must take every reasonable step to ensure the data they process is accurate and, where necessary, kept up to date.
Storage limitation: schools should hold data in a form that identifies a data subject for no longer than is necessary for the purposes for which it was collected.
Integrity and confidentiality (security): schools must process data securely, using appropriate technical and organisational measures, to safeguard against unauthorised or unlawful processing and against accidental loss, destruction or damage.
What rights are granted to people by GDPR?
Data protection legislation/GDPR sets out the rights of data subjects (Articles 12-22), including:
The right of access: a data subject can obtain a copy of their own data (or, for a parent/guardian, their child's data) by making a Subject Access Request (SAR). The copy must be provided free of charge and without undue delay, and at the latest within one month of receipt of the request; this can be extended by up to two further months for complex or numerous requests, provided the data subject is told of the extension within the first month.
The right to rectification: a data subject can ask the data controller to correct inaccurate data the controller holds, e.g. if a data subject's phone number changes.
The right to be forgotten/right to erasure: a data subject can ask a data controller to erase the data the controller holds on them. This is not an absolute right and does not apply in certain circumstances, e.g. where data is being held to comply with a legal obligation, for example the rollbook/rolla.
The right to restrict processing: in certain circumstances (e.g. while the accuracy of the data is being contested), a data subject can ask a data controller to restrict the processing of their data.
The right to data portability: in simple terms, a data subject can obtain the data they provided to one data controller in a structured, commonly used and machine-readable format and have it transmitted to a new data controller.
The right to object to certain processing: a data subject can object, on grounds relating to their particular situation, to processing based on legitimate interests or public task; the controller must then stop unless it demonstrates compelling legitimate grounds that override the data subject's interests, rights and freedoms. An objection to processing for direct marketing must always be honoured.
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on the data subject.
(Source: INTO question and answer guide, InTouch supplement, September 2018. "Everyone has the right to the protection of personal data" – European Commission. GDPR came into force on 25 May 2018 and governs how personal information must be collected and processed.)
GDPR prohibits personal data being transferred to a country outside the EU/EEA except where one of the following applies:
- The destination country's data protection laws have been assessed as adequate by the European Commission (an "adequacy decision")
- Or, appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission that contractually bind the recipient to protect the personal data
- Or, Binding Corporate Rules (BCRs) have been put in place and approved by the relevant data protection authorities. BCRs are internal rules within a multinational company or group that govern personal data transfers within the group, including to non-EU countries. Even though they are internal to the particular company, BCRs need approval from the relevant data protection authorities
- Or, as a limited exception (derogation) for specific situations, explicit consent is given by the data subject after being informed of the possible risks of the transfer
- Or, as a further derogation, the transfer is necessary for the performance of a contract between the data subject and the controller
Who does GDPR affect?
GDPR affects all data subjects. An individual under GDPR is known as the ‘data subject’; that is, they are the subject of the data collected about them by the organisation. In schools, a data subject is a pupil; a parent/guardian; a teacher; a school secretary; any employee of the school. All data subjects had certain rights protected under the previous data protection legislation. GDPR enhances and builds on these rights.
What is data processing?
Processing is the legal term used to describe any operation performed on personal data, including the collection, recording, organisation, structuring, storage, alteration, use, retrieval, disclosure or transmission, restriction, erasure or destruction of information/data.
Why do we collect data? Are we entitled to collect data?
Yes, schools are entitled to collect personal data about pupils through the enrolment process and/or through expressions of interest in relation to enrolment. This is legitimate for the purposes of providing education services to pupils. Additional information may be collected from third parties, including former schools and through school activities and interaction(s) during the course of the pupil’s time at school. Schools also collect personal data about parents and guardians through the enrolment process or expressions of interest for enrolment. Additional personal data may be collected through interactions during the course of the pupil’s time at school. In addition, schools are also places of employment and so personal data is
What are processing grounds?
A processing ground is the legal reason for which data is collected, processed and retained; in other words, the legal reason why we are allowed to collect, process and retain certain data. Schools collect and process personal data about teachers, other employees, volunteers, pupils and parents/guardians for a variety of legitimate purposes and are entitled to rely on a number of legal grounds to do so. Schools require this data to perform the duties and responsibilities of the school and to comply with legal and statutory obligations. In addition, schools require this personal data to pursue the legitimate interests of the school and any dealings it may have with relevant third parties, for example the Department of Education and Skills. The legitimate interests upon which schools rely are the effective operation and management of the school; managing the education and welfare needs of pupils; the employment of teachers and other members of staff; the management of volunteers; and other approved school-related matters. Schools, generally but not exclusively, process personal data on the following lawful bases:
a. Legal obligation
Schools process personal data to comply with legal and statutory obligations, including but not limited to those under the Education Act 1998 (as amended), the Education (Welfare) Act 2000, the Employment Equality Acts 1998-2015, the Education for Persons with Special Educational Needs (EPSEN) Act 2004, the Health Act 1947, the Children First Act 2015, the Child Protection Procedures for Primary and Post-Primary Schools 2017, the Teaching Council Acts 2001-2015 and Safety, Health and Welfare at Work legislation.
b. Legitimate interests
Schools may also process personal data in order to:
enable pupils to develop to their full potential and meet their educational, social, physical and emotional requirements;
employ members of staff;
enable parents/guardians to be contacted in the case of emergency, or school closures;
inform parents/guardians of their child’s educational progress;
secure and benefit from the support and services of relevant third parties.
Further information about the lawful processing conditions of personal data is contained in Article 6 of GDPR.
What is consent?
Under GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (silence, pre-ticked boxes or inactivity do not count). It must be as easy to withdraw consent as it was to give it. The processing of some pupils' personal data requires consent. For example, the school needs to be sure that parents have consented to photographs of their child being taken by the school, which may be displayed on the school's website, on social media platforms or in the print media. Consent can be withdrawn at any time by contacting the school.
Please note: consent regarding data under GDPR is different to consent received from parents for the purposes of allowing their child attend, for example, a school trip/tour. That type of consent must still be sought in the usual way by the school, in line with advice from the school patron and/or insurer(s).
What is a data controller?
A data controller determines what data the organisation/school needs to collect, why that data is needed, how it will be collected, how it will be stored and for how long. The data controller in schools is the board of management.
Data controllers are required to store the data which they process confidentially and securely. If a personal data breach arises, the data controller, by law, must report it to the Data Protection Commission (DPC) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where notification is made later than 72 hours, the reasons for the delay must be given. This is not optional, but a legal requirement, and because the clock starts when the school becomes aware of the breach, internal reporting must be immediate.
In schools, it is advisable to create a culture of awareness and support about GDPR and data privacy. It is vital that all colleagues feel that they can report to the principal/management at the earliest opportunity if they are concerned that they may have inadvertently caused a data breach. The concern can then be assessed and, where required, reported to the DPC.
GDPR compliance at school involves looking at, or auditing, the data that is collected in the school: what data is collected, how and why it is collected, and how it is retained, updated, stored and accessed in respect of pupils, employees and third parties. It is vital to foster a conversation about data privacy awareness among staff. Whilst the onus is on the board of management as data controller, everyone who handles the data of others has a duty to be prudent in that regard. A discussion amongst staff about the types of data processed in the school and the importance of reporting any breach promptly, in a supportive culture, is advised. This may lead to changes in how the school processes (collects, retains, stores and interacts with) the data collected.
What is a data processor?
A data processor processes personal data on behalf of, and on the instructions of, the data controller; for example, a service provider to the data controller, i.e. the board of management. A good example of a data processor for schools would be a third-party provider of IT services, such as a hosted school administration or email system.
Article 28 of GDPR requires a written contract between the controller and the processor. It is important to ensure that the agreement or contract a school has in place between the data controller (board of management) and a third-party service provider sets out the following:
a. The personal data are processed only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation.
b. The third-party service provider ensures that persons authorised to process the data are bound by confidentiality, and implements appropriate technical and organisational security measures for the data being processed.
c. The third-party service provider undertakes to assist the data controller in responding to data subjects exercising their rights (e.g. by locating and supplying data for a subject access request).
d. The third-party service provider may engage subcontractors (sub-processors) only with the data controller's prior written authorisation, whether specific or general, and must impose the same data protection obligations on them.
e. Where necessary/appropriate, the third-party service provider will delete or return the data to the data controller at the end of the provision of services arrangement, unless European Union or Member State law requires continued storage of that data.
f. The processor makes available to the controller all information necessary to demonstrate compliance with these obligations, and allows for and contributes to audits.
g. The processor notifies the controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own 72-hour deadline.
Regarding the engagement of third-party data processors/service providers by a board of management, members are advised to continue to consult with their relevant school patron for advice.
What is data retention?
Data retention means holding on to data relating to a data subject. A school should only retain personal data for as long as it is necessary to fulfil the purposes the information was collected for, including any legal, accounting or reporting requirements. Some data is required, by the State, to be retained indefinitely, because of legal requirements, e.g. rollbook data. The retention period(s) of other types of data collected by the school is a matter for each individual board of management to decide. Members are advised to continue to consult with their relevant school patron and school insurers for advice in this regard.
Does my school need a data protection policy?
Yes, all organisations that process personal data require a data protection policy. If your school already has a data protection policy, that's great. However, you should check to make sure that the legislation referred to in the policy is GDPR and the Data Protection Act 2018, and not the previous legislation. If GDPR and the Data Protection Act 2018 are not reflected in your school's data protection policy, the policy will need to be reviewed. It is anticipated that most schools will need to update their data protection policy and, in this regard, please refer to the INTO website where further advice and resources are available.
Some key elements of your school’s Data Protection Policy should include:
The purpose of the policy.
The data controller’s commitment to data protection principles/rights under GDPR and the Data Protection Act, 2018.
The name of the data controller (i.e. the BOM).
The lawful basis of the processing of data.
Details of when consent is required and that it can be withdrawn.
The categories/types of pupil data collected, processed, retained, shared by the school. The categories/types of BOM data processed, retained, shared by the school.
Data security measures taken.
CCTV, including purpose and use of CCTV data in the school.
Rights of data subjects and how to access them.
Contact details for the Data Protection Commission.
All other policies which may interlink: e.g. Child Protection Policy; Anti- Bullying Policy; Code of Behaviour/ Discipline; CCTV Policy; ICT Policy; Acceptable Use Policy; SPHE Policy etc.
What is a subject access request?
A Subject Access Request (or SAR) is the same thing as a Data Access Request: a data subject can apply to a data controller to be given a copy of any information on record relating to them which is kept on computer or in a structured manual filing system operated by the data controller. In schools, teachers can make a SAR to the data controller (the board of management, as their employer) in relation to their own data only. Parents/guardians can make a SAR to the data controller on behalf of their own child. Under GDPR, a SAR can be made by writing to the data controller/board of management requesting a copy of the personal data held in relation to the data subject; the school may ask for reasonable proof of identity before releasing data, and must not disclose personal data about other individuals in the response without a lawful basis for doing so. A SAR must be complied with within one month of receipt, whether it arises during a school closure or not (the period may be extended by up to two further months for complex or numerous requests, but the data subject must be told within the first month). Failure to comply within this timeframe may be reported to the Data Protection Commission. Crucially, GDPR provides that the copy of the data is provided to the data subject free of charge, unless the request is manifestly unfounded or excessive.
Does my school use CCTV?
If your school uses CCTV, data subjects should be informed through visible and clearly legible notices inside and outside the school, identifying the school as the data controller and the purpose of the recording. While it is a good idea to have a separate CCTV policy, at the very least the use of CCTV in the school must be noted within the school's data protection policy. In addition, it is advisable to specify the basis, or purpose, for the use of CCTV. Is it for security purposes only? Is it for health and safety purposes also? Whatever the purpose, it must be specified in your policy. Please note that if CCTV is used for health and safety purposes, e.g. for investigations into bullying, data subjects are entitled to seek a copy of a recording should they wish to. Should any SAR be made in relation to CCTV, please note that, before release, the recording must be redacted/pixelated so that other identifiable individuals are obscured and only the relevant data subject is recognisable. Pixelation is a process which may incur fees, so it is a good idea to discuss this with the board of management. In addition, it is a good idea to state the retention period of CCTV recordings in the school policy, i.e. whether footage is kept for 25/28/30 days etc. before being overwritten.
What is a data breach?
A personal data breach is a breach of security that leads, accidentally or unlawfully, to personal data being destroyed, lost, altered, disclosed without authorisation, or accessed without authorisation, whether the data were being transmitted, stored or otherwise processed. Schools, as data controllers, are required to store the data which they process confidentially and securely. If a data breach does happen, or you have concerns that it may have happened, you must report your concern to your principal/the board of management immediately. The reason for the immediate reporting requirement is that the data controller, by law, must report the breach to the Data Protection Commission within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. This timeframe is not optional, but a legal requirement. Where the breach is likely to result in a high risk to the rights and freedoms of the people affected (for example, exposure of sensitive pupil records), the relevant data subjects must also be informed without undue delay. Every breach, reported or not, should be recorded internally along with the facts, its effects and the remedial action taken.
Data and privacy
Privacy and anonymity are not explicitly addressed in UK Intellectual Property law, but they may be relevant in certain situations.
For example, in the context of copyright infringement claims, the identity of the alleged infringer may be relevant in determining liability and damages. If a copyright owner believes that their work has been infringed, they may seek to obtain the identity of the alleged infringer through a court order, such as a Norwich Pharmacal order.
In this context, the privacy and anonymity of the alleged infringer may be protected by certain legal principles, such as data protection law and the right to respect for private and family life under Article 8 of the European Convention on Human Rights, given effect in the UK by the Human Rights Act 1998. However, these rights may be balanced against the copyright owner's right to protect their intellectual property.
In addition, individuals who wish to remain anonymous when engaging in certain intellectual property-related activities, such as registering a trademark or filing a patent application, may be able to do so by using a proxy or third-party representative. However, the use of proxies or third parties may not always be permitted or advisable, depending on the specific circumstances.
Social Media & Cookies
Social media and cookies are not directly related to UK Intellectual Property law, but they may have implications for intellectual property rights and data protection.
Social media platforms, such as Facebook, Twitter, and Instagram, allow users to share content, including copyrighted material. In some cases, users may infringe on the copyright owner’s exclusive rights by sharing or distributing their work without permission. In these cases, the copyright owner may be able to take legal action to stop the infringement and obtain damages.
Cookies, on the other hand, are small pieces of data that a website asks the browser to store on the user's device and send back with later requests. They can be used to keep a user logged in, but also to track user behaviour and preferences, including their interests, location and online activity. In the UK, storing or reading cookies on a user's device is regulated by the Privacy and Electronic Communications Regulations 2003 (PECR, which implement the EU ePrivacy Directive): consent is required for any cookie that is not strictly necessary to provide a service the user has requested, and it must be obtained before the non-essential cookies are set, not afterwards. The General Data Protection Regulation (GDPR), and the UK GDPR, set the standard that this consent must meet and govern the personal data the cookies are used to collect.
In the context of intellectual property, cookies may be used to collect data on users’ online behavior and preferences, which can be used to target advertisements and promotional content. This may have implications for trademark and branding, as well as for copyright and related rights.
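A worked illustration of the "consent before non-essential cookies" rule from the server's side, added here as an example; it is not code from the original page or from any real site. The helper emits `Set-Cookie` headers only for cookie categories the visitor has consented to, always allows strictly necessary cookies, treats the absence of a recorded choice as no consent, and validates cookie names and values so a crafted value cannot inject extra attributes or headers. The cookie names, the catalogue of categories, the shape of the consent record and the function names are all assumptions made up for this illustration; Secure, HttpOnly and SameSite are standard browser cookie attributes.

```javascript
// Added example, not code from the original page or any real site.
// Server-side gate: a cookie is only emitted if its category is permitted by
// the visitor's recorded consent. "necessary" cookies (session, CSRF) are
// always permitted; analytics and marketing cookies need opt-in consent.
// COOKIE_CATALOGUE, the cookie names and the consent record shape are
// assumptions made up for this illustration.
const COOKIE_CATALOGUE = {
  session_id: { category: "necessary", maxAge: 3600, httpOnly: true },
  csrf_token: { category: "necessary", maxAge: 3600, httpOnly: false },
  _analytics: { category: "analytics", maxAge: 365 * 24 * 3600, httpOnly: false },
  ad_profile: { category: "marketing", maxAge: 180 * 24 * 3600, httpOnly: false },
};

// consent is the parsed consent record (e.g. read back from the banner's own
// cookie), such as { analytics: true, marketing: false }, or null if the
// visitor has not made a choice yet. Absence of a choice is NOT consent, and
// only an explicit boolean true counts.
function hasConsent(consent, category) {
  if (category === "necessary") return true;
  return Boolean(consent) && consent[category] === true;
}

// Build one Set-Cookie header value. Name and value are checked against
// RFC 6265 character rules so a crafted value cannot smuggle in attributes
// such as "; Path=/" or a second cookie.
function serializeCookie(name, value, spec) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (typeof value !== "string" || /[\s";,\\]/.test(value)) {
    throw new Error(`invalid cookie value for ${name}`);
  }
  const parts = [
    `${name}=${value}`,
    `Max-Age=${spec.maxAge}`,
    "Path=/",
    "Secure",        // never sent over plain HTTP
    "SameSite=Lax",  // limits cross-site sending (CSRF, third-party tracking)
  ];
  if (spec.httpOnly) parts.push("HttpOnly"); // hidden from document.cookie / XSS
  return parts.join("; ");
}

// requested: { cookieName: value } that the application wants to set on this
// response. Returns the header values that may be sent and the names that
// were withheld for lack of consent (useful as compliance evidence in logs).
function buildSetCookieHeaders(consent, requested) {
  const headers = [];
  const withheld = [];
  for (const [name, value] of Object.entries(requested)) {
    const spec = COOKIE_CATALOGUE[name];
    if (!spec) throw new Error(`cookie not in catalogue: ${name}`);
    if (hasConsent(consent, spec.category)) {
      headers.push(serializeCookie(name, value, spec));
    } else {
      withheld.push(name);
    }
  }
  return { headers, withheld };
}

// Constructed sample input: the app wants all four cookies on this response.
const SAMPLE_REQUEST = {
  session_id: "a1b2c3",
  csrf_token: "t0k3n",
  _analytics: "GA1.x",
  ad_profile: "seg42",
};

// First visit, no consent recorded: only the necessary cookies go out.
const firstVisit = buildSetCookieHeaders(null, SAMPLE_REQUEST);
// After the visitor accepted analytics but refused marketing.
const afterChoice = buildSetCookieHeaders({ analytics: true, marketing: false }, SAMPLE_REQUEST);

console.log(firstVisit.headers, firstVisit.withheld);
console.log(afterChoice.headers, afterChoice.withheld);
```

The point of returning `withheld` rather than silently dropping cookies is auditability: a log of which tracking cookies were suppressed, and why, is the evidence a controller can show a regulator that consent actually gated the processing. The same gate should be applied before loading third-party analytics or advertising scripts, since those set their own cookies outside this helper.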