Data Protection Training - The British School of Lanzarote
Mesher
Created on May 29, 2024
THE BRITISH SCHOOL OF LANZAROTE, S.L.U.
Transcript
DATA PROTECTION TRAINING
1. Introduction
2. Principles
3. Situations
4. Rights
5. Protocols
6. Digital Rights
Regulatory Framework
- GDPR: Regulation (EU) 2016/679, of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- LOPDGDD: Spanish Organic Law 3/2018, of 5 December 2018, of personal data protection and guarantees of digital rights
- LSSI: Spanish Law 34/2002, of 11 July, of information society services and electronic commerce
KEY CONCEPTS
1. Personal Data
2. Data Processing
3. Data Controller
4. Data Processor
Personal Data
Means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data in special categories: ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sex life or sexual orientation.
Data Processing
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor
Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Data Controller - Data Processor
The data controller is responsible for hiring only data processors who comply with the GDPR. It is necessary to sign a contract that regulates the obligations of both parties.
International transfer of data
PRINCIPLES
a) Lawfulness, loyalty and transparency: processed lawfully, fairly and in a transparent manner in relation to the data subject.
b) Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
c) Data minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
d) Accuracy: accurate and, where necessary, kept up to date.
e) Storage limitation: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
f) Integrity and confidentiality: processed in a manner that ensures appropriate security of the personal data.
LAWFULNESS
- The data subject has given consent.
- It is necessary for the performance of a contract to which the data subject is party.
- It is necessary for compliance with a legal obligation.
- It is necessary in order to protect vital interests.
- It is necessary for the fulfilment of a mission carried out in the public interest for the purposes of the exercise of public authority.
- It is necessary for the purposes of the legitimate interests pursued by the Data Controller.
If you want to enroll your child in the school, which lawfulness is used?
INFORMATION
The data subject should be informed in a concise, transparent, intelligible and easily accessible manner, using clear and simple language:
- The identity of the Data controller.
- DPO contact details.
- The purposes of the processing.
- The lawfulness.
- The recipients of the personal data, if any.
- The retention period.
- Rights to request.
- The right to lodge a complaint with a supervisory authority.
Two Layers
The person concerned must be provided with the basic information and given an e-mail address or a means of accessing the other information.
Basic information if the data are not obtained directly from the data subject:
- Identity of the Controller.
- Purpose of processing.
- Where you can exercise your rights.
- From which source the personal data originate.
Basic information if the data are obtained directly from the data subject:
- Identity of the Controller.
- Purpose of processing.
- Where you can exercise your rights.
What legal texts should be included on a website?
A simple website in Spain, without e-commerce, must have 3 legal texts:
- Legal notice: which tells the user who is the owner of the website.
- Privacy Policy: informs the user about the processing of his data.
- Cookies policy: information about the cookies used, if any.
In addition to the cookie policy, a cookie banner should be displayed to give the user the option to check or uncheck its use.
Priority Channel
IN WHAT CASES CAN YOU GO? This channel has been set up to deal with exceptionally sensitive situations, when the contents (photographs or videos) are of a sexual nature or show acts of aggression and the rights and freedoms of those affected are being put at high risk, provided that they are Spanish nationals are in Spain, especially if they are minors or victims of gender-based violence.
WHO CAN USE THIS CHANNEL? Both the affected person and any person who has knowledge of the dissemination of this type of content can resort to this channel.
WHAT WILL HAPPEN AFTER REQUESTING THE WITHDRAWAL BEFORE THE AEPD? The AEPD analyzes the claim as a priority and, if necessary, may adopt precautionary measures, blocking the content or ordering the service provider or platform where it is being disseminated to remove it. In addition, if there are indications of a crime, it will bring the matter to the attention of the Public Prosecutor's Office. If appropriate, the investigation will continue in order to process a sanctioning procedure against the persons responsible for the dissemination.
Situations
- Do you know any law that enables the School to collect data?
- Can student health data be collected during enrolment or only at the beginning of the course? And will consent be required to process this data?
- About biometric data, is it legal to use the fingerprint for the control of employees' working hours?
- Can a school access the content of pupils' electronic devices, such as their WhatsApp or social networks?
- Can you communicate with parents or students through your personal cell phones?
- The school wants to publish the list of admitted students at the entrance of the school, is this the right place to put it?
- Should teachers have access to the academic records of all pupils in the school, or only those of the pupils they teach?
- How can we communicate test scores? Can they be said orally in class?
- If the students are over 14 years old, do their parents have the right to know their academic qualifications? And in case of students over 18?
- In case of separated parents, does the school have to inform both parents, or only the one who pays for the school? Both of them?
- In the case of pupils under 14 years of age, who must sign the data protection document included in the enrolment form, and in the case of pupils over 14 years of age?
- Do we have to ask for consent to transfer data to another school in case of an exchange? What if the school is outside the EU?
- In situations of risk or neglect of the child, can data be passed on to social services, or would we have to ask for consent?
- In emergency situations with a pupil, can data be transferred to health centres, or should we ask for consent?
- If we organise an excursion to a museum where a list of participants must be provided for access to the museum, should we ask for consent?
- Is it possible to use any application available on the Internet that is interesting from an educational point of view?
- A teacher wants to take images in which students may appear, and wants to include them in a presentation for pupils in their class, would consent be required for such use of the images? With what device should they capture these images?
- If you want to publish photos on the school's social media, would you need consent? And what if the pupils are not identified because their backs are turned or their faces are pixelated?
- Graduation day, parents/families take photos during the event, can they do so or do they have to ask for consent from other parents? What if a father doesn't want anyone to take pictures of their child? Should the event be cancelled?
- And if the school hires a photographer to record the event, must the consent of all parents be obtained?
- Suppose the school decides to prohibit photos from being taken on its premises, could it do so?
Means to be used
Only apps/webs/blogs/platforms that comply with the GDPR, and which have been approved by the school management (which have been previously reviewed by the Data Protection Officer), are allowed to be used for teaching purposes. What should be checked to ensure that the app/website is secure:
- That the app belongs to a company located within the EU, or in a country that has been recognised by our supervisory authority as having an adequate level of protection.
- It must have a clear and complete privacy policy (it must state at least the details of the data controller, purpose, legitimacy, retention periods, transfers and rights that apply).
Rights
- The right of ACCESS allows the holders of personal data to know and obtain information about their data free of charge.
- The right of RECTIFICATION allows you to correct errors, to modify data that prove to be inaccurate or incomplete and to guarantee the certainty of the information.
- The right to ERASURE allows data to be deleted when requested or when they become inadequate or excessive.
- The right of OPPOSITION is the right of the data subject to have the processing of his or her personal data stopped or not carried out for reasons related to his or her personal situation.
- The right of LIMITATION OF PROCESSING allows the data to be kept, to be processed with your consent for the exercise or defence of claims.
- The right of PORTABILITY allows the information to be transmitted directly from one entity to another, without the need to be delivered to the user himself, such as the transfer of a file.
Rights Request
If someone wishes to exercise any of the data protection rights, it must be clearly and simply stated that the request must be submitted in writing, either by sending a reasoned and accredited communication by e-mail to dpo@thebritishschoollanzarote.com, by post, or on paper in person at the secretary's office. In the event that a request arrives by a different route, please send it to our Data Protection Officer, David Díaz, at dpo@thebritishschoollanzarote.com
Personal Data Breach
If a personal data breach occurs, the person responsible must notify the Spanish Data Protection Authority within a maximum period of 72 hours from the time the incident becomes known, when it constitutes a risk to the rights and freedoms of natural persons.
What could happen that could lead to a security breach?
- A computer/mobile phone/USB with company information is lost or stolen.
- An email is sent to the wrong recipient or to multiple recipients without blind copy.
- You suspect you've been the victim of a cyber attack.
- Files or paper documents are lost or stolen.
If something like this happens, please inform David Díaz, your Data Protection Officer, at dpo@thebritishschoollanzarote.com
Data Protection Officer
The Regulation introduces the figure of the DPO, in some cases on a mandatory basis and in others on a voluntary basis. The DPO may be part of the staff or act within the framework of a service contract. This figure must be able to accredit professional knowledge and experience and will act with autonomy and independence, and may not be removed for decisions taken in the exercise of his or her functions. They report directly to the management and have full access to the company's resources. It is a mandatory figure for educational centres in accordance with article 34 b) LOPDGDD. Art. 34. b) "Educational centres offering education at any of the levels established in the legislation regulating the right to education, as well as public and private universities".
Basic Safety Measures
Access to information
- Protect the PC or device with an alphanumeric password whenever possible.
- Try not to leave passwords for access to corporate platforms (email, drive, etc.) stored.
- When using printers or photocopiers, after printing jobs with information of a personal nature, they should be collected immediately, or printed in a blocked way, making sure not to leave printed documents in the output tray.
- The transfer or publication of information containing personal data or images collected inside the facilities for personal purposes or uses is not permitted.
Extracting and/or sending information
- We advise against copying large amounts of data from the school onto removable storage media (USB sticks, external hard disks). However, if there is no alternative, the device must be password-protected.
- When sending a document by e-mail, it must be password-protected.
- We recommend not processing School information locally, but in the event of having to do so, it should be uploaded as soon as possible to the server or cloud owned by the School, which will allow the necessary security measures to be applied to this information, and to be subject to the backup procedures established by the organisation.
- Our recommendation is to work connected to the wired internet. If this is not possible, try to use only your trusted wireless network.
- Use only secure websites (with the "https" protocol).
Pay close attention to the e-mails received in accordance with the following recommendations:
- Do not open any links or download any attachments from an e-mail that shows any unusual signs or patterns.
- Do not rely solely on the name of the sender. Check that the domain of the received mail itself is trustworthy. If an email from a known contact requests unusual information, contact them by phone or other means of communication to corroborate the legitimacy of the email.
- Before opening any file downloaded from the mail, make sure of the extension and do not rely on the icon associated with it.
- Do not enable the macros of the office documents even if the file itself requests it.
- Do not click on any link that asks for personal or bank details.
- Always keep your operating system, office applications and browser (including installed plug-ins/extensions) up to date.
- Avoid clicking directly on any link from your own mail client. If the link is unknown, it is advisable to search for information on it in search engines such as Google or Bing.
- Use strong passwords for email access. Passwords should be renewed periodically and, if possible, two-factor authentication should be used.
Digital Rights
- The Right to digital security.
- Right to digital education.
- Protection of minors on the Internet.
- Right of rectification on the Internet.
- Right to privacy and use of digital devices at work.
- The right to be digitally disconnected in the workplace.
- Right to privacy in the use of video surveillance and sound recording devices in the workplace.
- Right to privacy in the use of geolocation systems in the workplace.
- Data protection of minors on the Internet.
- Right to be forgotten in Internet searches.
- Right to be forgotten in social networking and equivalent services.
Right to digital education
The education system shall ensure that pupils are fully integrated into the digital society and that they learn to use digital media safely and with respect for human dignity, constitutional values, fundamental rights and, in particular, respect and guarantee personal and family privacy and the protection of personal data. Actions in this area shall be inclusive, in particular with regard to pupils with special educational needs.
A direct mandate is introduced to all the educational administrations so that they include in the block of subjects of free configuration as well as the elements related to the situations of risk derived from the inadequate use of ICT. To this end, teachers will be adequately trained in digital skills and for the teaching and transmission of the values and rights referred to in the previous section.
We are waiting for the Government, together with the Autonomous Communities, to draw up an action plan to promote these training, dissemination and awareness actions.
Right to privacy and use of digital devices at work
Employees shall have the right to protection of their privacy in the use of digital devices made available to them by the employer. Employers are required to establish criteria for the use of such digital devices, including specifying the authorised uses and, where appropriate, determining the periods during which the devices may be used for private purposes. The possibilities for the employer to access the content of these digital devices should also be specified. Employees should be informed of this.
Right to be digitally disconnected at work
The concrete content and modalities of the exercise of this right shall be established by the employer, after hearing the workers' representatives, by means of an internal policy which shall include management positions and pay particular attention to cases of distance working.
Thank you!
For any questions you can write us at: dpo@thebritishschoollanzarote.com
Find Information about yourself
Search for yourself on Google right now: enter your first name and surname, and you will find some information about yourself. Then write your surname first, before your first name. You will notice that the results are different. For example, in Spain public sanctions, such as traffic sanctions, are published with your surname after your name.
How long can the following information be stored?
- Exams
- Photos published on web or social networks
- Information about you as employees
Minors consent
The GDPR provides that minors may consent to the processing of their data when they are over 16, but leaves Member States free to lower this age to 13.
In Spain, the LOPDGDD has set it at 14 years.