News and developments
COVID-19 and back-to-school privacy concerns
The Government of Malta is, thus far, set on opening schools come September. The debate on appropriate safety protocols is ongoing, and questions on how best to deliver lessons abound. Online or in-class lessons, or a mix of both with part of a class at school and the other following from home? The implications for the privacy of the individual have, to date, not featured much in the ongoing debate. Here we attempt to explore the main concerns that arise in this respect.
Let us set the scene by considering one possible scenario. Suppose that half the cohort attends school in person and the other half listens in using an online communication platform. Lessons are recorded and can be shared, and the footage features the classroom and schoolchildren. Added to this are new practices that have emerged for collecting personal data, including daily temperature checks and performing contact tracing should students or staff test positive for COVID-19. These all involve the processing of personal data, and therefore ought to be in line with the requirements of the General Data Protection Regulation (GDPR).
Striking a balance between the rights of students and staff to privacy, on the one hand, and the protection of their and their loved ones’ health in a pandemic, on the other, is a consideration which should rank highly on the priority list of every school at the moment. When it comes to the processing of children’s data, the GDPR is unforgiving: the principle laid down in the GDPR is that children merit specific protection of their personal data, as they may be less aware of the risks, consequences and safeguards associated with, or their rights in relation to, the processing of personal data.
One of the areas which must be revisited in the wake of these types of ‘new purposes of processing’ activities come end September is the provision of information related to the processing of personal data, usually embodied in a privacy notice. Where a new processing activity or a new purpose for collecting personal data is contemplated by a data controller, such as the school in this case, this should be immediately brought to the attention of the related data subjects prior to its collection, processing, or both. This would mean that schools are likely to require a revision of their privacy notices, and in the event that no privacy notice exists or the existing one predates the GDPR, now is surely the time to implement or revisit one, respectively. Once privacy notices are instated or updated, they would need to be sent to students and their legal guardians. Privacy notices related to staff should likewise be updated by the school and sent to the data subjects concerned.
Besides new processing activities, schools should also assess the lawful bases justifying each data processing activity. The GDPR provides data controllers with six lawful bases of processing. One of these, consent, is not necessarily a better or more important option than the alternatives. In fact, when consent cannot be given freely, data controllers should consider using another justification. Nevertheless, Subsidiary Legislation 586.07 on the Processing of Personal Data (Education Sector) [S.L.586.07] is rather clear in stating that educational institutions may process visual images provided that consent is obtained from the students themselves, if they would have attained the age of sixteen, or from their parents or legal guardians. The subsidiary legislation lacks a definition for “visual images,” however, the assumption is that the term is to be understood broadly when images of students are captured, encompassing audio-visual recordings as well as their transmission over online communication platforms.
Where consent is required, S.L.586.07 clearly states that consent should be made in writing or by an opt-in indication. This consent may at any time be withdrawn in writing by the person giving it, and the data controller is obliged to stop the processing activity for which the consent has been withdrawn and delete or destroy the data concerned.
However, unless the legislator was gifted with admirable foresight, chances are that this law was not written with a pandemic in mind. The situation facing us is an unprecedented one, where traditional models of teaching merit reconsideration and where schools are scrambling to migrate to online teaching, in whole or in part, whether from the start or by way of contingency in case a second lockdown is enforced at a point during the scholastic year. Collecting consent for online learning might have to be studied further. One can understand the position where consent is required if the school were to market or commercialise its online classes, but what about those instances where this method is incorporated as a reasonable and legitimate tool to mitigate the risk of a spreading virus? Consent would certainly not be an appropriate lawful basis of processing if the school cannot offer an individual genuine choice and control, that is, the possibility to opt out of those classes, or where this is deemed to be a precondition of a service. If a school implements live streaming, would consent be an appropriate lawful basis of processing? Could a student or their legal guardian refuse to provide that consent for online classes and live streaming and, if so, could the school reasonably be expected to provide an alternative? Could parents and students really opt out of this technological leap? From a legal perspective, schools might be better off with considering alternatives to consent, such as a legitimate interest to conduct classes online under the current circumstances.
With regard to best practices, a sensible way to approach this thorny issue is for schools to avoid delivering classes using platforms such as Instagram Live, Facebook, YouTube, or TikTok. These platforms are public-facing online social media tools and the reasonable expectation here is that the personal data is not shared or live-streamed on such media. Schools should consider employing safe videoconferencing platforms that offer the technology to protect student information. Schools also need to ensure that their live-streaming practices meet basic requirements, such as the safe storage of video footage; avoiding the collection of unnecessary personal data, for example through a “camera switched off” policy for students joining classes remotely; ensuring that videos are only accessible to the class and a limited number of school personnel; and enforcing rules on deleting videos after a set period of time.
Schools certainly have quite some homework cut out for them:
1. revisit personal data practices and documents, such as their privacy notices;
2. build trust by informing data subjects whenever possible on what the school is doing to protect their rights and ensuring a safe environment, keeping in mind that transparency is critical;
3. adopt the right practices to avoid personal data becoming publicly available; and,
4. seek professional advice when uncertain of the position at law.
Sharon Xuereb is a Senior Associate at Camilleri Preziosi, practising primarily in the fields of privacy and data protection, intellectual property, IT and electronic communications laws. Camilleri Preziosi provides regular advice in the fields of privacy and data protection law. The firm participated in various discussions and training programmes on the GDPR.