The pandemic has disrupted all sectors of society and exposed their shortcomings – especially in our education systems. Lockdown confined students and teachers to their homes, forcing everyone to turn to digital technologies and start teaching remotely. Schools had to adapt to the new conditions as quickly as possible and ensure distance learning. Right from the start, a number of shortcomings became apparent: a lack of strategy, insufficient capacity, technology, and the knowledge and skills needed for a smooth transition to an online virtual environment. The subsequent introduction of school traffic lights meant that schools had to find solutions and adapt the educational process to changing conditions, combining face-to-face and distance learning. However, no one prepared schools for the pitfalls awaiting students and teachers in the online world, how to protect the personal data of students and teachers during online teaching, or whether hybrid education is safe at all.
When processing personal data, the school operator must always take into account the best interests of children and comply with the principles of processing set out in Article 5(1) of the GDPR as follows:
Personal data must be:
- processed lawfully, fairly and transparently in relation to the data subject ("lawfulness, fairness and transparency");
- processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the original purposes. 1 shall not be considered incompatible with the original purposes ("purpose limitation");
- appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer if the processing is carried out solely for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the data subjects ("retention minimization");
- processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").
Distance learning
The pandemic has shown that there is no single solution for distance learning. Needs and technical capabilities vary, and what works well in one school may not be applicable in another. Each operator knows best what measures can work in their school and what will not work at all. It is therefore best for school management to adapt measures to their conditions and possibilities. However, data security must always be ensured.
The Minister of Education, Science, Research and Sport, pursuant to Section 150(8) of Act No. 245/2008 Coll. on education and training (the School Act) and on amendments to certain acts, as amended (hereinafter referred to as the "School Act"), has decided with effect from 29 November 2021 as follows: "If a child or pupil does not attend education and training at school during restrictions on freedom of movement and residence imposed by a curfew currently in force by a resolution of the Government of the Slovak Republic, this shall be considered an excused absence; if operational conditions allow, school principals shall provide distance learning for such children or pupils."
The definition of distance learning according to Section 54(10) of the School Act is as follows: "Distance learning is remote learning through correspondence, telecommunications media, and other means, in which there is generally no direct contact between teaching staff and independent students."
If distance learning is conducted online, the operator must take into account the security risks of the individual platforms and take appropriate technical measures.
What should you look out for when using online platforms?
- Platforms often need to collect basic information in order to function. Nevertheless, they must protect sensitive data such as the content of conversations or details of individual contacts. Conversations should not be shared with third parties. If they are shared, this should be clearly defined in the privacy and personal data protection rules.
- Method of authentication – verification of the user's identity. Two-factor authentication serves as additional identity verification.
- Method of data encryption.
- Option for secure deletion of user data.
In distance learning, the teaching process takes place from the children's homes. In this case, the child's legal guardian is responsible for the security of their data.
Hybrid education
Nowadays, schools are largely recommended to use so-called hybrid education, where face-to-face education is provided online to the homes of children who cannot attend school. Such processing of personal data, i.e. recording pupils and teachers during lessons for the purpose of providing a record to third parties (pupils in their home environment) is inappropriate and dangerous, as it violates the fundamental rights and freedoms of other children participating in the lessons and of the teacher themselves. According to Section 11 of Act No. 40/1964 Coll. of the Civil Code, a natural person has the right to protection of their personality, in particular their life and health, civil honor and human dignity, as well as their privacy, name, and expressions of a personal nature. During the in-person teaching process, the operator is responsible for the safety of students. The operator must take appropriate technical and organizational measures to ensure the protection of the personal data of students and teaching staff.
In the case of hybrid teaching, it is not possible to ensure the security of the personal data of students and teaching staff in the form of images or behavioral characteristics. In a home environment, where the operator no longer has access, unauthorized recording may occur, even by other family members, and subsequent publication, misuse, etc. Cyberbullying is also widespread today, and every operator should strive to eliminate such undesirable influences on children as much as possible.
Sources:
https://www.csirt.gov.sk/wp-content/uploads/2021/08/Videokonferencie1.0.pdf
Act No. 245/2008 Coll. on Education and Training (School Act) and on Amendments to Certain Acts
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Jan Kolouch: CyberCrime
