The pandemic disrupted every sector of society and exposed their shortcomings—especially in our education systems. The lockdown confined students and teachers to their homes, forcing everyone to turn to digital technologies and begin teaching remotely. Schools had to adapt to the new conditions as quickly as possible and ensure distance learning. Right from the start, numerous shortcomings became apparent: a lack of strategy, insufficient capacity, and a shortage of the technologies, knowledge, and skills needed for a smooth transition to an online virtual environment. And the subsequent introduction of school traffic lights meant that schools had to find solutions and adapt the educational process to changing conditions, combining in-person and distance learning. However, no one prepared schools for the pitfalls awaiting students and teachers in the online world, nor for how to protect students’ and teachers’ personal data during online instruction, or whether hybrid education is even safe.
When processing personal data, the operator of an educational institution must always take into account the best interests of the children and, when processing their personal data, comply with the processing principles set forth in Article 5(1) of the GDPR as follows:
Personal data must be:
- processed lawfully, fairly, and transparently in relation to the data subject (“lawfulness, fairness, and transparency”);
- collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered incompatible with the original purposes in accordance with Article 89(1) (“purpose limitation”);
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
- stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), provided that appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of data subjects are implemented (“storage minimization”);
- processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through appropriate technical or organizational measures (“integrity and confidentiality”).
Distance Learning
The pandemic situation has shown that there is no one-size-fits-all solution for distance learning. Needs and technical capabilities vary, and what works well in one school may not be applicable in another. Each school operator knows best which measures may work in their school and which will not work at all. Therefore, it is best if school management adapts the measures to their specific conditions and capabilities. However, they must always ensure data security.
The Minister of Education, Science, Research, and Sport, pursuant to Section 150(8) of Act No. 245/2008 Coll. on Education and Training (the School Act) and on Amendments to Certain Acts, as amended (hereinafter referred to as the “School Act”) has decided, effective as of November 29, 2021, as follows: “If a child or student does not participate in education and training at school during a restriction on freedom of movement and residence due to a curfew imposed by a currently valid resolution of the Government of the Slovak Republic, this shall be considered an excused absence; if operational conditions permit, school principals shall provide distance learning for such children or students.”
The definition of distance learning pursuant to Section 54(10) of the School Act reads: “Distance learning is remote education conducted via correspondence, telecommunications media, and other means, in which, as a rule, there is no direct contact between teaching staff and the self-studying student.”
If distance learning is conducted online, the operator must take into account the security risks associated with individual platforms and implement appropriate technical measures.
What should you be aware of when using online platforms?
- Platforms often need to collect basic information in order to function. Nevertheless, they must protect sensitive data, such as the content of conversations or contact details. Conversations should not be shared with third parties. If they are shared, this should be clearly defined in the privacy and data protection policies,
- Authentication method – verification of the user’s identity. Two-factor authentication serves as an additional identity verification,
- Data transmission encryption method,
- Option for secure deletion of user data.
In distance learning, the teaching process takes place from the children’s homes. In such cases, the child’s legal guardian is responsible for the security of their data.
Hybrid education
Nowadays, so-called hybrid education is widely recommended for schools, where in-person education is delivered to the homes of children who cannot be at school via online transmission. Such processing of personal data—that is, recording students and teachers during class for the purpose of providing the recording to third parties
(to students at home), is inappropriate and dangerous, as it will violate the fundamental rights and freedoms of the other children participating in the lesson as well as the teacher themselves. Pursuant to Section 11 of Act No. 40/1964 Coll., the Civil Code, a natural person has the right to protection of their personality, in particular their life and health, civic honor and human dignity, as well as their privacy, their name, and expressions of a personal nature. During in-person instruction, the operator is responsible for the safety of students. The operator must take appropriate technical and organizational measures to ensure the protection of the personal data of students and teaching staff.
In a hybrid form of instruction, it is not possible to ensure the security of students’ and teaching staff’s personal data regarding likenesses or behavioral characteristics. In a home environment, where the controller no longer has control, unauthorized recording may occur—even by other family members—and subsequent publication, misuse, and the like. Cyberbullying is also widespread today, and every operator should strive to eliminate such undesirable influences on children as much as possible.
Sources:
https://www.csirt.gov.sk/wp-content/uploads/2021/08/Videokonferencie1.0.pdf
Act No. 245/2008 Coll. on Upbringing and Education (School Act) and on Amendments to Certain Acts
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Jan Kolouch: CyberCrime
