Anyone involved in media production nowadays, whether for education or for any other reason, needs to understand privacy law. We invited Emmanuel Salami who has published articles on data protection law and who works as a data protection counsel in Germany to bring us up to speed.
Emmanuel: Technological advancements in the world have impacted largely upon all facets of human existence and the educational sector is no exception. With the aid of these technological advancements, students are now able to approach their academic pursuits (including long distance studies) without necessarily requiring any paper-based correspondence between them and their academic institutions. From video learning in the classroom, to the use of various apps for learning, grading and assessing of students, media learning falls squarely within the purview of data protection law. Academic institutions are therefore not left out of the legal requirement to ensure data protection compliance in the use of modern and advanced technologies and media for learning particularly as same affects the right to data protection of their students as well as members of their teaching and non-teaching staff (hereinafter collectively referred to as data subjects). In the light of the extant provisions of the General Data Protection Regulation (GDPR), some important steps towards data protection compliance in the use of media learning tools are listed below.
Legal basis: A foundational requirement for the processing of personal data under data protection law is the requirement that personal should be processed lawfully. This principle of data protection law as stipulated under Article 6 of the GDPR provides that personal data should be processed on one of six legal bases which include consent, performance of a contract, legal obligation, legitimate interest of the controller etc. The absence of a sufficient legal basis renders a processing operation unlawful from its very inception. In a media learning scenario, before the recording and sharing of a lecture (for instance), a justifiable legal basis must be obtained for the students on one hand and the lecturer/other applicable members of staff (as employees of the university) on the other hand. The importance of making such a distinction before the adoption of a legal basis for both categories of data subjects lies in the fact that various conditions may come into play which will make it impossible for the personal data of both students and teachers to be processed under the same legal basis (1).
Other principles of data protection: In addition to the requirement that personal data should be processed lawfully, there are other principles of data protection law which include the fairness and transparency principle, the storage limitation principle, the accountability principle etc. The importance of paying attention to these principles of data protection lies in the fact that it is impossible to be compliant with data protection law if these principles are not complied with. For instance, to be compliant with the storage limitation principle in a media learning scenario, video and audio recordings, personal data contained in apps etc. must be deleted once they are no longer necessary for the purpose for which they were initially collected/processed. Hypothetically, such deletion must occur in the event that the courses for which the personal data are related are cancelled and there is no further need to retain the personal data thereunder.
Provision of data subjects with adequate information: One of the requirements of data protection law as reflected under Article 13 of the GDPR is that data subjects should be provided with adequate information about the processing activity. In order to be compliant from a media learning perspective, data subjects must be provided with adequate information which will include the name of the controller and processor of the personal data, recipients of the personal data, retention periods etc. Hypothetically, if a software will be used to grade students, such student(s) must be provided with adequate information under Article 13 of the GDPR.(2) Furthermore, academic institutions will also be required to provide data subjects with adequate information about their processing activities on social media as they have been held by the Court of Justice of the European Union (CJEU) to be joint controllers of personal data they process on social media platforms along with social media service providers.(3) This is particularly important from a media learning perspective as academic institutions are very prone to updating learning materials on their social media pages.
Access rights and Data Subject Access Rights: One of the foremost objectives of the GDPR is ensuring that data subjects have control over their personal data.(4) In furtherance of this objective, Article 15 of the GDPR gives data subjects the right to request from controllers the right to provide confirmation of whether or not personal data concerning them is being processed by the relevant controller. Also, data subjects are provided with rights such as the right to data portability, erasure, restriction of processing, rectification etc. Hypothetically, in exercising the right to data portability, data subjects can, (subject to Article 20 of the GDPR), request their academic institutions to transfer their academic records to other academic institutions for the continuation of their studies.
Data Processing Agreements: In the use of various applications and software for media learning, academic institutions (being controllers) (5) are likely to engage third party service providers who will be responsible for hosting and maintaining the application. These third-party service providers will therefore have access to the personal data of data subjects. In such a case, Article 28 of the GDPR mandates controllers to enter into a Data Processing Agreement (DPA) with such third parties. Such DPA shall regulate various terms of the processing operation including the transfer of personal data to third countries, data deletion, appointment of subcontractors etc.
In conclusion, in order to ensure compliance with data protection law, relevant institutions must ensure that they develop a fully functional data protection compliant framework that takes the peculiarities of their processing operations into consideration throughout the lifespan of the said processing operation(s), from personal data collection to deletion. Also, Privacy by Design (PbD) principles which ensures that data protection principles are incorporated into processing operations from the design phase should be adopted. An example of a PbD measure that could be applicable in this regard could be the use of technology that blurs the faces of persons who do not wish to appear in video recordings or completely using audio recordings with graphical representations of the audio content instead of recording faces of the participants of such lectures. It must be noted that in order to lawfully take advantage of media learning, data protection law compliance must be vigorously pursued by all relevant stakeholders involved in the adoption and use of media learning techniques in order to prevent the violation of data subjects’ right to data protection.
REFERENCES
- It must be noted that while students may consent to being recorded in the classroom, the same may not be applicable to their teachers as the use of consent as a legal basis may conflict with the requirement that consent should be freely-given as stipulated under Article 4(11) of the GDPR. For further reading, please see – Article 29 Working Party Guidelines on consent under Regulation 2016/679, 17/EN WP259.
- In this hypothetical example, further information such as function(s) of the software as well as the legal effects of such software on the data subject must be provided in accordance with Article 22 of the GDPR.
- (Case C-210/16) Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH
- Recital 63 of the GDPR.
- A controller is defined in Article 4 (7) of the GDPR as the natural or legal person that determines the purpose and means of processing.
Emmanuel will be joining other legal experts for a discussion on law and the educational media producer during the media & learning Conference on 5-6 June in Leuven, Belgium.
Author
Emmanuel Salami
University of Lapland, Finland
