The new GDPR regulations coming into force in May 2018 mean that the potential fines associated with data breaches or other leaks will be greater than those that exist under the current Data Protection Act.
The new regulations also finally make third-party vendors liable where their action or inaction results in the release or leak of data which they are processing on your behalf. This seems like a good thing: if you use a third party and, through no error of your own, their use leads to the leak of data, they will be held responsible.
The issue, though, is that the above is only part of the story. Although the third-party vendor may be responsible for the breach, it would have been your responsibility to confirm their compliance with GDPR and their security and other measures in relation to data before commissioning them to handle your data. Even though the breach or leak may have been due to the action or inaction of a third party, you are going to have to prove that you showed due diligence in checking out the third party and its operations before signing them up to process, store or otherwise use your data. If you didn't, then you too may be found liable and therefore receive what could be a significant fine.
As schools, we use a large number of third-party sites in delivering the educational experience we provide to the students under our care. These might be specific maths or science websites with sample questions or learning materials, or more generic services such as Showbie or G-suite. In each case you will be providing personal information on your students, with some sites requiring more data than others, and in each case you will need to prove that you undertook at least a basic review of the data safety and security provision offered by each site or service.
With this in mind, the key questions I see the need to ask a third party are:
- Do you share my data or allow others to access my data? If so, with whom and why?
- What security do you have in place (physical and logical) to protect my data?
- What disaster recovery and backup process do you have in place?
- How long do you retain data and what happens to data should I quit your service?
- Do I have the right to audit or request the audit of your data security provision?
As we approach the May implementation date for GDPR we need to ensure we have a better handle on where school data, that of students, staff, parents, visitors and other stakeholders, is stored. Part of this will involve identifying all third-party vendors and asking them about their preparedness for GDPR.
A recent BBC News article highlighted a US judge's decision to allow data gathered from a defendant's pacemaker to be admissible in court (you can read the article here). The data in question was used by an expert witness to cast doubt on the defendant's explanation of the events surrounding the case in hand. The issue here is the gathering of data for one purpose, measuring the defendant's vital signs in order to aid medical treatment and diagnosis, versus the eventual use of the data to prove what he was doing during a specific period of time in relation to a criminal prosecution. Surely data gathered from a device in my body would constitute "my data" and therefore be for me to decide or approve its use.
This incident seems to go against the basic rules of the Data Protection Act and also the upcoming General Data Protection Regulation due to come into effect in May 2018, in that the eventual usage of the data did not relate to its original purpose. The permission required for storage and usage of the data would have been limited to that purpose. Now, there are exceptions for law enforcement in relation to protecting society which may have come into play, plus the incident happened in the US and I don't have any experience of the US equivalent of the Data Protection Act; however, I would assume the similarities likely far outweigh the differences.
This case seems to suggest that it may be possible for gathered data to be used for purposes other than those for which it was intended or for which permission was obtained. All that is required is some justification of need. This seems vague and particularly concerning.
So what about the Amazon Echo sitting in the front room recording every comment, discussion and noise occurring in my house? What about the camera in a smart TV equipped with gesture control, or the Kinect device attached to my son's Xbox One? What about the engine management unit or GPS unit in my car, the data my smart watch gathers, or info from my FitBit or other fitness tracking device? We may be happy about these devices gathering data for their intended purposes, but what about the purposes to which the data could be put, which we cannot yet predict? I am sure the bloke with the pacemaker couldn't have predicted he might be convicted based on data his pacemaker gathered. How might a hacker or someone else with malicious intent use the data which is available?
As we work with students to build them into digitally and technologically literate individuals, we need to discuss the above.
Are we happy with so much data being gathered, stored and processed on us by third parties? Do we truly understand how the data is or can be used?