Learnovate Lunchtime Series: Data Protection – Implications for Edtech in Schools

The latest in our Lunchtime Sessions on 6th September, covered the topic of Data Protection and was presented by Chris Bollard from Arthur Cox. Chris certainly had the attention of our audience, covering a topic that is vital, yet is not always given the attention it needs. Chris began by covering the history and pointing out that ‘Data Protection’ is a clumsy translation of what really is ‘Rights to Privacy’.

In terms of roles and responsibilities the main players of interest to the edtech industry are data controllers (control the contents and use of personal data) and data processors (process the personal information on behalf of the data controller). Personal data refers to information that can assist in identifying a living person. Sensitive personal data is the same but in addition gives some indication as to the individual’s personal construct, such as race, religion, membership of organisations etc.

In certain circumstances Personal Data can be obtained without consent, but Chris left us in no doubt that consent is the practical way to go in just about every case. He told us data controllers have responsibilities in relation to personal data, as follows:
• Obtain and process personal data fairly
• Keep it only for one or more specified and lawful purposes
• Use and disclose it only in ways compatible with the purposes for which
it was given to them initially
• Keep it safe and secure
• Keep it accurate and up-to-date
• Ensure that it is adequate, relevant and not excessive
• Retain it no longer than is necessary for the specified purpose or purposes
• Give a copy of his/her personal data to any individual, on request
(section4 access request)

When dealing with children the same rules apply with the additional complication that guardian’s consent is also required. There is no hard and fixed rule as to what age constitutes a child but in the view of the Data Protection Commissioner certainly below 16 would be a guide and to be safe possibly 18.

The final part of the presentation dealt with exporting data outside of Ireland. The Data Protection Agency has one main question in this regard does the importing country offer an adequate level of data protection? There is agreement that data can move between the 27 members of the European Economic Area (EEA) and certain other listed countries as they comply with question. The US however is not deemed to provide an adequate level of protection. This does not mean that data cannot be exported to the US, there are various ways, but one of the cleanest in Chris’ experience is to work with an importer who is ‘Safe Harbour’ certified (http://export.gov/safeharbor/) , a certification that means the level of protection is equal to that of EEA member countries.

Chris covered a lot more and fielded many interesting questions from the floor, this article is by way of providing a brief overview, and also to thank Chris Bollard for giving so generously of his time.