GDPR - General Data Protection Regulation


 

The introduction of EU GDPR legislation in 2016 and its enforcement in May 2018 means that everyone who manages personal data is now responsible for ensuring that it is secure, and that it is safeguarded using the highest appropriate privacy settings so that it is not publicly available unless a lawfulness of processing criterion has been identified, as required by GDPR Article 6. Although our VLE, NILE, is a secure network for students, this law still applies and can guide us in how we best go about our day-to-day duties.

 

Device security.

When saving data it is best to use either the cloud storage ‘OneDrive’ or your network drives, as locally saved data can be easily hacked should you lose your device. Article 9 of GDPR expects greater degrees of security for sensitive personal data (known as ‘special category data’), and so any personal information of this sort should also be password protected.

If you are unable to work online and are working on documents which contain student data, such as Excel files, then you should password protect these. Sensitive personal data should not be worked on offline, and snapshots of University databases should never be used to process personal data offline.

When users log in to NILE it is usually automated due to ‘single sign-on’, or your password may be held in the browser cache, so anyone with access to your computer will be able to log in to NILE to view student data. Therefore we strongly advise that you do not allow any other users access to your machine, or leave it unattended. When not in use you should always lock the screen (Windows: ‘Windows Key + L’ / Mac: ‘Control + Shift + Power’).

If you lose either your work device or a mobile device which is linked to data such as your email, you should report this as a data breach immediately to IT via the UoN Service Desk, so they can secure your account, and to the University Data Records Manager, Phil Oakman, Phil.Oakman@northampton.ac.uk

 

Personal data breach.

If you become aware of a data breach you should inform the University Data Records Manager Phil Oakman, Phil.Oakman@northampton.ac.uk

Personal data breaches include:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Alteration of personal data without permission
  • Loss of availability of personal data
  • Loss of personal data
  • Personal data stolen

 

Secure passwords.

Basic passwords can be cracked very easily. This Tech.co article lists some good and bad examples of passwords.

We suggest you don’t use your work password for any other sites, as this leaves our NILE and IT systems open to hacking. Also, don’t write your password down anywhere or send it in an email.

If you use your smartphone for work, then it is best to choose a longer passcode. ‘GrayKey’, a device used by government agencies to access iPhones, can crack a 4 digit security code in a few hours and a 6 digit code in a few days, but an 8 digit code would take much longer to crack. It is highly likely that hackers use similar software to crack passwords on both iOS and Android, so it is best to increase the number of digits beyond 6.

If you suspect your password is not secure, change it here: https://www.northampton.ac.uk/user

 

Sending data via Email.

Sending student data by email is problematic for a couple of reasons: firstly, data can be intercepted by email servers, and secondly, it is easy to send an email to the wrong person.

Do not include personal data, and especially sensitive personal data, in the body of an email.

To make these more secure, you should password protect any files containing student data that you are sending (such as grades exported from NILE), and send the password in a separate email, within an attachment (not titled ‘password’).

 

Releasing grades.

When revealing grades to students, only use the functionality within our VLE, NILE, as this ensures that this private data is only seen by the student to whom it applies.

Staff should not use Announcements or Content areas to release grades or use group names or student numbers to anonymise them – as these are pseudo-anonymous and in breach of GDPR.

 

Group grades & feedback.

Any information posted into the ‘Feedback to Learner’ area of a Blackboard Group assignment is released to all students in a group. Therefore you should not include any grades in this area, as this would be in breach of GDPR.

 

Identifying students by name.

Using student names to set up groups or perform tasks necessary for facilitating teaching and learning is a ‘Legitimate interest’ of data. However, staff should be aware that adding additional information such as student number, telephone number, address, or age would be a potential security risk to the student’s NILE and University account.

 

Collecting data in collaborative activities.

Tools such as blogs, discussion boards and Padlets are often used for online collaborative activities (such as ice-breakers) in which students may be asked to share information about themselves. Data such as ethnicity and sex are recorded in self-portraits and videos, or students may include information such as their home town or sexual orientation in written form.

Be particularly cautious of asking students to provide details which are commonly used for (banking) security questions, such as home town, name of pet, mother’s maiden name, favourite book and favourite holiday destination.

You may wish to consider whether the activity is a ‘legitimate interest’ of data as it is linked to the learning of the course, or whether you could redesign the activity to achieve the same learning outcomes without the need for students to provide personal data.

If it is necessary, you may wish to flag up to your students the issues of sharing personal data in a shared digital space, or ask for their consent to be 100% GDPR compliant.

 

Video recordings and virtual classrooms.

In the virtual classroom platform Collaborate Ultra, students attending can share their webcams or microphones and post questions in the chat box. This becomes a GDPR issue when sessions are recorded, as all of these are held in recordings.

We recommend that staff either inform the students of the recording prior to the session, including details of where the recording will be made available and to whom, or make the chat anonymous and remove the ability for students to share their camera and microphone in the session settings.

As it is possible to start and stop the recording during the session, staff may choose to anonymise the chat and restrict access to the webcam and microphone during the recorded ‘instructional’ aspects of the session, then stop recording and make these available for when students are actively participating.

 

Use of Social Media Platforms.

The University’s policy on the use of social media in teaching and learning is that students should not be disadvantaged if they do not wish to sign up to these social media platforms.

The reason for this is that these providers are not licensed by the University and we cannot expect our students to sign up to third-party terms and conditions. Therefore staff should only adopt social media tools to share content if all students can view the content without signing up for an account; examples of these are Twitter and Instagram.

For the same reason, staff should not ask students to use social media platforms (such as Facebook or WhatsApp) for class communications. There are already tools in the group settings within the VLE to do this, such as discussion boards, blogs, email or Collaborate (groups).

If the use of Social Media is a learning outcome for a module, the course leader will need to make all potential students aware of this prior to enrolling on the course through a declaration on the course information page within the university website.

The use of social media is also relevant to GDPR, because social media platforms contain personal data which is not available in the VLE NILE and students are sharing data with third parties.

 

Third Party Tools 

There are many very useful online tools such as Socrative, Kahoot and Prezi which are commonly used for teaching and learning but are not supported by Learning Technology. In a similar way to the University’s policy on social media accounts, the University policy says that students should not be disadvantaged if they do not wish to sign up to third-party tools. Therefore staff should either only use tools that allow students to participate without setting up a new account, or provide a supported alternative option which does not prejudice the student.

This is relevant to GDPR because students are sharing data with third party providers.

 

Supported tools and licensed third-party publishers.

Tool and content providers within NILE have all provided GDPR policies to ensure they meet current legislation and confirm that our student data is secure. This includes a number of third-party content providers.

Please note, subjects which require students to sign up to new accounts with third-party providers should post a declaration on the course information page on the university website prior to enrolment to make students aware of this.

 

Sharing student data in research.

Before you start any research project you need to consider the implications of the data that you will be collecting, including how you will be obtaining this, how it will be stored, and how it will be preserved. A good data management plan will take you through these steps and will assist you in successfully obtaining research ethics approval. You can use https://dmponline.dcc.ac.uk/ using your university login details to create a data management plan. Further resources can be found on the research support Yammer group.

Anonymisation or Pseudonymisation – GDPR

Anonymisation and pseudonymisation are two distinct techniques that permit data controllers and processors to use de-identified data. The difference between the two techniques rests on whether the data can be re-identified.

Recital 26 of the GDPR defines anonymised data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” This emphasises that anonymised data must be stripped of any identifiable information, making it impossible to derive insights on a discrete individual, even by the party that is responsible for the anonymisation. When done properly, anonymisation places the processing and storage of personal data outside the scope of the GDPR.

GDPR defines pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”

By holding the de-identified data separately from the “additional information”, GDPR permits data handlers to use personal data more liberally without fear of infringing the rights of data subjects. This is because the data only becomes identifiable when both elements are held together.

By rendering data pseudonymous, researchers can benefit from new, relaxed standards under GDPR. For example, Article 6(4)(e) permits the processing of pseudonymised data for uses beyond the purpose for which the data was originally collected.
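The separation described above, sketched as an added example (it is not part of the original post or of any University tooling): a grade export is split into a research dataset keyed by a pseudonym and a lookup table that plays the role of the “additional information”. The column names, sample rows and function names are assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample export; student numbers, names and grades are invented.
SAMPLE_EXPORT = """student_number,name,grade
12345678,Alex Example,67
23456789,Sam Sample,54
34567890,Jo Placeholder,72
"""

def pseudonym(student_number: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). Without `key` it cannot be
    recomputed from a known student number."""
    digest = hmac.new(key, student_number.encode(), hashlib.sha256).hexdigest()
    return digest[:16]

def pseudonymise(export_csv: str, key: bytes):
    """Split an export into (research_rows, lookup).

    research_rows carries only pseudonym + grade and is what researchers use.
    lookup is the 'additional information': store it, and the key, separately
    from research_rows and restrict who can read them.
    """
    research_rows, lookup = [], {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        p = pseudonym(row["student_number"], key)
        research_rows.append({"pseudonym": p, "grade": int(row["grade"])})
        lookup[p] = {"student_number": row["student_number"], "name": row["name"]}
    return research_rows, lookup

def reidentify(pseudonym_value: str, lookup: dict):
    """Attribute a record to a person; only possible when the lookup is held."""
    return lookup.get(pseudonym_value)

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated once, kept apart from the data
    rows, lookup = pseudonymise(SAMPLE_EXPORT, key)
    for r in rows:
        print(r)                                   # no name or student number
    print(reidentify(rows[0]["pseudonym"], lookup))  # needs the lookup table
```

Because the lookup table still exists, the research dataset here is pseudonymised, not anonymised, and remains personal data.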

Recommended Software: ARX – http://arx.deidentifier.org/ (open source)

 

Post Contributors:

Richard Byles – Learning Technologist.
Phil Oakman – Data Records Manager.
Dawn Hibbert – Head of Research Support
