Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

What about GDPR?

51 views

Published on

Presented at: ELESIG Scotland, University of Dundee, 26 November 2018
An overview of the GDPR within a learning and teaching context

Published in: Education
  • Be the first to comment

What about GDPR?

  1. 1. #altc What about GDPR? Martin Hawksey @mhawksey Please feel free to share photos of slides. Various copyright licences are used in this presentation for both content and images. If an image on a slide has no CC attribution assume it is a copyrighted source. This presentation is shared as CC-BY mhawksey. Presented at: ELESIG Scotland, University of Dundee 26 November 2018 Slides go.alt.ac.uk/elesig-gdpr
  2. 2. “ alt.ac.uk Join and interact via zeetings.com You can follow slides and take part in polls by going to: zeetings.com/mhawksey Accessing this talk via zeetings.com is optional. Slides also available from go.alt.ac.uk/elesig-gdpr
  3. 3. alt.ac.uk3/46 Image: CC-BY-SA ALT https://flic.kr/p/LpT8wt
  4. 4. Image: CC-BY-NC Chris Jones https://flic.kr/p/bupUcB
  5. 5. Nota Lawyer Disclaimer: I’m not a lawyer, or data protection expert and I’m only sharing my interpretation of information I’ve gathered for your consideration and does not constitute as legal advice.
  6. 6. alt.ac.uk How familiar are you with GDPR? A. First time I’ve heard about GDPR B. Aware of GDPR C. Know a bit about GDPR and key principles D. Know a lot about GDPR and key principles
  7. 7. alt.ac.uk What level of support have you had? A. No support at all B. Self-directed study C. Taken mandatory training provided by my institution D. Been provided guidance by my Data Protection Officer and/or support staff
  8. 8. alt.ac.uk Overview ♢ Introduction ♢ GDPR ○ Definitions ○ Lawful basis ○ Accountability ♢ Working with GDPR
  9. 9. Data is the new nuclear Data isn’t the new oil — it’s the new nuclear power James Bridle Image Copyright: Leonardo Santamaria 9/46
  10. 10. Image: CC-BY Selfdestination https://flic.kr/p/gGZYKK The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. - Wikipedia
  11. 11. GDPR compliance isn’t just required by EU based organisations. Any ‘enterprise’ processing ‘personal data’ from EU citizens needs to be GDPR compliant or they can face “penalties of up to 4% of worldwide turnover or €20 million, whichever is higher”. Image: CC-BY MoneyBlogNewz https://flic.kr/p/9eXnSq Non compliance penalties
  12. 12. 12/4 6 Brexit? Image: CC-BY Duncan Hull https://flic.kr/p/UzBs6j
  13. 13. Personal data Photo by h heyerlein on Unsplash
  14. 14. Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly - Article 4(1) Personal Data 14/46
  15. 15. Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. – UK ICO Key Definitions Personal Data 15/46
  16. 16. 16 Image: CC-BY-SA Dennis van Zuijlekom https://flic.kr/p/ApBi1X Image: CC-BY-NC-ND Matthijs https://flic.kr/p/89w39B Access Erasure
  17. 17. Controller Photo by Matthew Henry on Unsplash
  18. 18. Data Controller - A controller determines the purposes and means of processing personal data. (e.g. your institution) Data Processor - A processor is responsible for processing personal data on behalf of a controller. (e.g. any 3rd party your institution contracts that can access personal data) Data Controller/Processor 18/46
  19. 19. Processing Image: CC-BY mhawksey https://flic.kr/p/qbMRze
  20. 20. 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; -Article 4(2) Processing 20/46
  21. 21. ● Lawfulness, fairness and transparency ● Purpose limitation ● Data minimisation ● Accuracy ● Storage limitation ● Integrity and confidentiality (security) ● Accountability GDPR Key Principles 21/46
  22. 22. 22 Image: CC-BY-NC-ND Maia Weinstock https://flic.kr/p/r7yWg2 Lawfulness
  23. 23. 1. Consent 2. Contract 3. Legal obligation 4. Vital interests 5. Public task 6. Legitimate interests Lawful basis 23/46
  24. 24. 24 Photo by Ho Hyou on Unsplash Samples
  25. 25. Photo by Gift Habeshaw on Unsplash Consent
  26. 26. Copyright 2018 © Moodle Pty Ltd - CC SA - support@moodle.com Digital age of consent ● Age and location check to identify minors (part of recent point release) ● Default age of digital consent is 16 years old ● Can specify countries with other age requirements ● If the user is considered a minor they will be asked to contact the site admin
  27. 27. Copyright 2018 © Moodle Pty Ltd - CC SA - support@moodle.com Policy Plugin ● If the user is above the age of consent they will be shown the policy pages ● Ability to set policies for: ○ Site ○ Privacy ○ 3rd parties ● Policies are shown one at time
  28. 28. Copyright 2018 © Moodle Pty Ltd - CC SA - support@moodle.com Policy Plugin ● The Consent page lists a summary of each policy ● The user is asked to specifically agree to each policy ● When the user agrees to the policies they will be taken to the standard user registration form
  29. 29. Copyright 2018 © Moodle Pty Ltd - CC SA - support@moodle.com Policy Plugin ● Overview of user consents for the site admin or privacy officer ● Ability to filter to a specific policy to determine who consented at what time ● Ability to manually consent on behalf of users
  30. 30. Photo by Cytonn Photography on Unsplash Contract
  31. 31. https://www.perth.uhi.ac.uk/t4-media/one-web/perth/about-us/policies-regulations-and-guidelines/Studen t-Records---Higher-Education---Privacy-Notices.pdf
  32. 32. Image: CC-BY-SA Tim Evanson https://flic.kr/p/bpBg2y Legitimate Interests
  33. 33. https://www.ed.ac.uk/information-services/learning-technology/media-hopper-replay/privacy-statement
  34. 34. “ alt.ac.uk ● Lawful basis: We’re using legitimate interests of the University in providing the service to its staff and students as the lawful basis for processing personal data within the Media Hopper Replay service. The Data protection Officer and lawyers were very clear that this is the appropriate basis (and that the consent lawful basis would actually not be appropriate for a number of reasons, including ensuring consent is freely given, given the power imbalance between the University and either a member of staff or a student, and some of the implications for implementing any withdrawal of consent once a recording has been made.
  35. 35. Photo by Michael D Beckwith on Unsplash Accountability
  36. 36. The processor shall not engage another processor without prior specific or general written authorisation of the controller - Article 28(2) Processor 36/46
  37. 37. 37
  38. 38. The following examples are provided by Salman Usman (Academic E-learning Developer) Kingston University London. You are welcome to re-use/re-purpose these but you will need to check with your Data Protection Officer or equivalent first.
  39. 39. The personal data Padlet holds is staff account details for Padlet and students placing their name or university ID in their Padlet posts for the lecturer to identify them. In order to make the use of Padlet mandatory for students and avoid the need for students to sign a consent form, staff should undertake the following measures: ● Staff should not use their KU email account and password when creating an account with Padlet ● Password-protect the Padlet staff are using with their students ● In their Padlet posts students should only include arbitrary identifiers that are only known to the lecturer. Staff need to store the mapping between student name/ university ID and their identifier securely on university network drive. Provided by: Salman Usman,Kingston University London
  40. 40. The personal data PeerWise holds is staff account details for PeerWise and student identifier, username, password and email address. In order to make the use of PeerWise mandatory for students and avoid the need for students to sign a consent form, staff should undertake the following measures: ● Although it is a requirement to provide KU email address, staff should not use their KU email password when creating an account with PeerWise ● Student identifiers provided to PeerWise should not be their name, university ID or anything else that can identify them. Instead, provide an arbitrary identifier for each student and store the mapping of students’ university ID and their arbitrary PeerWise identifiers securely on university network drive. ● Ask students that when setting up accounts, not to choose a username that identifies them, not to use university password for their PeerWise account password, and not to provide their email address (which is optional anyway). Provided by: Salman Usman,Kingston University London
  41. 41. The personal data that TEAMMATES holds is staff account details for TEAMMATES, student KU email, feedback that students give to their peers and receive from their lecturers and peers. In order to minimise risks associated with using this tool, staff should undertake the following measures: ● The use of TEAMMATES should not be mandatory as it is not possible to use it without providing students’ personal data. ● Staff and other members of teaching team should be made aware that the tool is not supported by the university and that there may be risks associated with handling of personal data. To this end, students need to sign a consent form. Those students who wish to opt out should be provided an alternative method to participate and it should not disadvantage those that choose this method. ● Ensure that peer feedback is given anonymously to all group members (by choosing appropriate settings) ● Staff should not use their KU email address and password when creating Google account to use with TEAMMATES ● Delete all data after end of academic term Provided by: Salman Usman,Kingston University London
  42. 42. Photo by Clem Onojeghuo on Unsplash
  43. 43. alt.ac.ukPhoto by rawpixel on Unsplash No data processing agreement... ● Supported alternatives ● Make optional ● Obscure identity ● Limit functionality
  44. 44. CC-BY-SA miss Murasaki https://flic.kr/p/bCafgG Paws
  45. 45. Thank you Salman Usman and ALT-MEMBERS Slides go.alt.ac.uk/elesig-gdpr @A_L_T/@mhawksey
  46. 46. Association for Learning Technology Registered charity number: 1160039 www.alt.ac.uk @A_L_T

×