Introduction
The
publication for public consultation of the revised version of what is now being
generally referred to as LN76/2014 has essentially proved that the initial
version of the said Legal Notice was far from perfect and that the reservations
raised some months back were not simple scaremongering.
Version
2.0 is indeed a big step towards the right direction on many fronts and is
evidence of the effort and time dedicated by the Office of the Information and
Data Protection Commissioner, which, in conjunction with a dedicated working group
set up by the Commissioner, has looked into this issue for the past months.
This is laudable and highly welcome.
Unfortunately
however, not all that glitters is gold and the draft subsidiary legislation
barely scratches the surface in some aspects, especially in relation to issues
pertaining to research as well as re-identification of personal data used for
such purposes.
LN76/2014 Version 2.0 in a nutshell
The
revised version comes in the form of Regulations contained in an ad-hoc
Subsidiary Legislation to be issued under the Data Protection Act. As opposed
to the initial version, a Legal Notice issued under the Employment and Training
Services Act, version 2.0 has been strongly linked with an enabling act which
makes sense, that is the Data Protection Act.
Immediately
one can note that any ID Card requirement has been removed and there is no
mention of the Minister for Education as being a data controller. Instead, the
draft Subsidiary Legislation distinguishes between Educational Authorities and
Educational Institutions. Whilst Educational Authorities are the Directorates
as established under the Education Act as well as the National Commission for
Further and Higher Education, Educational Institutions refer to the schools or
other institutions which control data regarding to students. This creates the most important and valid
distinction between the categories of data controllers which could process personal
data regarding to students and is indeed the right approach.
The
draft Subsidiary Legislation lays down how processing by Education Authorities
should take place (Regulation 3) as well as processing by Educational
Institutions (Regulation 4). It also provides for the recipients of data
(Regulation 5), the type of consent required for processing (Regulation 6) but
still contains special, and in my opinion, highly controversial, provisions
regarding processing for research and statistics purposes (Regulation 7).
Version
2.0 introduces the concept of pseudo-anonymisation but also contains certain
provisions regarding the re-identification of pseudonymous data following the
carrying out of ‘research’ which can lead to dangerous, highly questionable
processing which might not be in line with applicable EU Directives (namely EU
Directive 95/46/EC), forthcoming EU Regulations (the new EU General Data
Protection Regulation)as well as published opinions of the Article 29 Data
Protection Working Party, especially Opinion 03/2013 on purpose limitation
adopted on the 2nd April 2013.
Scope and
Background
“Government has an obligation to
address deficiencies in the education system resulting in a good number of
students with little or no qualifications and lack of skills or capabilities to
enter the labour market. To address this deficiency, as promised in the
electoral manifesto, the need is felt to enhance our educational system to
include and integrate all students and avoid drop outs and early school leavers
to the detriment of the students themselves and of Maltese society at large.”
The
objective that no student should be left behind is indeed noble and this
statement sets the stage for the purposes behind the revised version of the
highly controversial Legal Notice. In
its statement, the Ministry added that:
“To implement the necessary measures,
the personal data of students have to be processed but this has to be done in
accordance with the Data Protection Act to reach the necessary balance between
the need for processing and the right to protect and safeguard personal data.”
As
already noted, the revised version of the Legal Notice is much improved but
does it strike the right, or even legal, balance between electoral promises to
address certain deficiencies in our educational systems and the fundamental
right to privacy of our children students? Does our Data Protection Act, and in
particular the latest version of the revised Legal Notice, fully transpose the
provisions and the spirit of the applicable Directives and the learned opinion
of the Article 29 Data Protection Working Party? The answer, as will be further
detailed below, is mixed. Is the revised text of the Legal Notice, consciously
or subconsciously, “abuse” of the term ‘public interest’?
Definitions
and Terminology
Sadly,
the draft Subsidiary Legislation is replete with terminology that is not
properly defined. Whilst I would accept that a policy document, or a strategy
document, would include undefined terminology, having a legislative instrument
built upon undefined terms is undesirable and which leads to textual ambiguities,
especially in technical areas such as data privacy.
Terms
such as “targeted policies and/or initiatives” and even “student” itself
remained undefined. Other terms that suffered the same fate include
“reconciliation”, “active participation in employment opportunities”,
“specialised services”, “follow-up action”, “alignment of jobs”, “best interest
of the students” and “re-identification of students”. Such approach could lead
to reducing substantially the integrity and cohesiveness of the legal texts or,
far more dangerously, be prone to wide and potentially abusive interpretations.
A Two-Tier Approach
The
distinction between the roles, duties and responsibilities of Educational
Institutions and Educational Authorities is the star introduction of the
revised Legal Notice. This is in stark contrast with the original version of
the Legal Notice where the Minister of Education and Employment became a new
data controller with unrivalled rights of collection and processing of personal
data relating to students. Clearly making reference to the powers already
available to the Educational Authorities as found under the Education Act is
also positive. But this does not necessarily mean that the powers presently
available at law provide sufficient legal basis for the processing by way of
“research” of student data by such Authorities and whether the revised Legal
Notice should legitimise targeted decisions in relation to data subjects,
irrespective of the honourable cause that lies behind such decisions.
The
revised Legal Notice does provide a certain level of separation between the
role of Educational Institutions and Education Authorities but a clear analysis
of the legal text raises a number of legitimate concerns as to whether such
separation (as further explained below) between these two different data
controllers goes sufficiently far.
The
proposed Regulation 3(1) regarding the processing by Educational Authorities
provides that such authorities “may
process personal data in relation to students and where specifically required
in the best interest of the students, personal data of parents and legal
guardians, may also be processed to carry out their functions as provided under
the Education Act.”
Does
this simply mean that such personal data can be processed to fulfil the functions
as established under the Education Act (which mainly relate to the drafting of
policy and strategies and which would not lead to any personal decisions
affecting the data subject) or merely for the “best interests of the students”?
After all, who will decide what is in the “best interest of the students”? Will
this be a subjective decision by some official within the Education Authorities
themselves? Will it be a politician? Surely, the Education Act, and the powers
available to the Education Authorities established under such Act does not
speak about the “best interests of students”.
Regulation
3 (3) of the revised Legal Notice provides that:
“Where data regarding educational
attainment and ability in relation to the student held by Educational
Institutions is required by the Educational Authorities in order to fulfil
their functions as laid down in the Education Act, identifiable data shall be
substituted by pseudonymous data, provided that any follow-up action is to be
carried out by the educational institutions which transmitted the data as
instructed by the Education Authorities.”
Again,
the text does not provide sufficient clarity. Whilst these new powers are
limited in scope by the Education Authorities’ functions as found in the
Education Act, the draft Regulation 3(3) does not provide explicit and clearly
understandable provision regarding who will be responsible for the substitution
to pseudonymous data.
Will
it be the Education Authorities or the Education Institutions? How will this be
done? What technical parameters will be used? Who will oversee that such data
is substituted in a way that no re-identification will be possible?
It
appears that Regulation 3, especially sub-regulation (6) is introducing a
concept where the Educational Authorities do act as a buffer and are
responsible for the onward transmission of the student personal data to the
Authorities but the text proposed is not sufficiently clear and prone to contrasting
interpretations. The methodology used for the Educational Authorities to
‘decide’ as to whether any specific student requires the “benefit” of
targeted/policies and/or initiatives, is also questionable.
It
is also dubious what is the scope behind Regulation 3(8) which deals with
national initiatives. Whilst the difference between a targeted policy and a
national initiative should be clear, one cannot completely understand why
personal data is required to pursue a national initiative. Does this mean that
under the guise of a “national initiative”, the personal data of all students
over compulsory school age in Malta will be required? Cannot the Educational
Authorities forward any information they receive regarding national initiatives
directly to their students who may then opt to avail of such initiatives
without the need for the Education Authorities to obtain the details of such
students? After all, a national initiative, is, as the name implies, national
and not ‘targeted’.
A Question of Research and Public
Interest
Our
own Data Protection Act provides under Article 8 (b) that “personal data kept for historical, statistical or scientific purposes
shall not be used for any decision concerning a data subject”. The law here
is very clear. Our law further provides in Article 16 (3) that “personal data may be provided to be used
for the purposes” of research and statistics and provided that the
processing is necessary as stipulated in Article 9(e), “unless otherwise provided by applicable rules on secrecy and
confidentiality”.
Article
9(e) of the Data Protection Act provides that personal data may be processed
only if “processing is necessary for the
performance of an activity that is carried out in the public interest or in the
exercise of official authority vested in the controller or in a third party to
whom the data is disclosed”.
The
pertinent question is therefore twofold: (i) can the research/processing
contemplated under the revised Legal Notice fall under Article 9(e) of the Data
Protection Act and (ii) can such research be used as the basis for any decision
concerning a data subject?
In
order to arrive to an answer of these two questions, one has to look at the
transposition of EU Directive 95/46/EC into Maltese law, the new General Data
Protection Regulation and the work of the Article 29 Data Protection Working
Party.
It
seems that the wording used by the Maltese legislator can lead to certain
vagueness of the term “research”. This vagueness is not found in the EU
Directive which makes it clear that research can be of three forms: historical,
statistical and scientific. Are we therefore faced with a situation where the
revised Legal Notice is extending the word “research” beyond the historical,
statistical and scientific realms?
This
discussion gains further relevance when one looks at the text proposed in
Regulation 7 of the revised Legal Notice which states that:
“(1) When processing of personal data
is required for research and statistics
purposes, all identifiable data shall be rendered anonymous, unless in the case of research, the
identification of the data subject is required to fulfil the purposes of such
research.
(2) Within the limits of these
regulations, where, for the purposes of implementing specific targeted
policies, the research being conducted would require the identification details
of students, data controllers shall process such data by replacing personal
identification data with pseudonymous data, and eventually limiting the
re-identification of students only to those cases which specifically fall
within the parameters of the target policy.”
The
proposed Regulation 7 however distinguishes between processing for research
carried out by the Education Authorities and processing for research carried
out by other entities not being Education Authorities. In fact Regulation 7(3)
provides that when other entities are carrying out research, the specific consent
of the data subjects or their legal guardians/parents will be required. Furthermore,
in the case of research carried out on pseudo anonymous data by other entities Regulation
7(4) stipulates that such other entities have to ensure that:
“a) personal data are not processed
for any other purpose that is incompatible with the specific purpose of the
targeted policy and/or initiative, and in particular not for the purpose of
supporting measures or decisions with respect to the student, either specifically related to the targeted
policy and/or initiative or otherwise;
b) data enabling the attribution of
information to an identified or identifiable data subject are kept separately
from the other data;
c) adequate organisational and
technical safeguards are in place to protect the personal data against any
unlawful forms of processing;
d) personal data shall not be retained
for a period which is longer than necessary and all identifiable details shall
be rendered anonymous, deleted, or destroyed, following the completion of the
policy and/or initiative implementation.”
It
is highly questionable why the restrictions laid down in Regulation 7(4) only
apply to other entities and not to the Education Authorities.
Research under EU Directive 95/46/EC
Recital 29 of the Data Protection Directive states that: “Whereas the further processing of personal
data for historical, statistical or scientific purposes is not generally to be
considered incompatible with the purposes for which the data have previously
been collected provided that Member States furnish suitable safeguards; whereas
these safeguards must in particular rule out the use of the data in support of
measures or decisions regarding any particular individual”.
Recital
34 of the Data Protection Directive additionally states that “Whereas Member
States must also be authorized, when justified by grounds of important public
interest, to derogate from the prohibition on processing sensitive categories
of data where important reasons of public interest so justify in areas such as
public health and social protection - especially in order to ensure the quality
and cost-effectiveness of the procedures used for settling claims for benefits
and services in the health insurance system - scientific research and
government statistics; whereas it is incumbent on them, however, to provide
specific and suitable safeguards so as to protect the fundamental rights and
the privacy of individuals”.
It is immediately evident that the present Directive establishes a
higher level of protection with respect to the processing sensitive personal
data justified by important public interest in relation to scientific research
and government statistics. To the effect, rightfully so, the revised Legal
Notice provides that any research involving sensitive personal data must be
pre-approved by the Information and Data Protection Commissioner.
Article 13(2) of the Data Protection Directive adds that: “Subject to adequate legal safeguards, in
particular that the data are not used for taking measures or decisions
regarding any particular individual, Member States may, where there is clearly
no risk of breaching the privacy of the data subject, restrict by a legislative
measure the rights provided for in Article 12 when data are processed solely
for purposes of scientific research or are kept in personal form for a period
which does not exceed the period necessary for the sole purpose of creating
statistics.”
But Article 12 of the Directive only speaks about the right of
access to be provided to the data subject and nothing more. This does not mean
however, as confirmed by this Article, that any processing for scientific
research can lead to measures or decisions regarding particular individuals as
found in Article 8(b) of our own Data Protection Act. Also, will the Education
Authorities actually perform scientific research or just ‘research’ in the
general sense of the word?
Is this not in stark contrast with the provisions contained in
Regulation 3 and 7 of the revised Legal Notice?
Research under the new EU General Data
Protection Regulation
In addition to the provisions already contained in the EU Data
Protection Directive, the legal basis behind processing for the purposes of
research is being further strengthened under the text (as amended by the
European Parliament) of the upcoming new EU General Data Protection Regulation.
Recital 126 of the EU General Data Protection Regulation provides
that:
“Scientific research for
the purposes of this Regulation should include fundamental research, applied
research, and privately funded research and in addition should take into
account the Union's objective under Article 179(1) of the Treaty on the
Functioning of the European Union of achieving a European Research Area. The processing of personal data for historical,
statistical and scientific research purposes should not result in personal data
being processed for other purposes, unless with the consent of the data subject
or on the basis of Union or Member State law.”
Emphasis is being made here on the fact that any
personal decision emanating from the research would require the consent of the
data subject or be taken on the basis of Member State law (as is in the case of
the revised Legal Notice). It is questionable however whether the revised Legal
Notice would be in line with the provision as contained in the new EU Data Protection
General Regulation especially Art. 83.
Article
1(e) of
the EU
General Data Protection Regulation also
provides that personal data shall, amongst others, be “kept
in a form which permits direct or indirect identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal
data may be stored for longer periods insofar as the data will be processed
solely for historical, statistical or scientific research or for archive purposes in
accordance with the rules and conditions of Articles 83 and 83a and if a
periodic review is carried out to assess the necessity to continue the storage, and
if appropriate technical and organizational measures are put in place to limit
access to the data only for these purposes (storage minimisation);”
Article 83 of the EU General Data Protection
Regulation then provides specific rules in relation to the processing for
historical, statistical and scientific research purposes:
“In
accordance with the rules set out in this Regulation, personal data may be
processed for historical, statistical or scientific research purposes only if:
(a) these purposes cannot be otherwise fulfilled by processing
data which does not permit or not any longer permit the identification of the
data subject;
(b) data enabling the attribution of information to an identified
or identifiable data subject is kept separately from the other
information under the highest technical standards, and all necessary
measures are taken to prevent unwarranted re-identification of the data
subjects.”
Since, the proposed Regulation 7 of the revised Legal Notice
explicitly speaks about “re-identification” and “specific targeted policies”,
one seriously questions whether such provision can be considered to be in line
with Art. 83 of the new EU General Data Protection Regulation as well as the prohibition
contained therein to arrive to any personal decision on the data subject in
light of such “research”.
Purpose Limitation, Functional
Separation and the opinion of Article 29 Data Protection Working Party
Opinion
03/2013 on purpose limitation adopted on the 2nd April 2013 by
Article 29 Data Protection Working Party (the “Opinion”) provides a very detailed analysis on the concepts of
purpose limitation, functional separation and their application within
processing for research purposes. Such analysis is of extreme relevance to any
discussion regarding the revised Legal Notice as it expounds on various issues
being raised in the said Legal Notice. Of particular interest is Section III 2.3
of the Opinion specifically dealing with processing from historical,
statistical or scientific purposes.
The
Working Party (Pg.28) states that the present Directive 95/46/EC allows for
further processing for historical, statistical and scientific research as long
as the controller compensates for this change by implementing “appropriate safeguards and in particular by
ensuring that the data will not be used to support measures or decisions
regarding any particular individuals”. The question is therefore whether
the revised Legal Notice, when dealing with research processing contains such
“appropriate safeguards”.
In my opinion, it does not.
Furthermore,
the Revised Legal Notice appears to justify “measures
or decisions regarding any particular individuals” as the main objective
behind the research to be carried out!
Commenting
on Recital 29 of the Data Protection Directive (as referred to above), Article
29 Working Party adds that (Pg 28):
“As noted in recital 29, the purpose
of the safeguards is typically to 'rule out' that the data will be used to support
measures or decisions regarding any particular individual. The term ‘rule out’
suggests that the safeguards should indeed be strong enough to exclude or at
least minimise any risks to the data subjects.”
Here,
Article 29 Working Party makes a reference to the provision contained in
Article 9(3) of the Council of Europe Convention for the Protection of
Individuals with regard to Automatic processing of Personal Data (Convention
108) which also allows further use for statistics or scientific research but
only in cases where “there is obviously no risk of an infringement of the
privacy of the data subjects”.
Unfortunately,
it is my opinion that the present revised version of the Legal Notice does not
go sufficiently far to remove any such risks as referred to in Article 9(3) of Convention
108.
Another
statement by the Article 29 Working Party in the Opinion (pg 28) which has
direct relevance to the mechanics being introduced by means of the revised
Legal Notice is the following:
“In order to ensure appropriate
safeguards, the term 'measures or decisions' should be interpreted in the
broadest sense. First, they should be understood to cover any 'measures or decisions'
irrespective of whether they are taken by the controller or by anyone else.
Second, 'measures or decisions' do not only cover formal decisions and measures
in a formal procedure. In other words: any relevant impact on particular
individuals - either negative or positive - should be avoided.”
Irrespective
of the noble scope of the revised Legal Notice, the text leads to the
conclusion that the very essence of this text is to have an “impact on
particular individuals” – something that Opinion recommends against.
In
this sense the position of the Article 29 Working Party is crystal clear – that
even the positive impact of such measures and decisions taken by Education
Authorities without the full consent of the data subjects, should be avoided.
This
position is further strengthened by other relevant pronouncements by the
Article 29 Working Party where it distinguishes between the initial data
controller (the Educational Institutions) and processing for research carried
out by third parties (such as the Education Authorities):
“it will also be relevant to
distinguish between situations where the further processing will be carried out
by the initial data controller and those where personal data will be
transferred to a third party. In this context, some research projects may require
very precise protocols (rules and procedures) to ensure a strict functional
separation between participants in the research and outside stakeholders. This
may include technical and organisational measures, such as securely key-coding
the personal data transferred and prohibiting outside stakeholders from
re-identifying data subjects (as in the case of clinical trials and
pharmaceutical research) and possible other measures” (Pg 29).
Sadly,
the revised Legal Notice is completely void of any such “precise protocols
(rules and procedures) to ensure a strict functional separation between
participants”. The revised Legal Notice just distinguishes between the
Education Authorities and Educational Institutions but does not provide any
further guidance or procedure as being recommended by the Article 29 Working
Party or ensuring the functional separation between these two bodies.
On
the aspect of functional separation, the opinion states at pg 30:
“When it comes to the safeguards to be
adopted, the notion of functional separation may be of particular relevance.
This means that data used for statistical purposes or other research purposes
should not be available to 'support measures or decisions' that are taken with
regard to the individual data subjects concerned (unless specifically
authorized by the individuals concerned). To comply with this requirement,
controllers need to guarantee the security of the data, and take all other
necessary technical and organisational measures to ensure functional separation.”
In
relation to situations where pseudo-anonymisation is envisaged, the Opinion (Pg
31) provides that:
“Partial anonymisation or partial
de-identification may be the appropriate solution in some situations when
complete anonymisation is not practically feasible. In these cases, various techniques
(including pseudo-anonymisation, key-coding, keyed-hashing, using rotating salts,
removal of direct identifiers and outliers, replacing unique IDs, introduction
of 'noise', and others) should be used to reduce the risk that data subjects
can be re-identified, and subsequently, that any measures or decisions can be
taken in their regard. In addition, there will also often be a need to
complement these techniques with other safeguards in order to adequately
protect the data subjects. These include data minimisation, as well as
appropriate organisational and technical measures, including effective 'data
silo'-ing, to ensure functional separation.”
I
contend that the revised Legal Notice, whilst introducing the concept of
pseudo-anonymisation, fails to provide sufficient clarity as to how this will
work in practice and what safeguards will be put in place by the different
stakeholders.
The
Opinion also states at Pg. 27 that “When
trying to identify technical and organisational measures that qualify as
appropriate safeguards to compensate for
the change of purpose, the focus often lies with the notion of isolation.
Examples of the relevant measures may include, among other things, full or
partial anonymisation, pseudonymisation, or aggregation of the data, privacy
enhancing technologies, as well as other measures to ensure that the data
cannot be used to take decisions or other actions with respect to individuals
('functional separation'). These measures are particularly relevant in the
context of further use for ‘historical, statistical or scientific purposes’”.
Of
particular relevance is however the pronouncement made by the Article 29 Working
Party in relation to data about children. In light of the fact that most
student data as contemplated in the revised Legal Notice will inevitably relate
to children, one seriously has to question why the requirement of consent is
not present when it comes to targeted decisions (possibly based on ‘research’)
taken by Education Authorities.
In
fact the Opinion clearly states that (pg32) :
“further processing of personal data
concerning health, data about children, other vulnerable individuals, or other highly
sensitive information should, in principle, be permitted only with the consent
of the data subject”.
Conclusion
As
further highlighted in the new General Data Protection Regulation, consent is
king. Unfortunately, certain aspects of processing by Education Authorities as
included in the revised Legal Notice still do not require the consent of data
subjects, especially when specific targeted decisions might be taken against
such individuals. This has also be considered in the light of the position taken
by Article 29 Working Party which opined that data about children should only
be permitted with the consent of the data subject.
The
text needs to further cater to strengthen the principle of functional
separation in light of the concept of purpose limitation. The role of the
Education Institutions as ‘buffers’ has to be increased. This can be done by
ensuring that the Education Authorities would never and can never arrive to the
identification or re-identification of data subjects and if any specific further
targeted initiatives should be ‘offered’ to certain students, Education Authorities
could, on the basis of the pseudonymous data processed, simply inform the
Education Institution that they have to forward such offers to the students who
would be free to opt in for such targeted schemes and consent to such processing
but never in a way that the Education Authorities would be able to identify the
students which are being approached by the Educational Institution.
Furthermore,
a serious revision of the proposed ways in which research is carried out has to
be undertaken in order to ensure there is no way in which any form of research
undertaken by Education Authorities, irrespective as to whether such research
is justified under the Education Act or otherwise, can lead, following
re-identification to any specific decision affecting the data subject without
his/her prior consent.
The
various questions that the revised Legal Notice is raising in relation to
personal decisions taken following research, have to be looked into not only in
light of our own Data Protection Act but also the principles enshrined under EU
law.
The
revised Legal Notice does indeed point towards the right direction but the
uncertainties and ambiguities that the present text contains have to be
addressed in order to ensure that the fundamental right to privacy of students,
our children, is truly safeguarded.