Monday, September 1, 2014

Processing of Children/Student Data and the proposed revised Legal Notice – An open submission as part of the official consultation process


Introduction

The publication for public consultation of the revised version of what is now being generally referred to as LN76/2014 has essentially proved that the initial version of the said Legal Notice was far from perfect and that the reservations raised some months back were not simple scaremongering.

For my analysis of the original Legal Notice 76/2014 please read my opinion piece found at http://ictlawmalta.blogspot.com/2014/04/processing-of-childrenstudent-data-and.html.

Version 2.0 is indeed a big step towards the right direction on many fronts and is evidence of the effort and time dedicated by the Office of the Information and Data Protection Commissioner, which, in conjunction with a dedicated working group set up by the Commissioner, has looked into this issue for the past months. This is laudable and highly welcome.

Unfortunately however, not all that glitters is gold and the draft subsidiary legislation barely scratches the surface in some aspects, especially in relation to issues pertaining to research as well as re-identification of personal data used for such purposes.

LN76/2014 Version 2.0 in a nutshell

The revised version comes in the form of Regulations contained in an ad-hoc Subsidiary Legislation to be issued under the Data Protection Act. Whereas the initial version was a Legal Notice issued under the Employment and Training Services Act, version 2.0 has been firmly tied to the enabling act that makes sense for it, namely the Data Protection Act.

Immediately one can note that any ID Card requirement has been removed and there is no mention of the Minister for Education as being a data controller. Instead, the draft Subsidiary Legislation distinguishes between Educational Authorities and Educational Institutions. Whilst Educational Authorities are the Directorates as established under the Education Act as well as the National Commission for Further and Higher Education, Educational Institutions refer to the schools or other institutions which control data regarding students. This creates the most important and valid distinction between the categories of data controllers which could process personal data regarding students and is indeed the right approach.

The draft Subsidiary Legislation lays down how processing by Education Authorities should take place (Regulation 3) as well as processing by Educational Institutions (Regulation 4). It also provides for the recipients of data (Regulation 5), the type of consent required for processing (Regulation 6) but still contains special, and in my opinion, highly controversial, provisions regarding processing for research and statistics purposes (Regulation 7).

Version 2.0 introduces the concept of pseudo-anonymisation but also contains certain provisions regarding the re-identification of pseudonymous data following the carrying out of ‘research’ which can lead to dangerous, highly questionable processing which might not be in line with applicable EU Directives (namely EU Directive 95/46/EC), forthcoming EU Regulations (the new EU General Data Protection Regulation) as well as published opinions of the Article 29 Data Protection Working Party, especially Opinion 03/2013 on purpose limitation adopted on the 2nd April 2013.

Scope and Background

On the 24th August, in its introduction to the launch of the public consultation regarding the revised Legal Notice regarding the Processing of Personal Data within the Education Sector (http://msdc.gov.mt/en/Public_Consultations/MEDE/Pages/Consultations/ProcessingOfPersonalDataEducationSector.aspx), the Ministry for Social Dialogue, Consumer Affairs and Civil Liberties stated that:

“Government has an obligation to address deficiencies in the education system resulting in a good number of students with little or no qualifications and lack of skills or capabilities to enter the labour market. To address this deficiency, as promised in the electoral manifesto, the need is felt to enhance our educational system to include and integrate all students and avoid drop outs and early school leavers to the detriment of the students themselves and of Maltese society at large.”

The objective that no student should be left behind is indeed noble and this statement sets the stage for the purposes behind the revised version of the highly controversial Legal Notice. In its statement, the Ministry added that:

“To implement the necessary measures, the personal data of students have to be processed but this has to be done in accordance with the Data Protection Act to reach the necessary balance between the need for processing and the right to protect and safeguard personal data.” 

As already noted, the revised version of the Legal Notice is much improved, but does it strike the right, or even legal, balance between electoral promises to address certain deficiencies in our educational systems and the fundamental right to privacy of our children and students? Does our Data Protection Act, and in particular the latest version of the revised Legal Notice, fully transpose the provisions and the spirit of the applicable Directives and the learned opinion of the Article 29 Data Protection Working Party? The answer, as will be further detailed below, is mixed. Is the revised text of the Legal Notice, consciously or subconsciously, an “abuse” of the term ‘public interest’?

Definitions and Terminology

Sadly, the draft Subsidiary Legislation is replete with terminology that is not properly defined. Whilst I would accept that a policy document, or a strategy document, would include undefined terminology, having a legislative instrument built upon undefined terms is undesirable and leads to textual ambiguities, especially in technical areas such as data privacy.

Terms such as “targeted policies and/or initiatives” and even “student” itself remain undefined. Other terms that suffer the same fate include “reconciliation”, “active participation in employment opportunities”, “specialised services”, “follow-up action”, “alignment of jobs”, “best interest of the students” and “re-identification of students”. Such an approach could substantially reduce the integrity and cohesiveness of the legal text or, far more dangerously, leave it prone to wide and potentially abusive interpretations.

A Two-Tier Approach

The distinction between the roles, duties and responsibilities of Educational Institutions and Educational Authorities is the star introduction of the revised Legal Notice. This is in stark contrast with the original version of the Legal Notice where the Minister of Education and Employment became a new data controller with unrivalled rights of collection and processing of personal data relating to students. Clearly making reference to the powers already available to the Educational Authorities as found under the Education Act is also positive. But this does not necessarily mean that the powers presently available at law provide sufficient legal basis for the processing by way of “research” of student data by such Authorities and whether the revised Legal Notice should legitimise targeted decisions in relation to data subjects, irrespective of the honourable cause that lies behind such decisions.

The revised Legal Notice does provide a certain level of separation between the role of Educational Institutions and Education Authorities but a clear analysis of the legal text raises a number of legitimate concerns as to whether such separation (as further explained below) between these two different data controllers goes sufficiently far.

The proposed Regulation 3(1) regarding the processing by Educational Authorities provides that such authorities “may process personal data in relation to students and where specifically required in the best interest of the students, personal data of parents and legal guardians, may also be processed to carry out their functions as provided under the Education Act.”

Does this simply mean that such personal data can be processed to fulfil the functions as established under the Education Act (which mainly relate to the drafting of policy and strategies and which would not lead to any personal decisions affecting the data subject) or merely for the “best interests of the students”? After all, who will decide what is in the “best interest of the students”? Will this be a subjective decision by some official within the Education Authorities themselves? Will it be a politician? Surely, the Education Act, and the powers available to the Education Authorities established under such Act does not speak about the “best interests of students”.

Regulation 3 (3) of the revised Legal Notice provides that:

“Where data regarding educational attainment and ability in relation to the student held by Educational Institutions is required by the Educational Authorities in order to fulfil their functions as laid down in the Education Act, identifiable data shall be substituted by pseudonymous data, provided that any follow-up action is to be carried out by the educational institutions which transmitted the data as instructed by the Education Authorities.”

Again, the text does not provide sufficient clarity. Whilst these new powers are limited in scope by the Education Authorities’ functions as found in the Education Act, the draft Regulation 3(3) does not provide an explicit and clearly understandable provision regarding who will be responsible for the substitution to pseudonymous data.

Will it be the Education Authorities or the Education Institutions? How will this be done? What technical parameters will be used? Who will oversee that such data is substituted in a way that no re-identification will be possible?

It appears that Regulation 3, especially sub-regulation (6), is introducing a concept where the Educational Authorities do act as a buffer and are responsible for the onward transmission of the student personal data to the Authorities, but the text proposed is not sufficiently clear and is prone to contrasting interpretations. The methodology to be used by the Educational Authorities to ‘decide’ whether any specific student requires the “benefit” of targeted policies and/or initiatives is also questionable.

The scope of Regulation 3(8), which deals with national initiatives, is also unclear. Whilst the difference between a targeted policy and a national initiative should be clear, one cannot completely understand why personal data is required to pursue a national initiative. Does this mean that under the guise of a “national initiative”, the personal data of all students over compulsory school age in Malta will be required? Cannot the Educational Authorities forward any information they receive regarding national initiatives directly to their students, who may then opt to avail themselves of such initiatives, without the need for the Education Authorities to obtain the details of such students? After all, a national initiative is, as the name implies, national and not ‘targeted’.

A Question of Research and Public Interest

Our own Data Protection Act provides under Article 8 (b) that “personal data kept for historical, statistical or scientific purposes shall not be used for any decision concerning a data subject”. The law here is very clear. Our law further provides in Article 16 (3) that “personal data may be provided to be used for the purposes” of research and statistics and provided that the processing is necessary as stipulated in Article 9(e), “unless otherwise provided by applicable rules on secrecy and confidentiality”.

Article 9(e) of the Data Protection Act provides that personal data may be processed only if “processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed”.

The pertinent question is therefore twofold: (i) can the research/processing contemplated under the revised Legal Notice fall under Article 9(e) of the Data Protection Act and (ii) can such research be used as the basis for any decision concerning a data subject?

In order to arrive at an answer to these two questions, one has to look at the transposition of EU Directive 95/46/EC into Maltese law, the new General Data Protection Regulation and the work of the Article 29 Data Protection Working Party.

It seems that the wording used by the Maltese legislator can lead to certain vagueness of the term “research”. This vagueness is not found in the EU Directive which makes it clear that research can be of three forms: historical, statistical and scientific. Are we therefore faced with a situation where the revised Legal Notice is extending the word “research” beyond the historical, statistical and scientific realms?

This discussion gains further relevance when one looks at the text proposed in Regulation 7 of the revised Legal Notice which states that:

“(1) When processing of personal data is required for research and statistics purposes, all identifiable data shall be rendered anonymous, unless in the case of research, the identification of the data subject is required to fulfil the purposes of such research.

(2) Within the limits of these regulations, where, for the purposes of implementing specific targeted policies, the research being conducted would require the identification details of students, data controllers shall process such data by replacing personal identification data with pseudonymous data, and eventually limiting the re-identification of students only to those cases which specifically fall within the parameters of the target policy.”

The proposed Regulation 7 however distinguishes between processing for research carried out by the Education Authorities and processing for research carried out by other entities not being Education Authorities. In fact Regulation 7(3) provides that when other entities are carrying out research, the specific consent of the data subjects or their legal guardians/parents will be required. Furthermore, in the case of research carried out on pseudo-anonymous data by other entities, Regulation 7(4) stipulates that such other entities have to ensure that:

“a) personal data are not processed for any other purpose that is incompatible with the specific purpose of the targeted policy and/or initiative, and in particular not for the purpose of supporting measures or decisions with respect to the student, either specifically related to the targeted policy and/or initiative or otherwise;
b) data enabling the attribution of information to an identified or identifiable data subject are kept separately from the other data;
c) adequate organisational and technical safeguards are in place to protect the personal data against any unlawful forms of processing;
d) personal data shall not be retained for a period which is longer than necessary and all identifiable details shall be rendered anonymous, deleted, or destroyed, following the completion of the policy and/or initiative implementation.”

It is highly questionable why the restrictions laid down in Regulation 7(4) only apply to other entities and not to the Education Authorities.

Research under EU Directive 95/46/EC

Recital 29 of the Data Protection Directive states that: “Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual”.

Recital 34 of the Data Protection Directive additionally states that “Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals”.

It is immediately evident that the present Directive establishes a higher level of protection with respect to the processing of sensitive personal data justified by important public interest in relation to scientific research and government statistics. To this effect, and rightly so, the revised Legal Notice provides that any research involving sensitive personal data must be pre-approved by the Information and Data Protection Commissioner.

Article 13(2) of the Data Protection Directive adds that: “Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.”

But Article 12 of the Directive only speaks about the right of access to be provided to the data subject and nothing more. This does not mean however, as confirmed by this Article, that any processing for scientific research can lead to measures or decisions regarding particular individuals as found in Article 8(b) of our own Data Protection Act. Also, will the Education Authorities actually perform scientific research or just ‘research’ in the general sense of the word?

Is this not in stark contrast with the provisions contained in Regulation 3 and 7 of the revised Legal Notice?

Research under the new EU General Data Protection Regulation

In addition to the provisions already contained in the EU Data Protection Directive, the legal basis behind processing for the purposes of research is being further strengthened under the text (as amended by the European Parliament) of the upcoming new EU General Data Protection Regulation.

Recital 126 of the EU General Data Protection Regulation provides that:

“Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. The processing of personal data for historical, statistical and scientific research purposes should not result in personal data being processed for other purposes, unless with the consent of the data subject or on the basis of Union or Member State law.”

Emphasis is being made here on the fact that any personal decision emanating from the research would require the consent of the data subject or be taken on the basis of Member State law (as is the case with the revised Legal Notice). It is questionable however whether the revised Legal Notice would be in line with the provisions contained in the new EU General Data Protection Regulation, especially Art. 83.

Article 1(e) of the EU General Data Protection Regulation also provides that personal data shall, amongst others, be “kept in a form which permits direct or indirect identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research or for archive purposes in accordance with the rules and conditions of Articles 83 and 83a and if a periodic review is carried out to assess the necessity to continue the storage, and if appropriate technical and organizational measures are put in place to limit access to the data only for these purposes (storage minimisation);”

Article 83 of the EU General Data Protection Regulation then provides specific rules in relation to the processing for historical, statistical and scientific research purposes:

“In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.”

Since the proposed Regulation 7 of the revised Legal Notice explicitly speaks about “re-identification” and “specific targeted policies”, one seriously questions whether such provision can be considered to be in line with Art. 83 of the new EU General Data Protection Regulation as well as the prohibition contained therein against arriving at any personal decision on the data subject in light of such “research”.

Purpose Limitation, Functional Separation and the opinion of Article 29 Data Protection Working Party

Opinion 03/2013 on purpose limitation adopted on the 2nd April 2013 by the Article 29 Data Protection Working Party (the “Opinion”) provides a very detailed analysis of the concepts of purpose limitation, functional separation and their application within processing for research purposes. Such analysis is of extreme relevance to any discussion regarding the revised Legal Notice as it expounds on various issues being raised in the said Legal Notice. Of particular interest is Section III 2.3 of the Opinion specifically dealing with processing for historical, statistical or scientific purposes.

The Working Party (Pg. 28) states that the present Directive 95/46/EC allows for further processing for historical, statistical and scientific research as long as the controller compensates for this change by implementing “appropriate safeguards and in particular by ensuring that the data will not be used to support measures or decisions regarding any particular individuals”. The question is therefore whether the revised Legal Notice, when dealing with research processing, contains such “appropriate safeguards”.

In my opinion, it does not.

Furthermore, the Revised Legal Notice appears to justify “measures or decisions regarding any particular individuals” as the main objective behind the research to be carried out!

Commenting on Recital 29 of the Data Protection Directive (as referred to above), the Article 29 Working Party adds that (Pg. 28):

“As noted in recital 29, the purpose of the safeguards is typically to 'rule out' that the data will be used to support measures or decisions regarding any particular individual. The term ‘rule out’ suggests that the safeguards should indeed be strong enough to exclude or at least minimise any risks to the data subjects.”

Here, the Article 29 Working Party makes a reference to the provision contained in Article 9(3) of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) which also allows further use for statistics or scientific research but only in cases where “there is obviously no risk of an infringement of the privacy of the data subjects”.

Unfortunately, it is my opinion that the present revised version of the Legal Notice does not go sufficiently far to remove any such risks as referred to in Article 9(3) of Convention 108.

Another statement by the Article 29 Working Party in the Opinion (Pg. 28) which has direct relevance to the mechanics being introduced by means of the revised Legal Notice is the following:

“In order to ensure appropriate safeguards, the term 'measures or decisions' should be interpreted in the broadest sense. First, they should be understood to cover any 'measures or decisions' irrespective of whether they are taken by the controller or by anyone else. Second, 'measures or decisions' do not only cover formal decisions and measures in a formal procedure. In other words: any relevant impact on particular individuals - either negative or positive - should be avoided.”

Irrespective of the noble scope of the revised Legal Notice, the text leads to the conclusion that the very essence of this text is to have an “impact on particular individuals” – something that the Opinion recommends against.

In this sense the position of the Article 29 Working Party is crystal clear: even the positive impact of such measures and decisions taken by Education Authorities without the full consent of the data subjects should be avoided.

This position is further strengthened by other relevant pronouncements by the Article 29 Working Party where it distinguishes between the initial data controller (the Educational Institutions) and processing for research carried out by third parties (such as the Education Authorities):

“it will also be relevant to distinguish between situations where the further processing will be carried out by the initial data controller and those where personal data will be transferred to a third party. In this context, some research projects may require very precise protocols (rules and procedures) to ensure a strict functional separation between participants in the research and outside stakeholders. This may include technical and organisational measures, such as securely key-coding the personal data transferred and prohibiting outside stakeholders from re-identifying data subjects (as in the case of clinical trials and pharmaceutical research) and possible other measures” (Pg 29).

Sadly, the revised Legal Notice is completely void of any such “precise protocols (rules and procedures) to ensure a strict functional separation between participants”. The revised Legal Notice merely distinguishes between the Education Authorities and Educational Institutions but does not provide any further guidance or procedure, as recommended by the Article 29 Working Party, for ensuring the functional separation between these two bodies.

On the aspect of functional separation, the Opinion states at Pg. 30:

“When it comes to the safeguards to be adopted, the notion of functional separation may be of particular relevance. This means that data used for statistical purposes or other research purposes should not be available to 'support measures or decisions' that are taken with regard to the individual data subjects concerned (unless specifically authorized by the individuals concerned). To comply with this requirement, controllers need to guarantee the security of the data, and take all other necessary technical and organisational measures to ensure functional separation.”

In relation to situations where pseudo-anonymisation is envisaged, the Opinion (Pg. 31) provides that:

“Partial anonymisation or partial de-identification may be the appropriate solution in some situations when complete anonymisation is not practically feasible. In these cases, various techniques (including pseudo-anonymisation, key-coding, keyed-hashing, using rotating salts, removal of direct identifiers and outliers, replacing unique IDs, introduction of 'noise', and others) should be used to reduce the risk that data subjects can be re-identified, and subsequently, that any measures or decisions can be taken in their regard. In addition, there will also often be a need to complement these techniques with other safeguards in order to adequately protect the data subjects. These include data minimisation, as well as appropriate organisational and technical measures, including effective 'data silo'-ing, to ensure functional separation.”

I contend that the revised Legal Notice, whilst introducing the concept of pseudo-anonymisation, fails to provide sufficient clarity as to how this will work in practice and what safeguards will be put in place by the different stakeholders.

The Opinion also states at Pg. 27 that “When trying to identify technical and organisational measures that qualify as appropriate safeguards to compensate for the change of purpose, the focus often lies with the notion of isolation. Examples of the relevant measures may include, among other things, full or partial anonymisation, pseudonymisation, or aggregation of the data, privacy enhancing technologies, as well as other measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals ('functional separation'). These measures are particularly relevant in the context of further use for ‘historical, statistical or scientific purposes’”.

Of particular relevance is however the pronouncement made by the Article 29 Working Party in relation to data about children. In light of the fact that most student data as contemplated in the revised Legal Notice will inevitably relate to children, one seriously has to question why the requirement of consent is not present when it comes to targeted decisions (possibly based on ‘research’) taken by Education Authorities.

In fact the Opinion clearly states that (Pg. 32):

“further processing of personal data concerning health, data about children, other vulnerable individuals, or other highly sensitive information should, in principle, be permitted only with the consent of the data subject”.

Conclusion

As further highlighted in the new General Data Protection Regulation, consent is king. Unfortunately, certain aspects of processing by Education Authorities as included in the revised Legal Notice still do not require the consent of data subjects, especially when specific targeted decisions might be taken against such individuals. This must also be considered in the light of the position taken by the Article 29 Working Party, which opined that the further processing of data about children should, in principle, be permitted only with the consent of the data subject.

The text needs to be strengthened further on the principle of functional separation in light of the concept of purpose limitation. The role of the Education Institutions as ‘buffers’ has to be increased. This can be done by ensuring that the Education Authorities would never and can never arrive at the identification or re-identification of data subjects. If any specific further targeted initiatives should be ‘offered’ to certain students, the Education Authorities could, on the basis of the pseudonymous data processed, simply inform the Education Institution that it has to forward such offers to the students, who would be free to opt in to such targeted schemes and consent to such processing, but never in a way that the Education Authorities would be able to identify the students being approached by the Educational Institution.
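The safeguards the Opinion lists (key-coding, keyed-hashing, rotating keys, keeping the re-identification table apart, “data silo”-ing) and the ‘buffer’ arrangement proposed in the conclusion can be made concrete in code. The following is an added illustration, not part of this submission nor of any text issued by the Commissioner or the Ministry: an Educational Institution keeps the roster and the key-coding secret, releases only pseudonym-plus-attainment records, and an Educational Authority with neither roster nor key computes statistics, selects pseudonyms meeting a policy parameter and hands that list back for the Institution to resolve and for the students to opt in. Names, roll numbers, scores and the threshold are constructed for the example.

```python
"""Functional separation for pseudonymised student data (constructed example).

The Institution (initial controller) holds identities and the key; the
Authority only ever sees pseudonyms and attainment, and re-identification
stays with the Institution, which forwards the offer and collects consent.
"""
import hashlib
import hmac
import secrets
import statistics
from dataclasses import dataclass


@dataclass
class Student:
    student_id: str   # constructed roll number
    name: str
    attainment: int   # constructed attainment score, 0-100


class EducationalInstitution:
    """Initial controller: keeps identities and the pseudonymisation key."""

    def __init__(self, roster):
        self._roster = {s.student_id: s for s in roster}
        self._key = secrets.token_bytes(32)   # never shared with the Authority
        self._lookup = {}                      # pseudonym -> student_id, kept apart

    def rotate_key(self):
        """A fresh key per release means pseudonyms from two releases cannot be linked."""
        self._key = secrets.token_bytes(32)
        self._lookup = {}

    def _pseudonym(self, student_id):
        # Keyed hashing (HMAC-SHA256): a plain SHA-256 of a short roll number could be
        # recomputed by anyone able to enumerate roll numbers; an HMAC cannot without the key.
        return hmac.new(self._key, student_id.encode(), hashlib.sha256).hexdigest()[:16]

    def release_for_research(self):
        """Data handed to the Authority: pseudonym and attainment only."""
        release = []
        for s in self._roster.values():
            p = self._pseudonym(s.student_id)
            self._lookup[p] = s.student_id
            release.append({"pseudonym": p, "attainment": s.attainment})
        return release

    def forward_offer(self, pseudonyms):
        """Resolve pseudonyms locally; return the names to be invited to opt in."""
        return [self._roster[self._lookup[p]].name for p in pseudonyms if p in self._lookup]


class EducationalAuthority:
    """Receives pseudonymous data; holds neither roster nor key."""

    def __init__(self):
        self.received = []

    def ingest(self, release):
        # Refuse any record that carries fields beyond the agreed pseudonymous schema.
        for r in release:
            if set(r) != {"pseudonym", "attainment"}:
                raise ValueError("release must contain pseudonym and attainment only")
        self.received = list(release)

    def aggregate_statistics(self):
        scores = [r["attainment"] for r in self.received]
        return {"n": len(scores), "mean": statistics.mean(scores)}

    def select_for_policy(self, threshold):
        """Pseudonyms whose attainment falls below a constructed policy parameter."""
        return [r["pseudonym"] for r in self.received if r["attainment"] < threshold]


def run_exchange(threshold=60):
    """One release, selection and opt-in round; returns what each side saw."""
    roster = [Student("S001", "Alice", 82), Student("S002", "Ben", 47),
              Student("S003", "Carla", 55), Student("S004", "Dan", 91)]
    institution = EducationalInstitution(roster)
    authority = EducationalAuthority()

    first = institution.release_for_research()
    authority.ingest(first)
    selected = authority.select_for_policy(threshold)
    invited = sorted(institution.forward_offer(selected))   # Institution, not Authority, knows who

    # A later round after key rotation: same students, unlinkable pseudonyms.
    institution.rotate_key()
    second = institution.release_for_research()
    linkable = {r["pseudonym"] for r in first} & {r["pseudonym"] for r in second}

    return {
        "authority_fields": sorted(first[0].keys()),
        "stats": authority.aggregate_statistics(),
        "selected_count": len(selected),
        "invited": invited,
        "linkable_across_rounds": len(linkable),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The point of the design is where the key and the lookup table live: both stay inside the Institution, so the Authority can publish statistics and name a policy parameter but can never turn a pseudonym back into a child, and the students themselves decide whether to take up the offer.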

Furthermore, a serious revision of the proposed ways in which research is carried out has to be undertaken in order to ensure there is no way in which any form of research undertaken by Education Authorities, irrespective of whether such research is justified under the Education Act or otherwise, can lead, following re-identification, to any specific decision affecting the data subject without his/her prior consent.

The various questions that the revised Legal Notice raises in relation to personal decisions taken following research have to be looked into not only in light of our own Data Protection Act but also of the principles enshrined under EU law.

The revised Legal Notice does indeed point towards the right direction but the uncertainties and ambiguities that the present text contains have to be addressed in order to ensure that the fundamental right to privacy of students, our children, is truly safeguarded.
