Original reservations on LN76 were not simple scaremongering – Antonio Ghio

Malta Independent Tuesday, 2 September 2014, 09:15

The publication for public consultation of the revised version of what is now being generally referred to as Legal Notice 76/2014 (Processing of personal data in the education sector) has essentially proved that the initial version of the said Legal Notice was far from perfect and that the reservations raised some months back were not simple scaremongering, Dr Antonio Ghio said, speaking with The Malta Independent.

PN MP Joe Cassar said that a meeting has been set between the Nationalist Party and the Data Commissioner sometime today.

“Version 2.0 is indeed a big step towards the right direction on many fronts and is evidence of the effort and time dedicated by the Office of the Information and Data Protection Commissioner, which, in conjunction with a dedicated working group set up by the Commissioner, has looked into this issue for the past months. This is laudable and highly welcome,” Dr Ghio argued.

Dr Ghio believes that the draft subsidiary legislation barely scratches the surface in some aspects, especially in relation to issues pertaining to research as well as re-identification of personal data used for such purposes.

In a nutshell

The revised version comes in the form of regulations contained in an ad-hoc Subsidiary Legislation to be issued under the Data Protection Act. As opposed to the initial version, a Legal Notice issued under the Employment and Training Services Act, version 2.0 has been strongly linked with the Data Protection Act.

Dr Antonio Ghio explained: “Immediately one can note that any ID card requirement has been removed and there is no mention of the Minister for Education as being a data controller. Instead, the draft Subsidiary Legislation distinguishes between Educational Authorities and Educational Institutions. Whilst Educational Authorities are the Directorates as established under the Education Act as well as the National Commission for Further and Higher Education, Educational Institutions refer to the schools or other institutions which control data regarding students. This creates the most important and valid distinction between the categories of data controllers which could process personal data regarding students and is indeed the right approach”.

“The draft Subsidiary Legislation lays down how processing by education authorities and educational institutions should take place. It also provides for the recipients of data, the type of consent required for processing but still contains special, and in my opinion, highly controversial, provisions regarding processing for research and statistics purposes,” he said.

Version 2.0 introduces the concept of pseudo-anonymisation (written under a false name) but also contains certain provisions regarding the re-identification of pseudonymous data following the carrying out of ‘research’ which can lead to dangerous, highly questionable processing which might not be in line with certain applicable EU regulations.

Scope and Background

Dr Ghio explained that on 24 August, in its introduction to the launch of the public consultation regarding the revised Legal Notice regarding the Processing of Personal Data within the Education Sector, the Ministry for Social Dialogue, Consumer Affairs and Civil Liberties stated:

“To implement the necessary measures, the personal data of students have to be processed but this has to be done in accordance with the Data Protection Act to reach the necessary balance between the need for processing and the right to protect and safeguard personal data.” 

Dr Ghio puts forward a rather intriguing question. “Is the revised text of the Legal Notice, consciously or subconsciously, an ‘abuse’ of the term ‘public interest’?”

The draft Subsidiary Legislation is replete with terminology that is not properly defined, Dr Ghio explained. “Terms such as ‘targeted policies and/or initiatives’ and even ‘student’ itself remained undefined. Other terms also suffered the same fate. Such approach could lead to reducing the integrity and cohesiveness of the legal texts or, far more dangerously, be prone to wide and potentially abusive interpretations”.

A Two-Tier Approach

The revised Legal Notice does provide a certain level of separation between the role of Educational Institutions and Education Authorities but a clear analysis of the legal text raises a number of legitimate concerns as to whether such separation between these two different data controllers goes sufficiently far, Dr Ghio stated.

The proposed Regulation regarding the processing by Educational Authorities provides that such authorities “may process personal data in relation to students and where specifically required in the best interest of the students, personal data of parents and legal guardians, may also be processed to carry out their functions as provided under the Education Act.”

“Does this simply mean that such personal data can be processed to fulfil the functions as established under the Education Act or merely for the ‘best interests of the students’? After all, who will decide what is in the ‘best interest of the students’?” he asked.

A Question of Research and Public Interest

The Data Protection Act provides that “personal data kept for historical, statistical or scientific purposes shall not be used for any decision concerning a data subject”. Our law further provides that “personal data may be provided to be used for the purposes” of research and statistics and provided that the processing is necessary as stipulated “unless otherwise provided by applicable rules on secrecy and confidentiality”.

The Data Protection Act adds that personal data may be processed only if “processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed,” Dr Ghio explained.

“Can the research/processing contemplated under the revised Legal Notice fall under the Data Protection Act and can such research be used as the basis for any decision concerning a data subject?” Dr Ghio asked.

This discussion gains further relevance when one looks at the text proposed in Regulation 7 of the revised Legal Notice which states that when “processing of personal data is required for research and statistics purposes, all identifiable data shall be rendered anonymous, unless in the case of research, the identification of the data subject is required to fulfil the purposes of such research. Within the limits of these regulations, where, for the purposes of implementing specific targeted policies, the research being conducted would require the identification details of students, data controllers shall process such data by replacing personal identification data with pseudonymous data, and eventually limiting the re-identification of students only to those cases which specifically fall within the parameters of the target policy.”

Dr Ghio argued that the proposed Regulation 7 however distinguishes between processing for research carried out by the Education Authorities and processing for research carried out by other entities not being Education Authorities. “In fact Regulation 7 provides that when other entities are carrying out research, the specific consent of the data subjects or their legal guardians/parents will be required”.

It is highly questionable why the restrictions laid down in Regulation 7 only apply to other entities and not to the Education Authorities, Dr Ghio said.

Research under the new EU General Data Protection Regulation

Dr Ghio explained that the EU General Data Protection Regulation provides that “The processing of personal data for historical, statistical and scientific research purposes should not result in personal data being processed for other purposes, unless with the consent of the data subject or on the basis of Union or Member State law.”

Emphasis is being made here on the fact that any personal decision emanating from the research would require the consent of the data subject or be taken on the basis of Member State law (as is in the case of the revised Legal Notice). “It is questionable however whether the revised Legal Notice would be in line with the provision as contained in the new EU Data Protection General Regulation,” Dr Ghio added.

Purpose Limitation, Functional Separation and the opinion of Article 29 Data Protection Working Party

“Opinion 03/2013 on purpose limitation adopted on the 2 April 2013 by the Data Protection Working Party (the “Opinion”) provides a very detailed analysis on the concepts of purpose limitation, functional separation and their application within processing for research purposes. Such analysis is of extreme relevance to any discussion regarding the revised Legal Notice as it expounds on various issues being raised in the said Legal Notice,” Dr Ghio argued.

“The Working Party states that the present Data Protection Directive allows for further processing for historical, statistical and scientific research as long as the controller compensates for this change by implementing “appropriate safeguards and in particular by ensuring that the data will not be used to support measures or decisions regarding any particular individuals”. The question is whether the revised Legal Notice, when dealing with research processing contains such “appropriate safeguards”. In my opinion, it does not,” Dr Ghio said.

Dr Ghio’s conclusion

“As further highlighted in the new General Data Protection Regulation, consent is king. Unfortunately, certain aspects of processing by Education Authorities as included in the revised Legal Notice still do not require the consent of data subjects, especially when specific targeted decisions might be taken against such individuals,” Dr Ghio added.

Dr Ghio believes that the role of the Education Institutions as ‘buffers’ has to be increased. This can be done by ensuring that the Education Authorities would never and can never arrive at the identification or re-identification of data subjects. If any specific further targeted initiatives should be ‘offered’ to certain students, Education Authorities could, on the basis of the pseudonymous data processed, simply inform the Education Institution that they have to forward such offers to the students, who would be free to opt in for such targeted schemes.

http://ictlawmalta.blogspot.com/
