
Category: Data Protection

NOYB to end website cookie banner terror


Is your web site and marketing GDPR and PECR compliant?

The Austrian based organisation NOYB – European Center for Digital Rights has commenced its campaign to rid web sites of unlawful cookie banners.

The GDPR and PECR were meant to give users full control over their data and ensure that company/organisational marketing was only received by those who actually request it.

NOYB's current focus is on web sites that make it difficult to reject non-essential cookies, but Concrew Training also notes that many web sites don't even give you the choice to opt out.

In short, these companies and organisations are likely to be in breach of the GDPR and PECR and risk fines of up to 4% of global turnover or €20 million.

With NOYB moving to report some 10,000 companies a year, no business or organisation can afford for its sales and marketing teams to ignore the GDPR and PECR.

Concrew Training's short courses on GDPR and PECR raise participants' awareness of the legislation and rules relating to data protection and ePrivacy. Our full-day face-to-face and 3-module online courses provide in-depth knowledge and understanding.


Data Protection post BREXIT


With #coronavirus restrictions lifting and business starting to return to normal, many people are now asking how data protection, GDPR and PECR work now that the UK has left the EU.

Our short, 1-module online course clarifies how #GDPR and #PECR work in the #UK post #BREXIT.

The course is designed as update training for data protection managers whose businesses and organisations are based in, or work with, the UK.

Content includes:

  • Brief overview of GDPR
  • The changes that the UK GDPR and DPA 2018 have brought about.
  • How to transfer data between the EU and UK following Brexit.
  • When you need to appoint a lead supervisory authority and how to identify which supervisory authority is your lead.
  • How to transfer data in and out of the UK after Brexit.
  • Steps you can take now: improving your policies and procedures.

Find out more about our online training courses here.

Note: This post-Brexit update course is designed for those with a good understanding of data protection and the principles and practice that underpin the GDPR. For those looking for a comprehensive introduction to GDPR we recommend this course.

Header image: based on BREXIT by ChralJon, used under CC BY 2.0; text “GDPR Post” added and top/bottom of image removed.

GDPR & PECR Post Brexit

12 points that all businesses need to consider, and adjust their policies and procedures to reflect, in preparation for the post-Brexit world.

In the new post-Brexit world, what are the implications for the EU-imposed GDPR and PECR and for the new UK regulations on data protection, GDPR and PECR:

THE DATA PROTECTION PRIVACY AND ELECTRONIC COMMUNICATIONS (AMENDMENTS ETC) (EU EXIT) (NO.2) REGULATIONS 2019

With the first UK fine under the GDPR having been issued in December 2019 (£275,000 to a pharmacy for insecure record storage and disposal), no company or organisation can afford to neglect the latest UK GDPR legislation.

Concrew Training's courses on data protection are regularly updated and explore all the latest changes and developments, but to stimulate thought on the 12 points above, read our thoughts on them here.

Header image: based on BREXIT by ChralJon, used under CC BY 2.0; text “GDPR Post” added and top/bottom of image removed.

Is your online training meeting GDPR compliant?


Running online classrooms and meetings presents a very real risk of breaching privacy and data protection legislation in many ways and at multiple levels.

The coronavirus has led to a huge increase in the use of online learning, classrooms, meetings and webinars. Video conferencing, as it is known, has become mainstream virtually overnight.

Everybody seems to be jumping on the bandwagon and many say nothing will ever be the same again, but what is waiting in the wings?

A few weeks ago I took a call from a trainer friend I know, who had been asked by one of his clients, a local council, to move his face-to-face training courses to online delivery. A Skype conference call was arranged to discuss it further and to test his system.

I called him last week to ask how he was getting on. He was ecstatic, over the moon and glowing in his praise for video conferencing and online classrooms. “It's so easy, I don't have to travel, I record the sessions, I have got rid of the paperwork, I just show the verifier the recordings. It's brilliant.”

What about the GDPR, privacy and data protection? I asked. The reply: the council will have that covered, I don't need to worry about it. The council may well have it covered; their web site implies they have data protection agreements in place with all suppliers and use impact assessments to protect service users' privacy.

At the end of the day I wasn't convinced; I got the impression, rightly or wrongly, that privacy and data protection hadn't even been thought about in respect of the proposed move to delivering training online.

To be honest I wasn’t overly surprised. Looking at the privacy policies, where you can find them, of other organisations offering online learning many appear to have paid scant regard to privacy.

Couple poor attention to privacy and data protection with the huge uptake in video conferencing, and it becomes pretty clear that trouble is in store.

As we said above, for the unwary, running online classrooms and meetings presents a very real risk of breaching privacy and data protection legislation in many ways and at multiple levels.

The ICO can impose fines of up to €20 million for data breaches, but more worryingly the “no win, no fee” lawyers may well be waiting in the wings too.

To be honest, we can understand, but certainly not condone, why people may wish to brush data protection under the carpet. Normal learning and meetings are virtually impossible, and video conferencing at first look offers an easy, uncomplicated way to replace them.

But dig deeper into the GDPR, data protection and privacy, and a whole raft of potential issues arise.

Below we outline some of the issues anyone planning to run video conferences, online training and meetings needs to consider.

If you don't understand the questions or know the answers, you need to familiarise yourself with the GDPR or ask your Data Protection Officer to help you complete a privacy impact assessment.

If you identify any lack of knowledge or potential problems with video conferencing, online classrooms and meetings, you will probably have problems elsewhere too. Concrew Training's courses on GDPR and Privacy Impact Assessments may help. We can even tailor the content to focus on developing your own policies and procedures, or incorporate a privacy impact assessment of your video conferencing or online learning into the course.

Online Learning Platforms, Data Controllers and Data Processors

It is very important that those organising meetings, webinars and online learning through video conferencing platforms understand what role the platform is taking in respect of the data: that of controller or that of processor.

In very simple terms, the controller takes responsibility for overseeing GDPR compliance and agrees with the processor what they can and cannot do with the data. In the event of a breach the data controller is held liable.

Many online classroom/meeting platforms see themselves as data processors and not as data controllers in the context of their video conferencing service.

This means that the person or organisation hosting the course or the meeting could be deemed responsible for compliance with the GDPR, which may include liability for any illegal processing by the processor. If the platform breaches the GDPR and a user complains, the person or organiser of the course or meeting may be held liable and potentially face a fine of up to €20 million!

Self-Auditing GDPR compliance

These are the sorts of issues and questions we believe you need to consider to make your video conferencing, online learning and virtual meetings GDPR compliant. If you, your colleagues or your data protection officer need a better understanding of GDPR and data protection privacy impact assessments, contact Concrew Training; we deliver training on your premises. Please note the questions below are designed to stimulate thought, not to provide a definitive guide on impact assessment.

1. First Steps

  • Have you discussed video conferencing with your data protection officer and clarified that everything you plan to do is GDPR compliant?
    • Can you evidence this?
  • Do you understand the GDPR requirements for data controllers and data processors?
  • Have you completed and recorded the outputs from a Privacy Impact Assessment?
    • Do you know what a privacy impact assessment is and how to complete one for video conferencing scenarios?
    • Did you think about participant disclosures of confidential or inappropriate information?
    • What about information that may be seen via the camera, wall charts etc.?

2. Platform/Supplier Compliance

  • Does the platform/supplier you want to use comply with EU data protection legislation?
  • Do they promote themselves as a data controller or a data processor?
  • Are their privacy policies acceptable to you?
  • Do you have copies of their privacy policies?
  • Do they share your data with anyone?
    • If so, what?
    • Is it clear and acceptable?
  • What data do they retain/share?
  • Where is the data stored?
    • What about the data that is shared?
    • Does any data go outside of the EU?
      • If so, to where?
      • Can you evidence appropriate data security for every location?
  • Is more data than is strictly necessary being collected, stored or shared?
  • Is the length of time the data is retained for clear and reasonable?
    • Do they detail specific time periods for each type of data?
    • “As long as needed” is poor practice.
  • Do they detail the complaints procedure?
    • Who their data officer is?
    • How they may be contacted?
  • Will you have agreements in place that detail all the information above and below?

NOTE: if you are accessing the platform via a third-party supplier, the same questions apply to them equally.

3. User Consent

  • Has every user been told about all the data that is being collected/processed?
    • Are you sure?
      • Do not forget any hidden data, e.g. location, recording, attention tracking, online identifiers etc.
    • Are they using any form of personal profiling?
    • Is profiling data processing explained and consent gained?
    • Do you know what personal profiling is?
  • Do you have the users' consent to process their data?
    • Do you know what consent means under the GDPR and how to evidence it?
    • Can you evidence consent for all users? That is to say, do you have a specific opt-in record for each user, not generic acceptance?
    • What can each user request happens to their data, at any point in time?
    • Will you be able to supply all data to the user if requested to do so?
    • Will you be able to delete all the user's data if requested to do so?
    • What about recordings or data that is integral to the system?
    • Do you know what special categories of data means under the GDPR?
    • Is any special category data likely to be shared? Do you have consent?
    • Have all users been made aware of and agreed to the risks associated with online learning and meetings?

4. Your Own Organisation’s Privacy Policy

  • Does your organisation have a published privacy policy?
    • If not, why not?
    • Is it current?
  • Is it easy to read and understand?
  • Can it be found easily?
  • Is it supplied to those joining online training/meetings?
  • Does it specifically detail your approach to privacy in respect of online learning, classrooms and meetings etc. and the platform(s) you may use?
  • Does it highlight the potential risks associated with online learning/classrooms and how you have mitigated them?
  • Does it detail the data that is being collected in respect of online classrooms/meetings?
    • How their data may be used?
    • Who will have access to it?
    • How users can request their data be destroyed?
    • How long their data will be retained for?
  • Does it reflect the online learning/meeting platform provider's or third-party suppliers' own privacy policies?
    • Where changes are made in the platform provider's policies, are these updated in your policies without delay?
  • Do you have a clear and easy-to-follow policy for handling complaints?
  • Does it detail who your data protection officer is?

5. Minimising Risks

Final thoughts: have you minimised all the risks for the user, and thus for yourself too?

  • Is your video conferencing platform secure?
    • Has it suffered data breaches in the past?
      • If so, have these issues been addressed?
    • Does it encrypt data?
  • Do you or will you have policies and procedures in place for joining and behaviour in the classroom/meeting?
    • Are they implemented within the system, e.g. passwords, waiting rooms?
    • Are unacceptable language, equalities, sensitive issues etc. covered?
    • Have all users agreed to these policies and procedures?
    • Does the course/meeting leader know how to respond in the event of an issue occurring?

Image credit: WolfVision corporate / telepresence & video conferencing application by WolfVision GmbH, used under CC BY 2.0; GDPR-related white text added. Note: Concrew Training does not use or endorse this product, nor do we receive any monies for using this image.

GDPR 2020 – Are You Compliant?

Update your knowledge on data protection, GDPR and PECR.

Data protection doesn't stand still; every time the ICO (Information Commissioner's Office) updates its guidance or takes action, the way the legislation is interpreted can change.

The introduction of the GDPR led to most companies revisiting their data protection policies and procedures. Some extended this review to include their approach to the PECR (Privacy and Electronic Communications Regulations) too.

The most astute organisations and data protection managers identified that the most effective way to meet the demands of GDPR and PECR was to embed privacy as a core principle in every project, assignment, initiative, policy and procedure, which led to the introduction of Data Protection or Privacy Impact Assessments.

But data protection doesn't stand still; every time the ICO (Information Commissioner's Office) updates its guidance or issues a penalty or enforcement notice, it has the potential to change the way the legislation is interpreted.

The large number of organisations that have been fined is a good indication of how easy it is to misinterpret the legislation and get things wrong. Some of these organisations may have inadvertently forgotten, or deliberately decided not, to adjust their policies, procedures and approaches; but either way the penalties have been steep, and those caught are only the very tip of the iceberg.

Cookies are a prime example: even the ICO had to admit that it had got it wrong and change the way it manages its web site cookie notification and opt-in procedures. Its guidance on cookies has been updated, but even the quickest of quick checks on web sites shows that a huge number of organisations have not followed the latest guidance.

Data protection doesn't stand still. It's nearly 2 years since the GDPR was introduced. Most of the fines, penalties and enforcement action taken can be attributed to human error: people not understanding laws, policies and procedures, people not following them, or people just ignoring them.

This is a high-risk, high-cost position to be in.

Concrew Training's one-day #training #course on #DataProtection, the #GDPR and #PECR allows #management and #staff at all levels to be reminded of the latest legislation and good practice, and to have the importance of adhering to the organisation's data protection and privacy policies reinforced.

This is a highly cost-effective route for reducing risk in what is, for all organisations, a high-risk, high-cost situation.

Concrew Training's support can also be adapted to focus on PECR, Privacy Impact Assessments or a hands-on review of existing policies and procedures.