A teacher requested their pupils to prepare a video and send it to him by e-mail or Messenger so that they could check whether the kids performed the assignment that was given to them in a practical class (e.g. physical education). The teacher did not request the consent of the kids or their guardians for this and did not provide any information about the data processing. Can this be OK? How are children protected after the conversion to online education and what are the responsibilities of children, parents, teachers and schools? What should they to do if they want to act lawfully? In this article, we discuss these questions with Adrienn Dömők, a data protection expert of CERHA HEMPEL Dezső & Partners, and highlight what actions might be needed.
A person’s face and image qualify as personal data, and any picture or video footage taken of their face (or, in fact, any action performed with such data) qualifies as data processing. So, the video footage qualifies as personal data, and the teacher processes data. But why does the teacher process data? In order to perform the educational tasks of a public educational institution with an independent legal personality (i.e. the school). Therefore, the data controller is not the teacher but the school, which carries out mandatory data processing and performs a public function – and therefore a consent from the kids or their parents is not required.
The principle of progressivity or how should a school limit its intervention in a child’s private life?
Is it reasonable for the teacher to choose the above solution right away? Question zero should be whether there are other ways to confirm that the assignment in question was performed, or, if the processing of personal data is unavoidable, whether it can be done in a less intrusive but still efficient manner. The obvious goal is that that the teacher / school should select the solution with the least amount of risk for the privacy of the children. According to the Hungarian data protection authority (NAIH), there are several options: a parent can confirm that assignments given in a physical education or other form of practical class were performed, but a solution that allows real-time observation and communication (online video chat) can also be effective, as both solutions represent less risk for the kids’ privacy. The NAIH is aware that the practicality of this recommendation is greatly influenced by the number of pupils in a class and the number of hours the teacher spends in classrooms.
Greater protection for children
Online education is not a regulated area, although the introduction of regulations would be a good idea. On the other hand, there are rules of ethics, recommendations, policies and other documents in place the school system that can used as a guide. Consequently, the NAIH recommends to schools that they should request kids (or their parents) to send photos or video footage in accordance with such ethics and other rules. However, if data processing does take place, information must be provided about it (including, for example, the application of digital devices or the use data processors), data subjects must have the ability to exercise their rights (such as the right to access or erasure), and other data protection requirements must also be met. The purpose and legal basis of processing must also be stated. Additionally, fundamental data protection principles must be observed in the processing of personal data, which is the responsibility of the data controller, i.e. the school. On the basis of the principle of accountability, the data controller has certain documentation and registration responsibilities, but it must also act in line with the principles of data minimisation, storage limitation, integrity and confidentiality, transparency, and data accuracy and security.
Data security
Although the NAIH lists a few dos and don’ts, it also emphasises that schools as the data controllers are liable and responsible during every step of data processing for selecting the appropriate technologies and for regulating of the use of such technologies by teachers.
Teachers perform a public function when they check whether their pupils have performed a given assignment, and they may only do so within the limits of strictly regulated rules. Pursuant to the Act on Public Education, teachers have an obligation to keep secret any information that they learn about their pupils. If a teacher misuses a child’s personal data or does not process the data lawfully, they may be charged with the felony offense of misuse of personal data under Hungary’s Criminal Code.
It is important to bear in mind that until a relevant regulation is introduced, schools will have an obligation to provide information about their data processing operations. It is a good question, however, just how many schools have been able to comply with this obligation since the start of the epidemic and the declaration of the state of emergency, or how many have even realised that they have this obligation.
Dr. Tamás Polauf
Partner
+36 20 381-3609
tamas.polauf(at)cerhahempel.hu
Dr. Adrienn Dömők
Attorney, Head of Data Protection
06-70-703-9300
adrienn.domok(at)cerhahempel.hu