The Exciting and Wonderful World of . . . Data Protection

Important Information for Anyone Working with at Munich International School

A Super Short History of Data Protection in Germany

• 1977 – First Federal Data Protection Act in Germany
• 1983 – Judgment in a case involving the 1980 Census: Right to informational self-determination.
• 2018 – The EU General Data Protection Regulation (GDPR) directly applicable in all EU Member States.

Why Should We Care About Data Protection?

• Strict Laws

• Serious Attitude About Personal Data

• Consequences

• Individual Responsibility

Advantages of efficient Data Protection

• Competitive advantages: The organization will win the confidence of staff members, students, parents and business partners through the responsible handling of their data.
• Protection from significant financial risks: Disruptions in business continuity cost money, e.g. data loss, sabotage, unauthorized access.
• Avoid remedies and sanctions: The remedies and sanctions available to DPAs under the GDPR are significantly greater. In particular, the GDPR allows DPAs to issue fines for serious infringements up to a maximum of the greater of €20 million or four percent of worldwide turnover.

Where do the laws and guidelines come from?

1.) The EU General Data Protection Regulation (GDPR)

The GDPR will be directly applicable in all EU Member States from May 25, 2018. Although a key aim of the GDPR is to harmonise data protection law across the EU, there are a number of areas in which the GDPR leaves it to Member States to adopt their own national rules.

3.) German Federal Government

On 25 May 2018, not only the EU General Data Protection Regulation (GDPR) but also the new German Act (BDSG-new) applies. The BDSG-new complements, specifies and modifies the GDPR. It provides rules for specific topics, e.g. for data processing in the context of employment, the designation of a data protection officer (DPO), scoring and credit checks as well as profiling.

Future laws? The ePrivacy Regulation

The European Commission has made a proposal for a new ePrivacy law; this proposal will not take effect in 2018. It is expected to be adopted in the later part of 2019. The purpose is to regulate the processing of electronic communications data as well as the use of cookies and other similar technologies. This proposal is not just about cookies, as it covers all technologies used in the processing of data, whether personal or not. Also, at this stage, this is a proposal that has to go through the Brussels legislative process, and until then we won’t know exactly what it will state.

Personal data

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Examples of personal data: a name and surname; a home address; an email address; a cookie ID; …

The GDPR applies to both electronic records and structured hard copy records. Data about organizations and corporations is not covered. Anonymised data are not considered personal data.

Sensitive Personal Data

Sensitive Personal Data are special categories of personal data that are subject to additional protections. In general, organizations require stronger grounds to process Sensitive Personal Data than they require to process "regular" personal data.

Examples of Sensitive Personal Data

"Sensitive Personal Data" are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

While it has not yet been fully established by law, students’ academic performance and special learning needs may well qualify as “sensitive personal data”.

Some definitions: Third party and processors

“third party” means: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Anonymous versus Pseudonymous Data

Anonymous data: Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) by any means or by any person. Ensuring that there is no way in which individuals can be identified is a technically complex task.

Pseudonymous data: Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. A good example of pseudonymous data is coded data sets used in clinical trials.

The 7 GDPR personal data processing principles. Source: Serve IT

EU 7 Basic Principles of Data Protection

#1. Fair, lawful and transparent processing (art. 5(1)(a))

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

The requirement to process personal data fairly and lawfully is extensive. Lawfulness needs to be interpreted strictly: there must be a law allowing the processing.

#2. The purpose limitation principle (art. 5(1)(b))

Personal data may be collected only for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

In summary, the purpose limitation principle states that personal data collected for one purpose should not be used for a new purpose that is incompatible with those mentioned to the data subject at the time of collection. A specified, explicit and legitimate purpose doesn’t just mean that there must be a purpose; it also literally means that the purpose needs to be limited.

#3. Data minimisation (art. 5(1)(c))

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

The principle of data minimization is essentially the idea that, subject to limited exceptions, an organization should process only the personal data that it actually needs to process in order to achieve its defined purposes.

#4. Accuracy (art. 5(1)(d))

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.

#5. periods (art. 5(1)(e))

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

In general the rule is: data that is no longer essential for achieving the original purpose for which the data was collected must be deleted.

#6. (integrity and ) (art. 5(1)(f))

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Controllers are responsible for ensuring that personal data are kept secure, both against external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained employees).

#7. Accountability (art. 5(2))

In order to be able to demonstrate compliance with this Regulation, the DPO should implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, companies/organisations should ensure that personal data is processed with the highest privacy protection (for example, only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).

Guaranteeing the rights of the data subject

• Transparent information and communication
• Information obligations: Data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information.
• Rights of access: In order to allow data subjects to enforce their data protection rights, EU data protection law obliges controllers to provide data subjects with access to their personal data.
• Rectification and erasure ("") free of charge
• Right to restriction of processing
• Notification obligation vis-à-vis third parties regarding rectification, erasure or restriction. The data subject is also entitled to request information about the identities of those third parties.
• Right to data portability (e.g., to move account details from one online platform to another).
• Right to object: where the lawful basis is either "public interest" or "legitimate interests", data subjects may have a right to object to such processing.

GDPR Lawfulness processing. Source: https://www.i-scoop.eu/gdpr/consent-gdpr/

Consent is one of the six legal grounds for lawful processing

Consent of the data subject means: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

To the extent that MIS relies on consent as the lawful basis for any of its processing activities, MIS should ensure that data subjects are provided with a clear explanation of the processing to which they are consenting. Please note that pre-ticked boxes do not constitute valid consent.

Conditions applicable to child's consent in relation to information society services (e.g. Facebook)

“The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.”

Example of a consent

Please note that prior to the capture of your personal data you are obliged to give your consent. If you do not consent to the processing of your data you will not be able to enter that data and will subsequently be unable to use this function of our website.

Personal Data is stored electronically as well as in hard copy at Munich International School (MIS). Electronically stored data will only be stored on MIS managed IT-systems or on such IT-systems of providers which are carefully selected by MIS and contractually bound to all applicable Data Protection Rules by a Data Processing Agreement (DPA) under European Data Privacy Laws. Relevant data will be stored electronically for a period of 50 years as long as MIS is not obliged to store data for a longer period by law. No data will be stored longer than is necessary for the purposes for which the personal data is processed. After that period all and any stored data will be deleted. MIS guarantees to observe all applicable data protection rules, especially the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and applicable German Data Protection laws. All parties are subject to the legal requirements of Article 85 of the BayEUG. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal and such data which MIS processes on a legal basis.

Controller of the data is MIS, represented by the Head of School Mr. Timothy Thomas. The Data Protection Officer of MIS is Mr Bernard Columberg, e-mail: [email protected]. The purpose of any processing of the stored data is either a legal obligation of MIS to store the data, legitimate interests or other reasons. You are entitled to request from MIS access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing. MIS assures the right to data portability. You are entitled to lodge a complaint with the supervisory authority: Bayerisches Landesamt für Datenschutzaufsicht (www.lda.bayern.de).

By ticking the checkbox, you declare your consent that your data is stored and processed in all School systems.

Essential Rules for Teachers and Staff

- Please use only IT systems approved by the School.

This includes Schoolbase, ManageBac, Edublogs, ITS-Learning, Microsoft Office 365 / One Drive, etc. Please do not use Google online tools (Google Drive, Google Docs, Google Calendar, etc.) or Dropbox for school purposes. Google, Dropbox and many other online platforms do not comply with the EU's new regulation. If you are not sure about a specific tool, please contact one of our IT professionals to find out if it is an approved tool/system.

Source: Email from Head of School 24.05.2018

- Please do not distribute any personal data of students or their families.

If parents or even students ask you for contact details or other information about children or families other than their own, please direct the person with the inquiry to a school office. Many of our families do not wish for their contact details to be shared in the community and doing so without their explicit permission is illegal.

Source: Email from Head of School 24.05.2018

- Please do not take photographs or videos of students with private devices.

Holding photographs of students or families on private devices without their explicit permission is illegal. Additionally, many devices automatically upload copies of photographs and videos to so-called cloud servers. In many cases it can be nearly impossible to prove that such uploaded images have ever truly been deleted. If you intend to take photographs or videos of students for school purposes, please ensure that you use school-issued devices and that you heed the “no-photograph” list.

Source: Email from Head of School 24.05.2018

- If you make a mistake, report it!

Although one’s reflex may be to cover up any breaches in data protection, the law is very specific about this. You are obligated to report any breaches in data protection (including ones caused by you) to the DPO or Head of School immediately. We must report the case to the Data Protection Authority in Bavaria. If we report the case promptly and demonstrate that we are trying to rectify it, the chances of punishment are much lower.

So how should teachers handle student data?

- Collect and keep only what you need.
- Return what you don’t need to students.
- Destroy records that are no longer needed.
- Use only the school’s systems for storage.
- Be mindful of keeping both physical and digital private data in secured spaces.
- Use lockable cabinets for grade books, narrative evaluations, marked student work and portfolios when you’re not there.
- When in doubt, please ask!

Regulation on Student Documents based on Bavarian laws

Usage of school data

• The student records may only be used without consent as far as this is to fulfil the tasks assigned to the schools by law.
• Access to the student records is limited under the following conditions:
  o To the SLT, to the extent it serves an educational purpose
  o Only for those students taught by the teacher
  o Consulting teachers and school psychologists, insofar as this is necessary to fulfil their pedagogical, psychological and legal tasks within the framework of school counselling.
• After the student has left school, access to the student records is only possible by the school administration in particular cases, which are required to fulfil the legal duties, or for the persons who have been granted consent.
• Consent must be given in written form.
• For students between 14 and 18 years of age, both students and the legal guardians must consent to the release of documentation.
• For students under 14, the legal guardians must consent.

Source: http://www.gesetze-bayern.de/Content/Document/BaySchO2016-G6 Bayerische Schulordnung Teil 5 Schülerunterlagen effective as of 01.01.2018

Retention and deletion periods (I) based on Bavarian laws

Type of document | Retention and deletion periods

50 years from the end of the school year in which the student left school:

The student's master record contains:
• personal information regarding the student, the parents, the guardians entrusted with raising the child, any job training and the school education according to the specimen issued by the State Ministry,
• The graduation documents and diplomas or - if the student did not graduate - a copy of the documents issued in lieu,
• Copies of any documentation granting access to higher education such as subject-specific or general qualification to enter universities of applied sciences or universities, intermediate school leaving certificates,

1 year from the end of the school year in which the student left school:

• Other general reporting or reports granting access to the next level of education,
• The education records including any findings, observations and recommendations relevant for the further schooling or educational training with an overview of any disciplinary action taken;
• The transcripts which - depending on the school type - reflect in particular the results of written, oral and practical tests taken by the individual students and related remarks,
• Intermediary reports, in cases where such reports replace the semester reports according to the school regulations,
• Any written information on measures taken and diagnostic plans for students requiring special assistance and documents on compensation of disadvantages and protection against unfair grading,

Source: http://www.gesetze-bayern.de/Content/Document/BaySchO2016-G6 Bayerische Schulordnung Teil 5 Schülerunterlagen effective as of 01.01.2018

Retention and deletion periods (II)

Type of document | Retention and deletion periods

BE CAREFUL!!! There has been a recent reform to the law in 2017. Yes, documentation that the child was given 25% Extra time and a PC

1 year from the end of the school year in which the student left school:

• Written comments on special educational assistance requirements, especially the expert opinion on special education requirements and the report issued after such requirements have been established,
• All special assistance plans,
• Student lists for junior and middle school, Senior School
• All other written documents on events relating to individual students, which are an absolute requirement for a comprehensible and transparent documentation of the education records.

2 years, the year beginning upon expiry of the school year in which the performance was rated:

Performance records composed of
• written performance records including final examinations, orientation tests, comparative tests, seminar papers, reports on internships and tests of basic knowledge and form tests, and
• Practical performance records, especially work pieces and drawings.

Source: http://www.gesetze-bayern.de/Content/Document/BaySchO2016-G6 Bayerische Schulordnung Teil 5 Schülerunterlagen effective as of 01.01.2018

Transfer of school data

Passing on data in cases of change of school

• If a student moves to a public school, the originals of the student's master record and the education records must be sent to the new school.
  o Other documents relating to the student must be passed on in the original or, if originals are no longer available, in the form of copies if this is relevant for the further schooling of the student.
  o Any recommendations concerning special-assistance arrangements on individual educational requirements or a special-assistance report will be passed on only if consent has been given or if a particular impairment of members of the school community is to be feared (Art. 41 (5) no. 2 BayEUG); Sec. 3 (3) applies mutatis mutandis.
  o The school which the student is leaving will retain copies of the documents pursuant to sentence 1.
• If a student moves to a state-accredited alternative school, the student's master record and the education records must be passed on as copies; copies of any other student documents may be passed on only with prior consent.
• If a student moves to any other school, his/her documents (in the form of copies) may be passed on only with prior consent. Sec. 3 (3) applies mutatis mutandis.
• A student's documents may not be passed on to any other institutions without prior consent. Art. 85 (2) BayEUG is still applicable.

Access to school data

• The following individuals are entitled to review their own student file and - upon completion of the admissions procedure, the final examination or other school performance tests - their own performance records pursuant to Sec. 2, no. 2:
  o Students above the age of 14,
  o Legal guardians and former legal guardians for students who are above 18, but below the age of 21, if regulations of the Bavarian Law on Education and Schooling or the school rules allow for such information to be provided,
  o Former students.
• Inspection is inadmissible if the data of the students concerned are linked with third-party data in such a manner that separation is not possible at all or only with disproportionate effort.
• In this respect, authorised persons, such as the SLT, are entitled to information on existing data relating to the students concerned.
• Inspection and information may be refused or restricted if this is necessary to protect current or former students or current or former legal guardians.

Frequently Asked Questions:

What if I don’t have access to any lockable cabinets?

Then we need to get more. There may be some appropriate cabinets in storage. If not, then more may need to be ordered. Please speak with your school principal.

Actually, Tim, I have lockable cabinets in my room, but I don’t have any of the keys and don’t know where they are. What should I do?

The companies from whom we obtain our cabinets can provide more keys. Using the number on the locks (in most cases), new keys can be ordered so that the cabinets can, again, be locked. Please speak with your school principal.

If we have physical documents with students’ private data that we need to shred or destroy, how are we supposed to do that?

Document drop-off boxes. The shredding will be done for you!

Junior School, Middle School, Senior School

Cloud services, like Google-Docs and Dropbox, are soooooo convenient, Tim! How can you tell me that I can’t use these?!

Google, Dropbox, Facebook, etc.  ✗

Microsoft One Drive?  ✅

How do we handle moderation of assessment and other tasks that require other teachers to see student work?

Generally, moderation of assessment has a compelling justification (validation of evaluation). Teachers should nonetheless be mindful not to transmit student data beyond what is necessary to achieve the goal.

How long do we need to keep student work in order to justify our grades? Can’t parents appeal a grade for up to two years?

According to the judgment of the Bundesverwaltungsgericht on the 25.04.1983, parents in Germany may legally contest a course grade only when that course grade significantly changes the access that child has to further educational opportunities.

Parents may, of course, appeal to the school Director, who may decide within the framework of the school to change the grade: VGH Beschluss 27.01.1988: While teachers are generally entrusted with assigning grades, school directors can, in individually contested cases, decide on the final awarded grade.

How serious is this, Tim? What if I ignore these rules or refuse to follow them?

The updated GDPR (General Data Protection Regulation) stipulates harsh new penalties for employees and organisations that do not comply with data protection rules.

You could be put in jail for up to three years or face fines up to a maximum of €20,000,000. There could also be civil penalties, if another person were to suffer damages or negative consequences because you failed to adequately secure their data.

More Questions?

Data Protection Final Exam

1. Data Protection laws protect the data of . . .

A. Individuals.

B. Companies.

2. DPO stands for . . .

A. Designated Party Organiser.

B. Data Protection Officer.

3. Data that are no longer needed must be . . .

A. Archived.

B. Deleted.

4. Securing data can include . . .

A. Locking cupboards

B. Using secure passwords

C. Storing data in locked offices

5. If you accidentally break DP rules you must . . .

A. Hide it quickly

B. Call your mother

C. Report it to DPO or HoS

6. Your obligation to protect students’ data means . . .

A. You cannot collect any data about them.

B. You cannot really teach them anything.

C. You must take care when collecting, processing and storing their data.

What if I have further questions after this meeting has concluded?

We’re happy to answer questions and to help find solutions to problems.

MIS Data Protection Officer = Mr. Bernard Columberg [email protected]

HoS = Mr. Tim Thomas [email protected]

Director of IT Systems = Mr. Alexander Barlage [email protected]
