Protection of Personal Data
Our Office continues to receive many petitions relating to the protection of data. The handling of personal data by public education institutions tends to raise highly sensitive questions. Namely, schools may engage in any processing of personal data only if they are expressly authorised to do so by the law, or if the parties concerned (students and teachers, i.e. all parties whose personal data are affected) have given their consent thereto. However, the consent to the use of personal data provides an appropriate legal basis for the use of data only if it can be deemed to be a voluntary, explicit and informed expression of the data owner's will. Consent is regarded voluntary only if the students can be sure that they will not suffer any disadvantages for refusing to consent to the use of their personal data. If the students have grounds to be concerned that the school may act in such way that may be disadvantageous to them, their consent should not be deemed voluntary. The management and the teachers of the school, on the one hand, and the students of the school, on the other hand, are not in the same position at a school, as students are dependent on the school management and the teachers in many areas of school life. Due to the nature of this dependency, students may have grounds to be afraid of suffering disadvantages in some areas of school life if they refuse to give their consent, even though such disadvantages may be not expressly or directly linked to their refusal. Under such circumstances, a voluntary consent to the use of personal data is precluded, in other words the students or their legal representatives are unable to give a voluntary, explicit and informed consent that would provide an adequate legal basis. This will put at risk the essence of the right to dispose of personal information, namely the possibility of giving voluntary consent to the use of personal data.
Educational players are often uncertain as to what kind of data education and teaching institutions can lawfully process.
A parent turned to our Office with the following problems. The school his child attends is about to install a magnetic entry system at the gate of the school which records the time of entry and leave in a way so that these data can be checked and retrieved. The system is directly linked to the electronic class book which therefore can immediately log any absence or late-coming. The parent found it injurious that if a student forgets his or her card at home it will be registered as unjustified absence from the class. The parent also disapproved of the school not having asked for the opinion of the parents and the students in advance. Although the students protested against the system at a subsequently held student forum, the school management responded that the maintainer local government had already made a decision on the matter. The parent also found it injurious that the students would have to pay for the magnetic card.
In his declaration, the head of the institution informed our Office of the following. Currently, there is no magnetic entry system in operation at the school. They are indeed planning to introduce such a system to record the entry and leave of persons entitled to enter the school (i.e. students, teachers and other school employees). The school will process only those data this way which it already handles in a traditional form (in respect of employees: attendance sheet, in respect of students: progress book for the administration of absences and late-comings). According to the principal the data will be recorded on a computer which is stored in a separate and closed room used solely for this purpose. Unauthorised persons will not be able to access these data, in other words, only the school management, the system administrator and the staff of the security service will be entitled to access these. They would use the data managed by the system and would post these data in documents (this, however, would be done manually and not in an automatic way). The data would be retained in electronic format until the end of the given school year (whereas these data would be kept in a written format for the period specified by the relevant statutory provisions). The entry system would not prevent anyone from leaving the school during the instruction sessions, it would only record its time. The principal stated that they would not register it as unjustified absence if a student forgets his or her card at home since the school management is also aware that this would be unlawful. In his declaration the principal also informed us that it was not the maintainer who decided on the setting up of the system, as this falls within the competence of the institution. The teaching staff of the institution and the parents' organisation seconded the introduction of the system; during the preparations the institution also requested an opinion from the student union. According to the principal students would not have to pay for the card, but they would be required to put down a deposit in return for the card.
We arrived at the following conclusions in the case. Based on the provisions of point 1 of Article 2 of Act LXIII of 1992 on the protection of personal data and the publicity of data of public interest, personal data are data which can be associated with a (identifiable or unidentifiable) particular natural person (hereinafter: person concerned), the conclusion which can be drawn from the data relating to the person concerned. Personal data keep their above defined quality in the course of data handling until their connection with the person concerned can be restored. A person is regarded identifiable especially if he or she can directly or indirectly be identified on the basis of name, identification mark, or one or more factors that are typical of his or her physical, physiological, psychological, economic, cultural or social identity.
Pursuant to point 9 of Article 2 of the Data Protection Act data handling means irrespective of the procedure applied, any or all operations carried out with personal data, collecting, registering, recording, processing, storage, change, utilization, forwarding, publication, harmonisation or connecting, closing, deletion and elimination of personal data, and the prevention of their further use . Photographs, audio or video recording and the recording of physical attributes suitable for identifying the person concerned (such as fingerprints or palm prints, DNA-sample, and iris image) shall also be considered data handling.
In consequence of the above, the use and operation of the planned entry system qualifies as data handling. Based on the provisions of Article 3 (1) of the Data Protection Act personal data may be handled if the person concerned agrees thereto or it is ordered by an Act or a local government decree on the basis of the authorisation of an Act, within the sphere defined therein. In our case data handling is authorised by statutory provisions as the school must record student absences and late-comings in the class book. This type of entry system could help the institution meet this obligation.
According to Article 5 of the Data Protection Act personal data may only be handled for a particular purpose, exercise of rights or fulfilment of obligations . Each phase of data handling shall comply with this purpose. Only such personal data may be handled which are indispensable for accomplishing the purpose of data handling, are suitable for achieving the purpose, and only to the extent and for the time required for the accomplishment of the purpose. The requirement of particular purpose is met in the case of the planned system as the handling of data will serve the fulfilment of a statutory obligation.
At the same time, we called the attention of the head of the institution to the fact that the installation of the entry system was decided by the institution, and it would therefore be unlawful to make students bear in any form or to any extent the related costs. Thus it is not proper to ask for deposits from the students in advance for the magnetic entry cards. If a student causes damage to the card, he or she can be compelled to recover such damage subsequently. In view of the above, we established that the introduction of the entry system - if implemented according to the plans outlined in the principal's declaration - does not infringe students' educational rights. (K-OJOG-179/2005.)
A school principal inquired in his letter if it was legal to equip the school with security cameras in order to prevent thefts.
Video recordings made and transmitted by cameras - provided that the persons on the recordings are recognisable and identifiable - contain personal data and therefore the operation of such equipment qualifies as data handling. Pursuant to the provisions of Article 3 (1) of the Data Protection Act personal data may be handled if the person concerned agrees thereto or it is ordered by an Act or a local government decree on the basis of the authorisation of an Act, within the sphere defined therein.
In the case presented by the head of the institution, equipping cameras (in a public education institution) is not authorised by the law as in effective Hungarian law only a few organisations (e.g. the police, public area surveillance bodies, organisers of sports events) are entitled to operate such cameras, and obtaining the consent of the persons concerned is not a feasible option since this would require that all the persons who enter the school (students, parents, teachers, other school employees, etc.) give their consent. Approval by a board which consists of a few people authorised for representation (e.g. the board of parents) cannot substitute the consent of each and every person concerned.
Our Office's position coincides with the position adopted by the Data Protection Commissioner in similar cases. The recommendation of the Data Protection Commissioner concerning video recording equipment operated for the purpose of monitoring and data collection also contains the following. Video recordings present a set of problems in terms of data protection, as these record and store - in an identifiable and replayable manner - the events observed and thereby the presence, behaviour and actions of certain people at a given location. The recording and the storage for a specific period of personal data is only lawful in the cases and in the manner regulated in the Data Protection Act.
According to Article 5 of the Data Protection Act personal data may only be handled for a particular purpose, exercise of rights or fulfilment of obligations . Each phase of data handling shall comply with this purpose. Only such personal data may be handled which are indispensable for accomplishing the purpose of data handling, are suitable for achieving the purpose, and only to the extent and for the time required for the accomplishment of the purpose.
Within the meaning of Article 4 of the Data Protection Act unless an Act provides exemption, any other interests attached to data handling may not violate the right attached to the protection of personal data and the right to privacy of the person concerned. According to the Data Protection Commissioner the safeguarding of financial interests or security through the use of video recording equipment is achieved at the expense of violating constitutional human rights. Such interest can therefore not justify recordings that violate the right of the persons concerned to the protection of personal data, unless authorised by the law.
In addition to the Data Protection Act, Article 80 (1) of Act IV of 1959 on the Civil Code also contains relevant provisions, according to which any misuse of the likeness or recorded voice of another person shall be deemed as a violation of inherent rights.
Based on the above we did not deem it lawful to equip the security cameras on the corridors of the school. In our view, a camera could be installed at the school entrance which would not record but only transmit images directly to a monitor on which these could be followed up. In essence, this is a technical apparatus which could replace personal monitoring, and even more, as with the help of this technology (e.g. zooming in) it allows for a broader scope of surveillance than the presence of a person does. Also in this case, in accordance with the provisions of the Data Protection Act, the persons concerned must be informed that they are monitored and of the manner in which it is accomplished. Pursuant to Article 6 of the Data Protection Act prior to recording the data, the person concerned shall be notified whether the data supply is voluntary or mandatory. The person concerned shall be informed clearly and in details of every circumstance associated with the handling of his or her data, thus especially of the purpose and the legal basis of data handling, of the identity of the persons authorised to handle and process the data, of the duration of data handling and of the persons to whom these data may be disclosed. Information must also include the data handling related rights of the person concerned and the options for remedial action. Hence it must be ensured that the camera is not operated as a secret surveillance device but in the place of the person authorised to perform surveillance. To this end it must be installed in a clearly visible manner and the persons concerned must be notified of its presence also in other ways. (K-OJOG-36/2005.)
We also had a case where it was the activity of the school's maintainer that gave rise to concern with regard to data protection.
A school principal was interested whether the questions asked in the course of a survey the district local government wished to undertake to examine the disciplinary level of students violated any personal rights. She also attached the questionnaire the students were to complete.
The first question in the attached questionnaire served the identification of the student. This was worrying in view of the statutory provisions on data handling. The legal regulations in effect do not authorise the local government to collect the data - and also indicate the name of the respondent - featured in the questionnaire. First of all, it must be ensured that the questionnaires are anonymous. The Teaching Services Centre can request students to supply the data listed in the questionnaire without disclosing their names. To maintain anonymity, in each and every phase of data handling proper care must be taken so that it doesn't happen for example that the head teacher can identify the respondent on the basis of his or her handwriting.
It is important to keep in mind that data supply can only be voluntary because the students are not required to do so by the law. As the persons concerned are minors, their parents (legal representatives) must also agree to the supply of their data.
Pursuant to Article 10 (1) of Act LXIII of 1992 on the protection of personal data and the publicity of data of public interest, the data handler, or in his or her scope of activity the person processing the data, shall provide for the security of the data, shall take the technical and organisational measures and establish the procedural rules which are required for the enforcement of the Data Protection Act and other rules related to the protection of data and secrets. Therefore, it is expedient to draw up a data protection plan prior to the collection of data which can specify all rules and criteria that serve as a guarantee and should be observed during data handling. Compliance with these rules ensures that several problems related to personality rights can be prevented during the procedure. (K-OJOG-37/2005.)
The above case also demonstrates that it is often difficult for institutions to decide whether they can let third parties - either within or outside the institution - access certain personal data, in other words, if they are entitled to forward these.
A principal requested our position concerning the following problem. One of the teachers of the school posted the results of the tests she gave on the wall of the classroom. The teacher drew a tree on which she put the names of the students based on their test results starting from the root up to the crown of the tree. One of the parents protested and filed a complaint with the head of the school. The principal wanted to know if test results should be regarded as personal data or if these can be displayed on the wall of the classroom where not only the teachers and the students concerned but also others can view these.
We established that the results of a test qualify as personal data and its publication as data handling. According to Annex 2 to Act LXXIX of 1993 on Public Education the data relating to the assessment of student conduct, diligence and performance may be disclosed within the class and the teaching staff concerned, to the parents, the Examination Board, the organiser of practical training, the party concluding a study contract, and, if the assessment is not made by the school, to the school, and in case of changing schools, to the new school, and to the person ensuring professional control.
Considering the above, we are of the view that the data of students can only be displayed on the wall of the classroom if the students (in the case of minor also subject to the consent of the legal representative) have given their consent thereto. (K-OJOG-1312/2005.)
The Equal Treatment Authority requested our position with regard to the following problem. An elementary school student received a warning from the principal for serious breach of obligation. The parent of the child objected to the disciplinary sanction having been announced in front the study-room class as this way they humiliated the student. The children who were present spread the news and the next day the whole village knew of the case. Ever since then the residents of the municipality have been hostile to the family. The president of the Authority requested our position on the issue whether it had been lawful to announce the sanction in public.
According to Annex 2 to Act LXXIX of 1993 on Public Education the data relating to the assessment of student conduct, diligence and performance may be disclosed, among others, within the class and the teaching staff concerned, and to the parents. The law seeks to ensure that, as education is an activity pursued in a community, recognitions as well as disciplinary measures and sanctions that are related to education are delivered in front of the members of this community. Based on the petition, it can be concluded that no disciplinary proceeding took place. Warning from the principal is a disciplinary measure which the head of the institution, acting in his competence as principal, is entitled to deliver at his discretion.
Consequently, we take the position that the educational rights of the student were not infringed. (K-OJOG-324/2005.)
In accordance with the Data Protection Act the person concerned can request the correction or - except in cases of statutory data handling - the deletion of his or her personal data. As a result, the data handler shall correct data which do not correspond to the facts.
A head of institution asked for our opinion on the following matter. The parents of one of the school's students had divorced and the new husband of the mother adopted the child. As a consequence of this change, a new birth certificate with the new name of the student was issued, a copy of which was sent to the school. At the end of the school year the parents asked the school to issue a new year-end report indicating the new name of the student. The principal wanted to know if he could revoke the student's old report and issue a new one with his new name.
We informed the head of the institution of the following. Pursuant to Article 40 (4) of Act LXXIX of 1993 on Public Education and as defined in its Annex 2, an institution of public education shall register and process the data pertaining to the student status of students. Such data are the name, place and date of birth, citizenship, domicile, residence, phone number, etc. of children and students. Therefore, the school registering and using the data qualifies as a data handler under Act LXIII of 1992 on the protection of personal data and the publicity of data of public interest, and as such shall comply with certain specific obligations with regard to data handling. Within the meaning of Article 11 (1) of the Data Protection Act, a person concerned may request the correction of the data registered by the data handler, and pursuant to Article 14 (1) the data handler shall correct the data which do not correspond to the facts.
The parents of the student concerned are therefore entitled to request the correction of the data that are related to his student status and are registered by the school, and based on their notification, it is the school's responsibility to issue the year-end report which contains the modified data. (K-OJOG-645/2005.)