Remote working causes new data protection headaches
In one of the DPC's case studies, students were inadvertently given access to a recording of an online video conference, including lecturers' discussion of other students' work. Picture: iStock
An educational institution accidentally shared recordings of student presentations with the students themselves who were then able to view their lecturers’ personal remarks about them, some of which were posted to social media.
That data breach is one of 31 case studies detailed in the annual report of the Data Protection Commission (DPC) published this morning.
In that instance, the breach resulted from pandemic restrictions which saw presentations by students before lecturers conducted via video conference and recorded in order to enable external examination, “though it was not intended that students would have access to recordings of their presentations”, the report said.
“In fact, all invited participants, including the students who presented, had access to recordings of their sessions and were automatically emailed a link to the relevant file on the institution’s server,” it said.
The case highlights the potential risks posed by the use of video conferencing and similar technologies, the DPC said, and that the organisation in question had since deleted the recordings in question.
The incident is not the only example in the report of educational institutions falling foul of data protection law in 2021.
In a second case study, a university notified the DPC that job applications and CVs it had received ended up dispersed after an employee working from home placed printouts in a recycling bin only for it to blow over in high winds thus spilling its contents. This was notwithstanding the fact that the university had “instructed employees working from home to minimise printing and to destroy documents before disposal”.
The DPC said of the matter that it highlights how controllers, in this case the university, have responsibility to provide appropriate devices such as shredders for employees working remotely to deliver “the required standard of protection”.
Other case studies detailed include an attendee at a funeral complaining to the commission about their personal data being breached by the parish which had livestreamed the event (a complaint which was not upheld) and an employee complaining to the DPC that their data had been improperly processed by their employer when it used its dispatch system to verify their expense claims.
Headline figures from the DPC’s report include an increase of 7% in queries and complaints to the regulator in 2021 to 10,888, with 10,645 cases concluded by the commission over the year. It said that just under 52% of complaints, 1,771, were concluded within the same calendar year.
For reported breaches, such notifications were down slightly on 2020 figures to 6,549, the DPC said.
Of that number, the most frequent cause of reported breaches was unauthorised disclosure, the report said, which accounted for 71% of all notifications. That was a significant drop from the 86% noted the previous year, however.
The main topics for queries and complaints meanwhile, included subject access requests, disclosure, direct marketing, and the right to be forgotten which can see web searches for affected individuals delisted from search engines.
CONNECT WITH US TODAY
Be the first to know the latest news and updates
