Data Protection Policy
Data Protection Policy for processing of personal data at AcadeMedia
AcadeMedia processes large quantities of personal data every day. This is necessary to perform our work in an efficient and legal manner. It is important for all such processing to be performed correctly and avoid the risk of violating the privacy of the individuals whose personal data we process, such as our employees, children, students and participants. If personal data that we have collected is used for purposes other than those intended, processed improperly, or if they fall into the wrong hands, this could result in serious harm to individuals’ privacy. Many of the data concern children, whose data deserve special protection.
Protecting the privacy of our children, students, guardians, adult participants and employees is an important issue for AcadeMedia. This means that we who work at AcadeMedia must manage data in a secure and responsible manner.
The purpose of this policy is to clarify what AcadeMedia’s must do in order to ensure that the privacy of our participants, guardians and employees is respected and that all personal data are processed in accordance with the data protection regulation and other applicable data protection legislation. This policy contains information on (i) the allocation of responsibility for these issues within the AcadeMedia Group, (ii) the data protection regulation’s purpose and important concepts, (iii) detailed description of what constitutes personal data and (iv) what we at AcadeMedia must generally bear in mind when we process personal data.
AcadeMedia’s organisation for personal data processing
At AcadeMedia, the controller’s role for personal data belongs to the operation that directs the processing of personal data concerning children, students, guardians, adult participants and external customers and contacts. This means for example that Vittra AB has the ultimate responsibility for personal data processing performed at Vittra’s preschools and schools. AcadeMedia Support AB is the controller for personal data processing for all employees in Sweden. AcadeMedia’s operations outside Sweden are the controllers for all processing of personal data in their respective countries, including data about employees.
Every segment within AcadeMedia must ensure that there are specific guidelines for the application of this policy and that all employees comply with and are familiarised with the guidelines and associated procedures. The segments are also responsible for ensuring that all of their staff complete the Group’s web-based training on data protection, and otherwise provide their employees with sufficient skills and conditions to comply with the data protection regulation.
Each segment must ensure that the operations that make it up have at least one data protection officer with the operational supervisory responsibility for the segment’s personal data processing, as well as the responsibility for updating the segment’s list of personal data processing operations.
Information about data protection is gathered on AcadeMedia’s Swedish website, which also has policies, guidelines and templates that may be needed when addressing personal data issues.
The data protection regulation
The data protection regulation, or GDPR, is applicable law within the EU and thus Sweden as of 25 May 2018. It replaces the previous Swedish Personal Data Act (PuL). The data protection regulation is intended to protect people’s privacy when personal data are processed. The data protection policy applies to both manual and electronic processing of data, as long as the data are searchable.
Personal data are all types of information that can be directly or indirectly linked to a living natural person.
Personal data processing
Every action or combination of actions taken with regard to personal data, regardless of whether or not they are compiled automatically, such as collection, registration, organisation, structuring, storage, processing or change, production, reading, use, issue through transfer, dissemination or supply by other means, adjustment or compilation, restriction, deletion or destruction.
The party that determines the purposes and means of processing personal data (i.e. why and how the personal data are to be processed), acting alone or with others. The controller is nearly always a legal entity, company or organisation.
Data Protection Officer
A natural person who, after being appointed by controller, shall independently ensure that personal data are processed legally and correctly.
A natural person or legal entity, outside the organisation serving as controller, that processes personal data on behalf of the controller.
What is personal data?
As mentioned above, personal data are all types of information that can be directly or indirectly linked to a living natural person. Therefore personal data may be anything from a name and address to marks, absences, home environment, salaries, photos or audio recordings. AcadeMedia’s data protection assumes that personal data belong to the individual, and we only borrow them.
All personal data must be processed with the appropriate security and respect. The more sensitive the personal data are from a privacy perspective, the stricter the requirements are for protection and security. Therefore, when we process personal data we must continually consider and assess the sensitivity of the data from a privacy standpoint and tailor our security approach accordingly. Therefore we can divide the personal data into the following three categories for this purpose.
Non-sensitive personal data
Ordinarily data on names, addresses, marks, preschool, employer and customer relationships are harmless personal data.
Sensitive personal data
Sensitive personal data are a separate category in the data protection regulation, in must be processed with particular care. Sensitive personal data are defined as personal data that reveal information about the following:
- race or ethnic origin,
- political views,
- religious or philosophical beliefs,
- union membership,
- genetic data,
- biometric data,
- sex life, or
- sexual orientation.
Personal data that are sensitive from a privacy standpoint
There are several types of personal data that do not necessarily meet the data protection regulation’s definition of sensitive personal data above, but that are still sensitive from a privacy standpoint. Some examples are data about a person’s personal ID number, home environment, finances, behaviour problems and offensive treatment of others. As with sensitive personal data, such data must be processed with extra care, and only if necessary.
What is required when processing personal data?
The data protection regulation poses requirements for factors including how, where, when, how long and by whom personal data may be processed. The core aspects that we must bear in mind when we process personal data are listed below.
We must have support in the data protection regulation to process personal data. As long as we process data in order to perform our mission according to the Swedish Education Act, we can refer to the legal grounds that we are performing a task in the public interest or as part of our exercise of public authority.
Other legal grounds that are relevant to personal data processing in our operations are:
- Legal obligation. For example we are obliged to process personal data in order to fulfil our obligation to keep accounts in the Swedish Accounting Act or to fulfil our obligations under collective agreements.
- Contracts. To fulfil or enter into employment contracts, customer agreements and supplier agreements for example, we must process personal data (but only the data needed to fulfil the agreement).
- Balancing of interests. It is also possible to process personal data after a ”balancing of interests” if we can show that our interest in processing the data outweighs the individual’s right to privacy. In many cases we can use the balancing of interests as grounds for processing personal data in marketing and direct advertising.
- Consent. Another option is to ask the permission of the person concerned to process data about him/her. This is called obtaining the person’s consent. Consent must be a freely given and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her. The person must receive clear information about which data are collected and for what purpose in order to be able to provide their consent. We must be able to show using written documentation that we received consent. We only use consent when none of the legal grounds above are applicable.
On legal grounds in the processing of sensitive personal data in particular. The basic principle of the data protection regulation is that processing of sensitive personal data is prohibited. However there are exceptions to this basic principle. Sensitive personal data may be processed if there are particular legal grounds for such processing. The legal grounds for processing of personal data are somewhat stricter and fewer in number compared with the grounds for other personal data.
A vast amount of sensitive personal data is processed in our operation, for example in the context of student health and in the management of support needs and allergies. The legal grounds for our processing of sensitive personal data can, in most cases, be supported on the legal grounds that it is necessary in view of an important public interest.
When we collect information about a person, we must inform the person concerned and/or guardian about how their or their child’s personal data are processed. The information that must be provided includes who is the controller, the personal data collected, the legal grounds for the processing, the purpose for which the data are to be used, how long the data are to be stored, where the person can lodge complaints and the right of the person to have access, for example, to their personal data and request correction of incorrect data. All information must be gathered at trygg.academedia.se. The respective controllers at AcadeMedia are responsible for keeping their information updated.
Collect only the data needed for the purpose
Personal data may not be collected or saved data because they are good to have. We must ensure that the data we want to collect are necessary for the purpose of the processing.
Use only the data for the purpose described during collection
Personal data may only be collected for particular, explicitly stated and justified purposes. The data may not be processed later in a way that is incompatible with these purposes. This means that data collected for a particular purpose may not be subsequently used for completely different purposes. Thus we may not collect student data in order to keep a register of computers that have been lent out, and then use the data to market our other schools.
Ensure that the data are correct
The personal data that we record must be correct and updated. Therefore, the party processing personal data must take all reasonable steps to ensure that incorrect personal data are deleted or corrected without delay. This means that if a student contacts the school and notifies the school that the student’s address is incorrect in our systems, the school is obligated to correct the data.
Save for as short a time as possible
We may not save personal data for longer than needed for the purpose. Once they are no longer needed for the purpose for which they were once collected, they must be deleted. For us, for example, this means that data about students or participants who no longer attend our schools must be removed from IT systems and other places where they were saved. However in some cases we need to save the data for a longer time, for example when this is legally required or it is necessary to save the data for other reasons.
See AcadeMedia’s purging and archiving plan for information on which data must be saved and for how long. [Swedish version in preparation during spring term 2018.]
The rights of individuals
According to the data protection regulation, the people whose personal data we process have certain rights. For example, they have the right to access their personal data, as well as to have their personal data deleted or corrected. All requests from a data subject to exercise these rights must go through the operation’s data protection officer. In the event of uncertainty about how to respond to a request, the data protect officer must always contact Legal and/or IT.
All personal data within AcadeMedia must be processed using appropriate security measures that are tailored to the sensitivity of the data. Therefore we employ the following security measures at AcadeMedia:
- Authorisation management. Only those with a need for data may process them.
- Encryption. E-mail within AcadeMedia is encrypted when it is sent over the internet, and in addition there is the ability to password protect a file, which ordinarily means that the contents are also encrypted. Our cloud-based storage services (Google and OneDrive) are stored in encrypted form in the cloud.
- Sharing platforms. It is possible to share a document stored in a cloud service (such as Google Drive) rather than e-mailing it, which means that it is possible to control access to the information afterwards as well.
- Strong authentication. Selected services within our IT environment can have strong authentication, such as single-use passwords or BankID.
- Anonymisation & masking. Data displayed in many of our systems can be anonymised in order to avoid showing data at an individual level.
Personal data breaches
Examples of a personal data breach may be a USB memory with personal data that is lost, a data intrusion into one of the company’s servers, or an employee viewing personal data without authorisation. All personal data breaches must be reported to the data protection officer immediately. See also AcadeMedia’s information security policy, which describes the response to information security incidents.
Data processing agreement
If we have an external party such as Schoolsoft or Benify process personal data on our behalf, an agreement that governs the processing of personal data must always be signed. Among other stipulations, the agreement must state that the supplier may only process the personal data according to our instructions, and that the supplier is obligated to maintain satisfactory security. AcadeMedia’s template must be used for the Swedish operations; Legal or IT must always be involved in the case of any exceptions.
Camera surveillance entails the processing of personal data. All recorded video material must be regarded as personal data that are sensitive from a privacy standpoint, and the material must be treated as such. Camera surveillance should not be the first solution chosen. There are frequently other ways to address disturbances and the like, and they should be preferred over camera surveillance.
For an operation to be allowed to mount surveillance cameras, there must be an interest in surveillance that outweighs the interest in privacy. The head of the educational facility in question is the one who must demonstrate that there is legal support for the camera surveillance. The operations manager must always contact Legal for support in this assessment and advice on the regulations.
Protected personal data
See AcadeMedia’s documentation for managing protected personal data, which is available on the employee website in Swedish.