Are you planning to conduct a survey within your organisation? And do you sometimes wonder when you should or should not carry out a data protection impact assessment (DPIA)?
The Belgian Data Protection Authority (BDPA) published on Monday a decision of its Litigation Chamber that contains various tips in this respect.
The case concerned a school that conducted a wellbeing survey for pupils through a popular digital platform for schools in Belgium, Smartschool. The Litigation Chamber criticised the manner in which the school set up the survey, and ended up fining the relevant controller (in the present case, the school board rather than the school itself, due to its role as school authority in Belgium) the sum of 2000 EUR. In addition, the Litigation Chamber required the school board to bring the processing in line with data protection legislation.
Key takeaways can be summarised as follows:
1. Is personal data (including identification) needed for a survey? [data minimisation]
The GDPR requires controllers to ensure that personal data are "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (principle of "data minimisation").
In this particular case, the surveys involved the collection of personal data not only regarding the pupils completing them but also regarding other pupils mentioned in their answers. However, the school board appears to have admitted to the Litigation Chamber that fully anonymised survey responses would have been sufficient for the purpose of the processing, described here as "pupil support". Based on this admission, we assume this was not personalised pupil support.
Taking this into account, the Litigation Chamber considered that the processing described was excessive and that the purpose could have been achieved by other means. Put differently, this particular survey did not require identification and the survey responses should have been properly anonymised, according to the Litigation Chamber.
In addition, because identification is required prior to any use of the platform in question (Smartschool), the Litigation Chamber stated that it was important to determine for future surveys whether anonymous surveys through the platform in question enable (re)identification – in other words, if fully anonymised responses are a possibility. This reasoning is relevant for all platforms through which a survey is carried out: how anonymous are the responses in reality?
In practice: When preparing a survey, check whether you need identification or whether anonymous responses are sufficient. Also check all questions to limit the processing of personal data wherever possible.
2. Does a privacy link in the footer suffice for information purposes? [information & transparency]
Under the GDPR, the controller is required to provide information to data subjects in relation to the contemplated processing.
In the present case, according to the Litigation Chamber, the school board did not provide sufficient information to pupils. The school board had suggested that it had provided sufficient information through its request for participation. However, the Litigation Chamber disagreed, stating that pupils (younger than 13 years old), when receiving this request, could not be expected to consult the privacy statement and the school regulations.
In practice: When conducting a survey, consider your audience when deciding how to refer to your privacy statement. Based on this decision, a link in the footer of the survey participation request is unlikely to be sufficient, in the eyes of the BDPA, to inform young data subjects; it may instead be safer to include introductory wording in the body of the survey request itself.
3. Is a data protection impact assessment (DPIA) required? [accountability]
When contemplating any "high risk" processing activity, a controller must carry out a data protection impact assessment (DPIA).
The concept of "high risk" gave rise to the publication by a pan-EU group of supervisory authorities (the Article 29 Working Party or WP29) of guidance on DPIAs, with 9 criteria that enable controllers to determine whether or not their processing activities are "high risk". This WP29 guidance was later endorsed by the WP29's successor, the European Data Protection Board (EDPB). The rule of thumb under the WP29 guidance is that if 2 or more criteria are met, the processing is automatically "high risk". According to that same guidance, processing activities started before 25 May 2018 (the date on which the GDPR became applicable) that meet those WP29 DPIA criteria do not require a DPIA, unless the risks have changed since then.
In Belgium, the BDPA adopted its own list of 8 scenarios in which a DPIA is automatically required (with many of these scenarios combining two or more of the WP29 DPIA criteria in practice).
Under the WP29 guidance, the contemplated survey would have required a DPIA:
- it involved minors, who are a vulnerable category of data subjects (as are employees and patients) – itself a WP29 DPIA criterion;
- some of the questions related to the mental and physical health of the pupils, i.e. special categories of personal data within the meaning of the GDPR – and the processing of such forms of sensitive personal data is also a WP29 DPIA criterion.
However, the contemplated survey does not fall within any of the 8 DPIA scenarios of the BDPA.
The Litigation Chamber therefore considered the actual processing:
- There was processing of sensitive personal data, but this was not large-scale processing given that it only concerned first-year pupils, not a large number of data subjects "at regional, national or supranational level" (note that "large scale" is one of the WP29 DPIA criteria).
- Inasmuch as the controller processed health-related data, this was "indeed an existing processing activity with a high risk", but there was no change to the processing activity since 25 May 2018.
This reasoning raises more questions than it answers, insofar as the Litigation Chamber does not state on which basis it considers this particular processing activity to be high risk. If it relied on the WP29 DPIA criteria, why did it mention the "large scale" criterion rather than focussing on the "vulnerable data subjects" one? If it applied the BDPA criteria, why did it conclude that the processing was "high risk", given that it does not match any of the BDPA's DPIA scenarios?
In any event, it shows that it is crucial for organisations to document their choice on whether or not to carry out a DPIA.
In practice: Always document the process that leads you to decide whether or not to carry out a DPIA. If your contemplated processing is not covered by the BDPA's list of 8 mandatory DPIA scenarios but meets one of the WP29 DPIA criteria, be prepared to justify your choice.
This case shows that organisations still have a way to go in implementing and embracing the principles of data protection. At the same time, as the reasoning on DPIAs shows, the regulators themselves appear to be searching for their own interpretation of the rules. It is a learning process for both sides, so if you feel like you need assistance in the process, do feel free to reach out.
The decision is currently available in Dutch only.