For a long time, the Danish Data Protection Authority has focused on the use of Chromebooks and Google Workspace (formerly G Suite for Education) in the municipalities. The use is widespread nationwide, but concretely the Data Protection Authority has had a pending case in Helsingør Municipality.
Thus, the Data Protection Authority made a decision in September 2021, where Helsingør Municipality i.a. was ordered to carry out a risk assessment of the municipality’s processing of personal data in the primary school using Chromebooks and Workspace. The Danish Data Protection Authority has now, on the basis of the documentation and assessment of the risk for the data subjects prepared by Helsingør Municipality, established that the processing does not meet the requirements of the GDPR on several points.
“Helsingør Municipality has done a great and skilled job to map how personal data is used in the primary school, but it also highlights the data protection legal problems that can be with the big tech companies’ ways of solving the task,” says Allan Frank, who is an IT security specialist and lawyer at the Danish Data Protection Authority.
The Norwegian Data Protection Authority finds that the municipality has not assessed any concrete risks in relation to the data processor construction. In addition, the data processing agreement states that information can be transferred to third countries in support situations without the necessary level of security.
Seen in light of the decision from September 2021, the Danish Data Protection Authority has now made a decision. It contains, among other things:
- Suspension of Helsingør Municipality carrying out processing where information is transferred to third countries without the necessary level of protection
- A general ban on processing with Google Workspace until adequate documentation and impact analysis has been made and until the processing is brought into compliance with the regulation
- Serious criticism of the municipality’s processing of personal data
The Danish Data Protection Authority draws attention to the fact that many of the conclusions in this decision will probably apply to other municipalities that use the same processing structure. The Danish Data Protection Authority therefore expects these municipalities to take relevant steps themselves based on the decision – even if the Danish Data Protection Authority is currently finalizing a number of cases concerning other municipalities.
Technology and its use are advancing very quickly. For a few years, computers and tablets have been used as work “tools” in many educational centers for students. As a father and technical specialist in cyber intelligence, there are several things that have always concerned me in the use of these tools.
On the one hand, a while ago, I wrote an article about this topic. I asked a student and her parents to show me what Google knew about that student. The student and her parents in front of her saw that Google knew things about the student, for example, that she had been watching on YouTube all the time. Google knew things, but the student and her parents did not know anything about this topic. The educational center did not inform them of how her daughter’s privacy would be managed while she used the Chomebook and Google Workspace. That’s why I wrote an article (view here).
In addition, those responsible for the center told me personally that they can have access to the content of what the user does with the computer and would also have access to geolocation, as they are administrators of the school’s computers. This would give options for someone to have access to very sensitive data. Then privacy is not guaranteed by Google or the educational center.
I have already commented on an important point, privacy. The second point would be the rights of students. Why can only Google be used? Students who wish to use a different email account or another service that is not Google, could not do their work, then the rights of free choice would be coerced, forced to carry out work with a tool that they do not want or that parents considered unsafe.
The dependence on technology is so great that many and many people do not care what violations it does, they do not think about whether or not it protects the privacy and rights of people.
What would happen if all fathers and mothers knew %100 how this system works? What would be its consequences?
For fathers and mothers, students… Search the Internet: “google my activity”, here you can see what information, from any Google account, Google saves. You will have options to disable tracking and “wipe” data.
A recommendation, if when you browse the Internet you have your logo with a photo or initials in the upper right, it is that you have the Google session started. In this way Google records your follow-up, you have to close the session, the same with the rest of social networks.
More info: https://www.datatilsynet.dk/afgoerelser/afgoerelser/2022/jul/datatilsynet-nedlaegger-behandlingsforbud-i-chromebook-sag-