In response to my blog, I was asked if I could explain social media and webcare by educational institutions in relation to the GDPR / AVG. Take a seat: it will take you 10-15 minutes to read, but afterwards you will be fully informed.
GDPR / AVG in (very) short
The GDPR / AVG is a European regulation which replaces the Dutch Personal Data Protection Act (Wbp), the Dutch implementation of the EU Data Protection Directive from 1995. The GDPR / AVG was adopted by the European Union in 2016 but only applies from 25 May 2018. The 1995 rules had become obsolete as a result of the changes in the field of online communication.
The GDPR / AVG can have large implications for companies and institutions, and the fines for non-compliance can be large as well. The GDPR / AVG has consequences for every institution that processes personal data. Personal data are any data that can be connected to an individual or with which an individual can be identified, directly or indirectly: name, photo, telephone number, address, bank account number, e-mail address, IP address, fingerprint, medical data, etc.
Impact of GDPR / AVG: All organizations
The impact of this new law is so great because, among other things, it applies to all organizations that work with personal data. These range from the obvious parties such as hospitals and tech giants such as Google and Facebook to the bridge club in the village with an Excel list of e-mail addresses of everyone who has ever come to bridge on Wednesday morning, and all organizations in between.
The following rules must be followed:
- Transparency: The person whose data are processed (stored in a system or in lists) is aware of this, knows on which basis it is done (for example their consent) and knows their rights
- Purpose limitation: The personal data are collected for a specific, legitimate purpose and may not be used for other purposes. When data are analysed for trends or statistics, the results may not be traceable to an individual.
- Data minimisation: Only the data that are necessary for the intended purpose may be collected
- Accuracy: The personal data must be and remain correct. Everyone has the right to inspect the data that have been processed about them and to have them corrected
- Storage limitation: Personal data may not be kept longer than necessary for the intended purpose
- Integrity and confidentiality: Personal data must be protected against unauthorized access, loss or destruction
- Accountability: The controller must be able to demonstrate compliance with these rules
What do we mean by social media and webcare at educational institutions?
The subject of the GDPR / AVG is huge, so for this blog I am limiting the discussion to social media and webcare. I am therefore not going to discuss P&O / HR or the education-supporting aspects of the GDPR / AVG. Nor do I go into the use of CRM systems for purposes such as recording alumni data (for community building and lifelong learning) or company data (for collaboration and financing), although those are definitely things that educational institutions should also look at.
The description of social media and webcare at educational institutions used in this blog is the following:
The use of non-proprietary platforms for monitoring, interaction and content creation, where:
- monitoring is searching for (combinations of) keywords, including hashtags, that are relevant to the educational institution
- interaction can be divided into reactive and proactive:
  - reactive: responding to questions that are asked
  - proactive: addressing themes and topics that the educational institution expects will affect it
- content creation is placing your own content on platforms, with the aim of strengthening the image and brand, distributing news, recruiting, and encouraging interaction and sharing
Social media: Online platforms where users (with an account) are able to interact and can build their network by connecting virtually through their existing network. Services such as WhatsApp and Facebook Messenger are therefore not covered by this definition, but I will discuss them anyway, since these services are used to carry out webcare.
Interpretation of the GDPR / AVG for social media and webcare at educational institutions
First, I would like to say that the Personal Data Protection Act already contained a great deal about the protection of privacy and also that most institutions have been working on this for a long time. Furthermore, I think it is both good and useful for the regulations to be tightened across Europe.
According to the GDPR / AVG, personal data in the context of social media and webcare include a Twitter handle, a Facebook name, personal URLs (for example on LinkedIn) and any information in a bio that can be traced back to an individual.
Relevancy of the GDPR / AVG for social media and webcare at educational institutions
You must be able to state for what purpose your educational institution processes personal data and on which lawful basis. For social media and webcare that basis will usually be the consent of the user, which is what this blog concentrates on. Note that there is a difference between mere agreement and consent as the GDPR / AVG understands it: consent must be freely given, specific, informed and unambiguous, so a pre-ticked box or silence does not count.
It is important that you make the privacy statement accessible (a hyperlink to the statement) in the places where your visitors disclose personal information to you, and that you make it obvious. A simple example is a link to your privacy statement next to your contact form.
If you collect data at an open day or another event in order to send information at a later date, you must say so at the moment of collection. Everyone must be able to indicate that they do not want to be contacted, and you have to abide by that.
The same applies to, for example, a prospective student on WhatsApp. Suppose someone asks a question about the admission requirements for a course and you need their country of origin, previous education and some additional details to answer it. If you cannot answer the question directly, you have to share the case, and thus also the personal data, with someone else, inside or outside your team or department. As long as the information you pass on cannot be traced back to the specific person, there is no problem. As soon as it can, you must first have their permission.
The conversation may then not be used for any purpose other than answering the question. After the question has been answered, the organization must remove the personal data from its systems (after the retention period you communicated). You have to record how you ensure this as an organization, for example in a protocol or process description.
The purpose of data processing must be lawful and clearly described, and the data may not be used for any other purpose.
The purpose of processing data in webcare at educational institutions is to answer questions. This can be a question that is addressed directly to the educational institution, but it can also be a public question that is not addressed to your institution at all, for example: "I am looking for a course in X but I still do not know in which city. Does anyone have a suggestion?" Once the question has been answered, the purpose of the processing has been fulfilled. Do not save the data.
When carrying out analysis, you can easily end up at the level of individual personal data. To continue with the same example: you could analyse everyone who has shown interest in a course on public channels but has not yet made a choice. That would give you a list of people you would like to contact with a mailing about the field or a relevant conference. Since you have never asked permission for this, you are not allowed to process or use the data of anyone on that list. You can, however, report within your institution about trends, the questions that arise and sentiments, as long as the reports do not offer the possibility of getting back to individual personal data.
You may not request more data than is necessary for your purpose at that moment, and you should be aware of this when running webcare. If someone asks "Can you tell me what time the open day starts tomorrow?", you cannot ask for their e-mail address so that you can send them a leaflet. Asking for an e-mail address is only justified if the person asks you to send them more information. Likewise, you cannot approach people who registered for an open day to invite them to a different kind of event at a different time.
The personal data must be and remain accurate. The person in question must always be able to view the data and to have them corrected.
You are obliged to remove personal data that you lawfully obtained for a specific purpose once that purpose has been accomplished. For example: you use a video on your Facebook channel that clearly shows students from your educational institution. You requested permission to use that video for an article on your Facebook page, and on the consent form you listed the names, e-mail addresses and signatures of the students. Strictly speaking, once the article is published you have to delete that data. That is not practical, because you want to keep the consent declaration for a while in case there is a complaint. In that case, formulate the purpose on the form differently, for example: "We keep this data for one year after the publication date." After that year, you delete the data.
Events such as open days are a good example of a place where you will feel the influence of the new law. In principle you cannot keep the data of people who register for an open day longer than the event and its follow-up, unless you can demonstrate that you need the data for longer. You must determine in advance how long and for what you will use that data, and communicate this explicitly to the attendees of your open day via your privacy statement.
Integrity and confidentiality
You must store personal data in such a way that they cannot fall into the hands of an unauthorized person. This means that you have to store the data in a secure environment. Determining whether the institution's network, the software or the cloud solution you use is adequate is the responsibility of you and your IT department; a spreadsheet on your own PC or laptop is usually not a good idea. In any case, you must actively keep track of and review the data you store, and ensure timely and complete deletion after the retention period you committed to at the time of collection.
If a data breach involves personal data, you as an organization are obliged to report it to the regulator. That is already the case under the current Dutch law. The GDPR / AVG imposes stricter requirements: a breach must in principle be reported to the regulator within 72 hours of your becoming aware of it, and you must keep an internal register of all data breaches, including those you were not required to report.
As an institution you are responsible for being able to prove that you comply with the GDPR / AVG. Upon request, you are obliged to show that your institution complies. You could do this by, for example, showing that you have a good privacy statement and that you have drawn up protocols and process agreements for processing data. Another example would be a scheduled reminder to delete the list of people who have asked a question via Facebook once its retention period has passed.
The question of how you, as an institution, deal with the GDPR / AVG can be asked during an audit by the regulator. Under the new rules, these audits will no longer only be aimed at institutions suspected of having problems (such as a reported data breach); the regulator can also decide to conduct a sector-wide audit. If another institution has problems, it may mean that you will be investigated too. That is even more reason to have your affairs (demonstrably) in order.
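The two operational duties described above (purging webcare data once the committed retention period has passed, and reporting on trends without exposing individual personal data) are easy to state and easy to get wrong in a spreadsheet. The following Python script is an added illustration of both; it is not code from the original post, from OBI4wan or from any platform. The record layout, the retention periods, the handles and the dates are all constructed for this example, and the small-count suppression in the trend report is a design choice of this example, not a rule from the GDPR / AVG.

```python
"""Retention purge and identifier-free trend reporting for a webcare log.

Added illustration; not code from the original post or from any vendor.
The record layout, retention periods, handles and dates are constructed
for this example only.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class WebcareRecord:
    """One handled question. `handle` and `email` are personal data."""
    platform: str
    handle: str
    email: str | None
    topic: str
    purpose: str            # purpose communicated to the person at collection
    collected_on: date
    retention_days: int     # retention period committed at collection


# Constructed sample data (hypothetical people, handles and dates).
SAMPLE_RECORDS = [
    WebcareRecord("twitter", "@prospect_a", None, "admission",
                  "answer question", date(2018, 3, 1), 30),
    WebcareRecord("facebook", "Student B", "b@example.org", "open day",
                  "send open-day info", date(2018, 4, 10), 60),
    WebcareRecord("whatsapp", "+31 6 0000 0000", None, "admission",
                  "answer question", date(2018, 5, 2), 30),
    WebcareRecord("twitter", "@prospect_c", None, "admission",
                  "answer question", date(2018, 5, 20), 30),
    WebcareRecord("instagram", "prospect_d", None, "housing",
                  "answer question", date(2018, 5, 21), 30),
]

# Reference date used when the script is run stand-alone (constructed).
EXAMPLE_TODAY = date(2018, 5, 25)


def is_expired(record: WebcareRecord, today: date) -> bool:
    """A record expires the day after its committed retention period ends."""
    return today > record.collected_on + timedelta(days=record.retention_days)


def purge_expired(records: list[WebcareRecord], today: date):
    """Split the log into (kept, purged).

    Purged records must be deleted from every copy (exports, shared
    sheets, mailboxes), not only from this list; this function only
    tells you which ones are due.
    """
    kept = [r for r in records if not is_expired(r, today)]
    purged = [r for r in records if is_expired(r, today)]
    return kept, purged


def trend_report(records: list[WebcareRecord], min_count: int = 2) -> dict[str, int]:
    """Count questions per topic without carrying any identifier along.

    Topics asked about fewer than `min_count` times are folded into
    'other', so a reader of the report cannot single out one person by
    a rare topic. The threshold is a design choice for this example.
    """
    counts = Counter(r.topic for r in records)
    report: dict[str, int] = {}
    for topic, n in counts.items():
        if n >= min_count:
            report[topic] = n
        else:
            report["other"] = report.get("other", 0) + n
    return report


if __name__ == "__main__":
    kept, purged = purge_expired(SAMPLE_RECORDS, EXAMPLE_TODAY)
    for r in purged:
        print(f"delete: {r.platform} {r.handle} (collected {r.collected_on}, "
              f"{r.retention_days} days, purpose: {r.purpose})")
    print("trend report (no identifiers):", trend_report(kept))
```

Run as a scheduled job, the purge step is the "reminder to delete" made mechanical, and the report step is the only output that should leave the webcare team. Note that `trend_report` never sees `handle` or `email`, so the aggregate cannot be joined back to a person even if the report is forwarded.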
Platforms change conditions and functionalities
Educational institutions often conduct part of their online communication using non-proprietary channels such as Facebook, Twitter and Instagram. These platforms are themselves making a number of changes in anticipation of the GDPR / AVG. There is already less data available from Facebook events and groups and on Instagram followers, hashtags and locations. These developments have been accelerated by the Facebook and Cambridge Analytica debacle. The expectation is that the platforms will now start examining what is still permitted. As we approach 25 May, and in the period after it, we will hopefully gain more clarity.
Responsibility: system suppliers versus educational institutions
The responsibility for complying with the GDPR / AVG lies with the educational institutions themselves. In the GDPR / AVG that role is called the controller (in Dutch: verwerkingsverantwoordelijke). A supplier that processes personal data on your behalf, for example with a system that replaces your own, is called the processor. The processor must also comply with the GDPR / AVG's requirements. The institution is then obliged to demonstrate that it has chosen "a processor that offers adequate guarantees regarding the application of technical and organizational measures to ensure compliance with the GDPR / AVG's requirements and that the protection of the data subjects is guaranteed." This is laid down in the processor agreement you have with the supplier.
You can ask the suppliers of systems that process personal data for you to draw up such a processor agreement. Most large companies and institutions will already have offered such an agreement or are likely to do so in the coming weeks.
Our partner OBI4wan meets the GDPR / AVG for the products it carries (webcare, reputation management and bots) and is responsible for data protection as a processor of personal data. The purpose of processing the data is described in the of OBI4wan. OBI4wan states its responsibilities and will be ISO 27001 certified to provide even better information security.
Settings at group or page level
It is a good idea to check the privacy settings of your groups and pages and to update them if necessary.
According to the GDPR / AVG, you are not allowed to harvest personal data from platforms such as Facebook and LinkedIn for your own purposes, even if users have made that information public: the fact that data are public says nothing about whether you may use them. A user of a platform may approach others within that platform (it is a social platform, after all). The same applies to your webcare: questions that are put to you via LinkedIn or Facebook can be answered within the platform.
On Facebook pages you can, for example, choose not to allow the tagging of people, set an age restriction, or turn on a filter for unwanted words.
It is a good idea to link to the disclaimer page or privacy statement on your website from your group, page or corporate account on a social platform. That statement should then also describe how you deal with personal data on social platforms.
Principle considerations by the educational institution
As an educational institution, you can decide not to use platforms that you believe do not comply with the GDPR / AVG or with your own standards and values. The leakage of data from Facebook to Cambridge Analytica appears to violate the principle of "integrity and confidentiality". You could take a position by saying that you do not use Facebook for webcare and content creation, so that you do not expose your users.
As I already argued in my previous blog, I believe it is too late to decide to not use platforms such as Facebook for webcare and content creation