 Good afternoon. I'm here with Marie Cruz Carrierejo, who will be having a session today around data protection law for educators, and we'll be asking the question, how much do you think you know? So over to you, Marie Cruz. Okay, thank you, Johnny. Good afternoon. Buenas tardes. Thank you very much for joining this session. Before we start, it's just to let you know, I'm not myself an expert in data protection law, and it would be very pretentious to me to say that I know everything about data protection law. I am a digital learning expert or learning technologist or educator, like I imagine that most of you that are joining the session. But I think during the last year, I was involved in data protection impact assessment, which is something I'm going to talk about in my presentation. And I was really, I have the honor and the privilege to work with our information governance department and our data protection officer in the institution I am currently working with. And I learned a lot about data protection. And I thought, well, the latest changes that has happened and the impact that they have when we assess learning technologies, when we recommend learning technologies, when we use learning technologies with our students and our staff, I thought this is something definitely that my fellow educators and colleagues should know. And I am very happy to have this interactive session. Don't worry, it will not be me talking about data protection law, but I am very happy to have this interactive session to raise awareness and to raise debate. And just to let you know that just always contact your data information office, your data governance department. That would be the key message from this session. And I must say, well, at this very moment, and for this interactive presentation, there are two technologies that are new to me. One is a string yard that I have a first session with Emma on Monday, and this is my second session. And on top of that, before knowing a string yard was the software used for this conference, because I was expecting collaborate all throughout teams, I have the happy and I don't know if a brave idea of having a interactive quiz using turning point as the tool for the quick, for the quick, sorry. So I'm going to run a presentation in a small laptop using two technologies that one of them is relatively new and the turning point I have practiced over the weekend. But I cannot see both screens at the same time when I go to PowerPoint to launch a turning point, I will not see this screen. So if there is something which is not working or the screen has been sharing, or you have an issue, you can hear me or something, please shout at me because I will not be able to see the chat. And I think there will be time for answering your questions if I come at the very end of the session. And I think without further ado, I go now to my PowerPoint presentation. You are seeing the first slide. Just a couple of things of operational points I want to make. We are going to use an interactive quiz using turning point. We will do the quiz first. You will be able to see what is the right answer. There is only one right answer. Is it true or false, or choose the right answer. If turning point does not work in your end, you don't need the app. But if turning point does not work in your end, don't worry. Just write down what you think is the correct answer of the quiz. And when we finish the quiz, we will go through the answers. And I will use some feedback and some information about data protection law and the last updates. Hopefully we will be in time. We will be finishing in time. And now without further ado, let's start the quiz. As I say, let's go to the quiz first. We see the correct answer and we go through the explanation later. And you don't need the app of the turning point for those who are new. You just type the URL I am showing in this slide. It's www.ttpoll.eu. And you will be asked for a session ID. This is the session ID. If you don't, it can open turning point or it doesn't work to you, just write down the answers. And now a finger crossed the poll will be running. I have to start. Sorry. Just going through the poll as well. Sorry. My apologies. This looks like it's not picking up the turning point up for whatever reason. That's why we have the initial issues. So I just want to try again. I'm going to try last time opening the PowerPoint. But if not, I have a plan B. And I apologize for this, which is using a PowerPoint presentation with no turning point quiz at all. It's just a normal PowerPoint presentation. So let me just go through this one more time. Through this one. No, it's not running. So what I think what we are going to do is we are not going to use turning point. And I give you some time to write out around the answers and the correct answer. And then the presentation will show the correct answer if that's okay. Okay. So I just want to share again and the presentation. I'm sorry for this again. So for a reason, I think I would have to restart the laptop. I'm not going to do that. So what we are going to do is I am going to give you some time so that you can write out your answers. And then you will see the correct answer. I hope everybody is happy with that. And I hope you are seeing my screen. Johnny, if you can let me know if the screen, my screen is being displayed and everybody is okay with that. Hello. The screen is certainly there. I can see it now. Okay. Because as I said, I cannot see the chat in the laptop screen. So with this one, I think also already that the correct answer is the D because I accidentally revealed that one. So we go to the second question, which is according to the data protection app 2018 would be legally responsible for complying with the new UK general data protection regulation. So I give you a couple of seconds so that you choose. And the answer is the data controller. And we will see the explanation later. So the third question. When students complete an online survey on digital literacy, they have the right to, if you want to select the right answer, what you think is the right answer. And the right answer is A, being informed about how the data are being used. Question number four, when we use learning technologies, these learning technologies must never be used to record spatial category data. And because only certain systems can record a spatial category data and without spatial authorization. And you need to choose if the statement is true or false. And the correct answer is false. Question number five. And I think I'm not going to read the questions because I distract your attention. And I want you to read the question and to decide which is the right statement, if it is true or false. And the correct answer is B. Question number six, there is only seven questions for the quiz. And this question and question number seven are the mocks complex questions and keeping an eye on the time. But these are the most complex questions. So I'm going to give you just additional seconds so that you can decide and you can read the three statements and choose. Don't worry if you don't know the right answer because we will see all the questions. And I'm going to now reveal the correct answer which is question number six. As I say, this question and the next one are complex and we will go through the explanation in brief. And finally, the last question and the correct answer is question number A. Nothing has changed until the UK loses its adequacy status for the European Union. I'm going to stop sharing my screen for a second because I want to go back to the stream yard window and I want to know through the chat, apart from this technical issue that we couldn't use turning point. I have my whole family testing it over the weekend and now it didn't work. But apart from that, how do you find the quiz easy, difficult? As you saw, I chose examples that are relevant to our daily activity as a learning designer, as learning technologies, as a digital educator. So could you just comment through the chat how you find the quick easy. I know some of the questions are tricky and I must say this quiz has been checked by our data protection expert and you might think some of the questions were right to me, but there is always a little detail that made the question wrong. But I would have failed the quiz myself, I must say, but I'm glad that our data protection expert provide feedback and review the quiz. So can you just through the chat, I imagine, I don't know if they can, participants can use the microphone or no, but I imagine they come back and can you tell me, did you find the quiz easy, did you find the quiz difficult? Yeah, yeah, I mean, I was looking at the commentary of people who were answering the questions in real time as they were answering them. And I think it would be fair to say not 100% of people got them right 100% of the time. I think that would be a fair summation. So yeah, I think people would have found them to be difficult. Yeah, yes, I think, well, some of them, they were easier than others. But the last two, I must say I have to research myself and I have to look at several documents I'm going to share with you. But I didn't pretend that you knew all the answers. And as I said, I'm not an expert. What I wanted is that this session is like a for raising awareness so that to raise debate so that you know about data protection law about what the changes that are happening, I must say before I discuss the feedback or the results with you and give you the explanation, the questions and the answers, the legislation or the provisions I'm going to give you are in vigor at this very moment and this very month. It might be that in January, in the next three months, in the next four months, they are incorrect. There are some changes, because I do know that there are changes coming. There is a possibility that the United Kingdom might lose their adequacy status. There's something that my data protection officer told me, but we are now focused at that very moment on what is correct and what is in vigor at this very situation. So now I'm going to go to share my screen with you and we are going to go through the explanation. Because I share the PowerPoint screen with you, I don't see the chat. So, Johnny, I think you tell me if my voice fades or the screen, there is something drawn or there is a question in the chat that I should look at. Please give me a shout and let me know. Yeah, and I am conscious of the time as well, so I just tell me when it's five minutes too, so that we need to finish. I think this is the first question and I think this is the easiest one. I just wanted to give you an overview of what is the main data protection legislation currently in vigor, which is the United Kingdom General Data Protection Regulation, which is very much the previous European Union General Data Protection Regulation that has now been embedded and is retained as a domestic law, but the United Kingdom has now the independence to have this legal framework and the review and the government can make changes, and is the UK General Protection Regulation alongside with an amended version of the previous Data Protection Act. This Data Protection Act has three parts, as you know, only the second part, general processing is relevant to universities, to colleges, institutions, and to very much to us. There has been an amendment, there is one of Chapter 3 of this part that has been changed because now we have the UK General Data Protection Regulation, but I don't think I'm going to go into details because they wouldn't be relevant to our daily work, so it's just so that you know that this is the main legal framework. That was the explanation which I have just been told you. These are the two sources that I would like to share with you and these are the two sources that I have been using for the whole interactive quiz, which is the government page on data protection and the United Kingdom Information Commissioner Office, which is something, I don't expect you to go there and I don't expect to read obviously everything which is there, but keep those two links as reference points because if you work in data protection and you have to do data protection impact assessment, you will probably will need these two links. So now we go to the next slide and this one according to the DPA 2018 would be responsible for complying with the UK GDPR and the answer is the data controller and let's see why. Well these are the legal terms defined by the DPA, so the controller is the institution, the authority, the body that decides the purpose and the means for processing the personal data. The processor is the agency authority institution or body that processes that the personal data on behalf of the controller. In terms of, sorry, just gonna go to the, just yeah, who is legally responsible for complying with the UK GDPR legislation, the data controller are legally accountable and I'm using the term legally accountable. The processors have also accountability if there is any data breach, but the entity or the body who is legally accountable and responsible for any data breaches that their processors might have done is the data controller and in this case, if we work in universities, if we work in colleges, we are, usually we are the data controller, so we would be legally accountable if any of our data processors have any data protection breach, if there is any breach in the data that we allow our processors to record, to save and to process and we also have the data sites where the individuals with personal data is collected. We have the term personal data, which is different than the term spatial categories data. Personal data is any data that can be used to identify an individual, either if it is directly or indirectly via a combination of factors. And I want to highlight the terms indirectly, because when you are working with learning technologies, I have seen a lot of course leaders and I have seen a lot of fellow technologies that they think it is not personal data because you can not, it's not your name, your last name or your address, but it can be a personal data when it records a particular characteristic or attribute of someone that alone or in combination with other attributes or characteristics can identify potentially that individual. For example, if you are recording the location or you are recording if someone is a British or no British citizens by itself, that is not personal data, but if you are in another department in which you know there are 10 members and only one of them is not a British citizen, that could be then that record if someone is British or someone has a British passport or not could be seen as personal data because you could identify which member of your department is that person. So that's why we need to emphasize that there are many data that we might record and use when you are using learning technology that could be seen and could be considered personal data as well. So question number three, and this is a very common example, we have students or staff that complete an online service, they have the right to be informed about how the data is being used. What happened with the other two questions, do they also have the right or not? So what the data protection law and the regulation says is the data subjects, our students under certain conditions, and I highlight these certain conditions that they are in the DPA, they have the right to ask their personal data and to delete their personal data, but this does not apply when the data are being kept anonymized, when that data cannot be there for use to identify the data subject. It is very common that people think no, data subject, students and staff always have the right to access all the data and to know their data and to delete their data. Well, this is true only partly and only under certain conditions. We don't have time now to see all those conditions and I think that's how I have given you the link at the very end about data protection and the DPA of course, so that you know which conditions students and staff and data subject can be granted access to their personal data and can request that their personal data can be amended or deleted. Obviously, if you don't want to read the whole circumstances, always the data protection officer is the first contact person and I'm sure he or she will know this very well. Question number four, this is something also a common myth, a common misunderstanding that in learning technologies we never and we usually we never record spatial category data and I'm going to explain what they are because only certain systems can do that. Special category data are data of very, very sensitive nature. If you can say, for example, someone's sexual orientation, someone religious affiliation, someone if they have any disease, any disability, so these spatial category data are protected by the Article 6 and personal data is also protected by Article 6 and Article 9 of the DPA, so they have like an extra provision to protect when this data can be recorded and when and how this data can be processed. It's a very common myth and a multi-technologies, I have seen that in learning technologies we never record spatial category data because this is very sensitive, we don't do that, that's wrong. We do sometimes have to record spatial category data and we do that for the sake of equal opportunities. For example, we need to know if someone has a disability or not or we can use technologies that allow us to identify if someone has a disability or not and that's fine provided we fulfill the requirements for storing and recording spatial category data and what are these provisions? Article 9 states 10 circumstances or 10 assumptions under which we can record and process spatial category data, but usually when it comes to learning technologies we do that because the recording and the processing of the data, spatial category data is based on explicit consent from the data side yet, but be careful because if we use learning technologies and record spatial category data based on consent we need to provide mechanisms as well so that the data side yet can withdraw their consents. So what we do in data protections assessment or when we need to record spatial category data is we use the assumption that the recording and the processing is in substantial interest and is necessary for monitoring and promoting equal opportunity. For example, always as an extra precaution learning technologies can record spatial category data as long as the processing does not involve any of these two assumptions that is carried out when the data side yet has as to stop processing the data and when can cost a substantial damage or substantial distress to the individual. So as long as these two assumptions are not happening learning technologies can record spatial category data as long as is under any of the 10 assumptions of circumstances described in article number nine. Question number five and just checking the time I think I need to speed up a bit. Well we use and this is a real example an online service and we use experiments and we think they cannot they do not include personal data so an impact assessment is not needed and that's their own assumption. When we run a data protection assessment when we collect or use personal data when we use free software or software that requires approval and obviously when the processing involves high risk to individual assessment software always have a data protection impact assessment in place. When we use online surveys and online experiment software even if we don't record explicitly personal data we might record a trail of online interactions of the of the participants and that could potentially help to identify specific individuals and that's what a data protection impact assessment is needed but always when you buy new software and you use your software always check with your data protection officer if a data protection impact assessment is needed or not or which parts of the assessment will be needed. Question number six I think in this case the answer is the at this very moment if questions see and I'm gonna go I just gonna go quickly through the answer to this. This is the what is gonna be the new legal framework and the new provisions for data protection law these are the ICO has a public consultation that ended in October and this public consultation document included a new risk assessment risk transfer assessment and tool that is is gonna be used for transfer of international data with three countries like the United States so and also this consultation document include a new international data transfer agreement which is addressed at the moment and the expectation is that this new international data transfer agreement should will be used for those services that involve the transfer the international transfer of data with other countries and which countries that do not have the status of adequacy for the United Kingdom government and I will explain what adequacy means in brief. Very important adequacy I just tell you this a country is considered adequacy when the legal framework of that country data protection wise has been assessed and has been considered adequate to provide legal safe work to of the data is the the United Kingdom government the United Secretary who decide which countries has adequacy regulations in place to consider that is safe to exchange data with those countries the United States are not yet in the list of countries that the United government consider adequacy so that would not apply when that not apply there is another legal mechanism which is standard contractual clauses and this is a mechanism that can also be used and the ICO recommends to use this as a legal safe work to comply with the transfer that the restricted transfer rules that a supervised or that regulates this change of data between countries countries when I use the term restricted transfers is because in the ICO consultation document they call this international transfer restricted transfer this is a term that they introduce and they explain restricted transfers are for example transferred between the United Kingdom and an organization in the United Kingdom and an organization in another country and just to mention these standard contractual calls the ICO provide a template to use those clauses if you want to use as a legal safe work guard this one you don't probably have to worry so much but the data protection officers in your organization the translation of this is they might have to modify and they are probably modifying the templates that you use at the moment or the data protection in past assessment of if you are using data protection agreement with third party countries countries which are not in the European Union and they will have to make changes to incorporate these new dispositions the last question I think Johnny just tell me we are okay I just finished with that is well in this case the the provider is within the European Union is a European provider so this is how the adequacy regulations came in place this is for you I'm going to provide at the end of the presentation the link so that you can download but I think for the sake of the time you don't I'm not going to explain now how adequacy regulations came in place just to let you know both the United Kingdom and both the European Union consider adequacy regulations adequacy status as the best way to transfer data between organizations which are in two different countries as long as both countries fulfill this adequacy condition so the United Kingdom has a lot of countries that fulfill these adequacy decisions so the United Kingdom government stipulates and considers that the data protection law and regulations in those countries is safe enough to allow the transfer of data from the UK and to protect our rights as data side yet and then when that's the case you don't need standard contractual clause or you don't need extra data protection agreement when a country is considered adequate or when there is adequacy status it's fine to exchange data from the United Kingdom and I think I I'm going to stop sharing now as I said I just want to see how is the general feeling through the chat and pick up things I mean I just want to share the screen with you and I just tell me Johnny if I mean anything in the chat about that I don't think the participants cannot talk no they're unable to talk here no so um there was I think we were talking earlier I think it's it's a complicated subject I think it's difficult for everyone to have handle on all of the conditions one thing that did come up was Kate been saying that she doesn't know how this applies to an EU country so this is another layer of complexity over the top of what people think they know about GDPR just because they're not entirely sure how we how we affected post Brexit and there was some some lively discussion around what constitutes personal data and Neil said it's images voices or personal opinions yeah someone was saying photographs of hands if they have identifying features or scars or fingerprints even so it be quickly you know it was there were a lot of observations around that particular element of what you were talking about so in terms of questions that they were mean your explanation was quite full so I think people you know found that adequate you know and fulfilling but um but there were just a few a few comments around that so um so my my my last key point and thank you all of you for for bearing me through this planation that is it's really there are going to be changes coming the way we do our data protections assessment might change because the it's likely we are going to have to do now if we exchange with third countries like the United States which are not have adequacy we have to do something else our information governance officer they will tell us and I think the message from the European Union is and I double check this with our data protection officer if you use a provider which is in the European Union at this very moment it's fine you don't have to do anything because we have adequacy status both the UK and the countries within the European Union and the other thing is please if you use free software or when you think by software through procurement always run data protection impact assessment when I is very common and I did myself when I was teaching in university courses I do use free software I did not go I confess I did not go through any data protection impact assessment but that's an example of what you never use you might not have to do a whole assessment just check with the your information offices but it's always good to have in mind these data protection kind of mindset that we cannot use any software or any third parties of which is always internet without making sure that we safeguard legal rights of our staff and students our data science and that the data that is recorded there is protected and is in well sense I think to share the presentation with them it would be through out Johnny so you could put it in the discord chat or if you put it in the private chat now I can post it into the comments you you mean the presentation or I thought you're going to link to the presentation or the presentation do it through through walls yeah um yes I do but I have closed the just let me just one thing and people I have the link here so I might be able to share the if you share the link with me and I can put it into the comments so that you don't have to yeah well thanks very much for that Marie Kluth that is a fascinating subject but like all sort of paralegal matters it does quickly get very very complicated as anyone who's got a passing interest in copyright will be able to attest so I just shared the link with you thank you everybody for joining my session thank you very much and I hope you have enjoyed the rest of your evening thank you very much Marie Kluth okay so uh you've finished bye everybody