
Treatment and protection of data in the educational field
Information on data processing and protection within the scope of the procedures of the General Directorate of Human Resources
General information related to the processing of personal data
The personal data provided in the procedures managed by the General Directorate of Human Resources are included in the processing for which it is responsible and which form part of the Register of Processing Activities of the Ministry of Education and Youth of the Community of Madrid.
These data are collected through different forms that exclusively contain the essential fields to be able to provide the requested service and that are strictly necessary, adequate and pertinent for its purpose and will not be used for purposes that are not compatible with the purpose that originated its collection.
In each form in which personal data is collected, the existence of the processing of this data and its main characteristics are expressly reported in compliance with article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (RGPD).
The security measures implemented to guarantee the security of personal data correspond to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of January 8, which regulates the National Scheme of Security in the field of Electronic Administration.
You can check the Register of Processing Activities of the Community of Madrid.
For any question related to data protection, you can contact the Data Protection Delegation of the Ministry of Education and Youth:
protectiondata.educacion@madrid.org
Calle Alcalá 32 - 28014–Madrid
Phone 91 720 4068
You can exercise your data protection rights by following the instructions indicated at this Internet address of the Community of Madrid. You must submit your application through the official registry.
Record of treatment activities
Registry of Treatment Activities of the Council (RAT)
It collects the information about the processing of the data and is incorporated, for information purposes, into the forms provided to the interested party for the management of each procedure.
It will indicate aspects such as the legal basis and purposes of the treatment, types of data, exercise of rights, term of conservation of personal data, etc.
What are the legal bases on which the processing of personal data is protected?
- Unequivocal consent, that is, a clear manifestation of the interested party's will.
- Contractual relationship: the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures.
- Compliance with a legal obligation applicable to the data controller.
- Vital interests of the interested party or of other people. It occurs in very special situations: for example, in a pandemic such as Covid-19, when a case or outbreak of COVID-19 appears in the educational center.
- Public interest or exercise of public powers.
- Legitimate interests of the controller or of a third party, provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, in particular when the interested party is a child.
Where is the RAT of the Ministry?
On the page "Record of Processing Activities (RAT)" of the portal of the Community of Madrid, which is accessed by following the sequence "Government action", "Legal information and legislation", "Data protection", "Record of treatment activities (RAT)".
Exercise of data protection rights
- What rights can the interested party exercise?
Right of information, access, rectification, deletion, limitation of treatment, opposition, portability of your data, as well as not being the subject of an individual decision based solely on automated treatment, including profiling.
- Before whom can we exercise our rights?
Before the Data Protection Delegate of the Ministry or before the person in charge of the Treatment of the data, within their field of competence.
- Who is responsible for data processing?
It is the person who determines the proper management of personal data in accordance with the provisions of the General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights. In addition, this person is also responsible for ensuring that the people who are part of the organization (employees), who in the performance of their work or functions have access to personal data, make correct use of them. Finally, this person is responsible for responding to requests for the exercise of data protection rights within their area of competence.
- How can the interested party exercise their rights?
By submitting a request to the Department of Data Protection of the Ministry. The person responsible for the Treatment must decide whether or not to respond to the request within a month, which may be extended to two months due to the complexity of the query or due to a high number of requests.
- Where can the interested party find the request to exercise the rights?
On the page of the Community of Madrid dedicated to "Data protection: My rights and their exercise", where the procedure is explained. The link to the form is as follows:
Obligations
The public employee has obligations both prior to acquiring the status of public employee, and in the performance of the job.
Obligations prior to acquiring the status of public employee
Obligation to interact telematically with the Administration
From August 24, 2021, it is mandatory that the personnel at the service of the Administration of the Community of Madrid and the participants in selective processes relate to this administration exclusively by electronic means (Decree 188/2021, BOCM 23.07.2021).
Therefore, people who want to acquire the status of public employee and who do not have an electronic ID, an identification system (IDentifies, Cl@ve) or a digital certificate must start the necessary procedures to obtain one as soon as possible.
Through the Telematic Notifications Service, the notifications made by the administration of the Community of Madrid will be received by electronic means. When accessing for the first time, you will be REGISTERED in the Telematic Notifications system.
Participation in selective processes
From August 24, 2021, it is mandatory that the personnel at the service of the Administration of the Community of Madrid and the participants in selective processes relate to this administration exclusively by electronic means (Decree 188/2021, BOCM 23.07.2021).
In accordance with the provisions of articles 12 and 14 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the use of electronic means is mandatory in the completion and presentation of applications for participation in the selective procedures managed by the General Directorate of Human Resources, except in duly justified cases established in the calls themselves.
Likewise, participants who have an electronic DNI or one of the identification systems or electronic certificates recognized by the Community of Madrid may also access certain data of interest. In the "Electronic Headquarters" section of the portal of the Community of Madrid, www.comunidad.madrid, the following options are available:
- "Citizen folder", from which to check the data of the file and the documents that have been attached to the application, as well as to provide documents during the processing of the file within the deadlines established for it.
- "Electronic processing guide", a document that explains how to carry out the procedures of the administration of the Community of Madrid online.
For the practice of notifications, when they have to be made, the General Directorate of Human Resources uses the Telematic Notification System of the Community of Madrid, so that citizens who participate in the selective procedures must register with it.
To do so, you can consult the instructions established on the portal www.comunidad.madrid, following the sequence "Electronic office", "Electronic Processing Guide", "Receive", "Electronic notifications".
Obligations in the performance of the job
Decalogue of good practices
The Data Protection Delegation has drawn up a Decalogue of good practices for the protection of personal data in the educational field. It is available in pdf format: "Presentation Decalogue PD"
Mandatory for teachers to use telematic means for distance training
The Educational Center is entitled to determine the technical resources that the teaching staff must use to meet the objectives of their educational project, and the teacher is obliged to comply by using the tools that the center has made available to them and that are appropriate at all times, so that all students receive the same information in conditions of fairness and equal opportunities.
Educational activity
Videoconferences and recordings can be made for educational activity and it is legal [article 6.1.c) and e) of the General Data Protection Regulation] because the educational function, which includes the use of all kinds of tools, is granted by the LOE, it is an obligation for the Administration to exercise it and the consent of those who receive it or those who impart it is not required for this. However, what cannot be done without consent is to broadcast (even if it is only to one person) or publish the recordings, because this constitutes another purpose, which can lead to a crime against privacy or an infringement of the Organic Law of Data Protection and guarantee of digital rights.
The classes can be broadcast live or recorded at the teacher's choice, and the cameras must focus only on the area where the teacher is located in the classroom, to avoid recording the students in person, the teacher being the one who must have control of the images and materials displayed to students.
The teacher's profile must be the administrator of the group, and the teacher is the one who grants entry to the class, directs the session, records it where applicable and closes it.
The information with educational or audiovisual content that is generated for the educational activity belongs to the Community of Madrid, regardless of the copyright that the teacher may have due to their creations or publications.
Hosting personal information on servers other than those of the Ministry should be avoided, so teachers should try to store all types of personal data in the Media Library with restricted access, in the Virtual Classroom or in the Cloud of Educamadrid, and avoid doing so on their personal devices (laptop, computer, external memory, etc.), because in the event of loss, misplacement or unauthorized access, there may be a security breach that should be reported to the Spanish Data Protection Agency.
Obligations in the use of corporate mail
The email service that the Community of Madrid makes available to its staff will be fundamentally for professional use, avoiding in any case its inappropriate use in a way that could lead to abusive consumption of network resources, fraudulent activities, etc.
The use of electronic mail is facilitated by the Community of Madrid, for the purposes of communication between an employee and another, or with persons or organizations abroad, for the purpose of professional activity.
The creation and forwarding of so-called "chains" (messages addressed to a group of recipients who are explicitly asked to forward them to a new plurality of individuals or groups) is expressly prohibited.
For security reasons, emails addressed to a plurality of recipients must be sent in such a way that each of them does not have the possibility of knowing the rest (with a blind copy).
Users should be aware that the Community of Madrid is identified under the domain name madrid.org or educa.madrid.org associated with their email address. Consequently, users will apply the strictest rules of professional courtesy, good faith and loyalty to the organization when writing emails.
Electronic communication on systems owned or supplied by the Community of Madrid may not contain content that may reasonably be considered offensive or disturbing, destructive or attacking the fame or honor of natural or legal persons or Institutions.
Those contents that, considered offensive, are sent to a generality of individuals, particularly if said generality is indiscriminate, will be considered especially serious.
Those contents that imply the knowledge and use of personal data or special protection, in accordance with current legislation on the protection of personal data, will be considered exceptionally serious.
Access to email must be done with a personal and non-transferable user ID and password. Consequently, the collective use of mail is prohibited. The user will have the necessary diligence to guarantee the custody of their passwords.
Obligations in carrying out non-face-to-face educational activities in educational centers of the Community of Madrid
GENERAL CONSIDERATIONS
The Spanish Agency for Data Protection (AEPD), in its "Recommendations to protect personal data in situations of mobility and teleworking", makes a series of recommendations addressed to the personnel who participate in the treatment operations, which are applicable to the teaching activity in schools:
- Respect the information protection policy in situations of mobility defined by the person in charge.
- Protect the device used in mobility and access to it.
- Guarantee the protection of the information that is being handled.
- Save the information in the enabled network spaces.
- If there is a suspicion that the information may have been compromised, immediately report the security breach.
Recommendations
Recommendations in terms of Data Protection and useful guides on Data Protection
Recommendations for the transfer of data to the legal representatives of the workers
The workers' representatives exercise surveillance and control functions, as established by current regulations (Statute of Workers, hereinafter ET, and Organic Law 11/1985, on Freedom of Association), and this legitimizes them to collect from the corresponding organizations (companies, entities of the Administration, etc.) certain information, which may eventually contain personal data of the workers. In addition, the representatives of the workers have in turn the duty to keep their constituents informed.
From the point of view of personal data protection, requests for information made by employee representatives must meet the following conditions:
- The processing of personal data must always respect the principles that inform data protection (art. 5 of the European General Data Protection Regulation, hereinafter RGPD). Specifically, it is required that the data be processed in a lawful, loyal and transparent manner in relation to the interested party (RGPD art. 5.1.a). The possibility of processing and transferring data from the workers to the representatives must be weighed against the legitimate exercise of the control functions that are attributed by law to the collective representation bodies of the workers in the company.
- The request must include the reasons for the need and the purpose for which the information is required.
- The information requested must be provided for the purpose described.
- Requests for information that are of a general nature will only be attended to after statistical consolidation, dissociation or anonymization of the data, as appropriate.
- The request for information must also include the reason for legitimation, in compliance with data protection regulations. In most cases, the legitimation will consist of one of the assumptions referred to in the regulations that regulate union activity or the Workers' Statute.
- The Data Controller that communicates the data must ensure that it has the worker's consent in those cases that require it (e.g., information regarding the collection of the union dues in the payroll payment).