The Danish Data Protection Agency expresses serious criticism that the Danish Agency for IT and Learning (STIL) as a data processor did not comply with the requirements of Article 32 of the Data Protection Regulation, as STIL failed to implement measures appropriate for the subsequently identified risk level when testing the Digital Trial Guard. .
In the spring of 2019, the Danish Data Protection Agency chose on the basis of media coverage to examine the monitoring program The Digital Trial Guard of its own operation.
On March 7, 2019, a general test was conducted by Netprøver.dk containing the program The Digital Trial Guard, where approx. 8,000 students chose to install and test the Digital Trial Guard, which processed personal information about these students.
In the opinion of the Data Inspectorate, STIL had not implemented measures appropriate to the risk level subsequently identified in the general test. STIL thus did not comply with Article 32 of the Data Protection Regulation, which the Danish Data Protection Agency expresses serious criticism of.
In general, the Data Inspectorate must emphasize that, when developing and testing programs, the necessary attention must be paid to the processing of personal data. If production data is used as part of the development, an assessment must be made of the risk of the data subjects’ rights and, accordingly, appropriate security must be established before the processing begins. Furthermore, in all cases where the risk to the data subject may be high, an impact assessment must be carried out before the processing of personal data is started.
As the development of the Digital Trial Guard program is currently on hold, and as STIL has, based on the risk assessment, decided to restart as soon as possible. When commissioning a new separate risk assessment and an impact assessment must be carried out, the Data Inspectorate finds that the Supervisory Authority does not currently have a basis for deciding on the processing of personal data using the program going forward.
It is clear from the decision sent to STIL on March 6, 2020, that the Data Inspectorate expected to hold a meeting with STIL and the Ministry of Children and Education in order to discuss the data protection law issues in connection with a possible further development of the Digital Trial Guard.
This meeting has not been held due to the special circumstances surrounding COVID-19.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA DANIMARCA