DIGITAL LIBRARY
PERSONAL DATA PROCESSING IN EDUCATIONAL INSTITUTIONS: ANONYMISATION AND PSEUDONYMISATION
Mykolas Romeris University (LITHUANIA)
About this paper:
Appears in: ICERI2020 Proceedings
Publication year: 2020
Pages: 9989-9997
ISBN: 978-84-09-24232-0
ISSN: 2340-1095
doi: 10.21125/iceri.2020.2262
Conference name: 13th annual International Conference of Education, Research and Innovation
Dates: 9-10 November, 2020
Location: Online Conference
Abstract:
Educational institutions collect vast amounts of personal data from students and staff. This personal data is vital for schools and universities to operate. Therefore, clear and well-documented processes need to be in place. The General Data Protection Regulation (GDPR) provides the regulation to manage and protect this data while creating consistent policies and practices. The GDPR applies to organisations in all sectors including educational institutions. With the GDPR in place, organisations need to determine the lawful basis for processing personal data, so it is essential properly to identify the type of personal data. Personal data anonymisation or pseudonymisation can bring some considerable benefits and play an important role in facilitating the implementation of GDPR in the organisation. Pseudonymisation does not remove all identifying information from the data but merely reduces the linkability of a dataset with the original identity of an individual. Anonymisation is definitely one of the best ways to ensure the safety of data collected. This extra measure of security lets freely exploit data collection in ways that wouldn’t be legally permissible when it comes to non-anonymised data. Both pseudonymisation and anonymisation are encouraged in the GDPR and enable its constraints to be met. Non-compliance with the GDPR poses financial, legal and reputational risks to organisations. The main purpose of this article is to develop a theoretical model of personal data processing after anonymisation and pseudonymisation under the GDPR. This model could help organisations to understand the application of the GDPR requirements for the processing of personal data including their anonymisation and pseudonymisation. It is very important for educational institutions to ensure adequate protection of personal data. The research methods used in this academic article include comparative analysis, systematic analysis and generalisation analysis. A conceptual framework is grounded in the literature review. Based on the generalisation method, conclusions are drawn.
Keywords:
Educational institutions, GDPR, personal data, lawful basis for processing, pseudonymisation, anonymisation.