Privacy Policy/Data Protection of The Directorate of Education and School Services
-Automatic translation
The Directorate of Education and School Services is a service and knowledge institution that works in the interest of children and young people in the field of education and training throughout the country in accordance with the law, government policies, best knowledge and international standards.
The Directorate of Education and School Services places emphasis on ensuring that all treatment of personal data is in accordance with the provisions of the Act on the Protection of Privacy and the Processing of Personal Data no. 90/2018. The goal of the data protection policy is to help individuals understand what information the institution collects, why and what is done with it. The Directorate of Education and School Services has also established a special information security policy that covers all activities of the institution and includes the registration, processing, communication, distribution, storage and destruction of information at the institution.
The Directorate's tasks include:
support, promote and coordinate education, school services and other school activities throughout the country, including general and special education;
provide high-quality and varied educational material for compulsory students and other students as may be assigned to the institution;
develop and manage the school resources and methods that support school activities and services, including quality criteria, procedures, tools, assessment tools and other tools for screening and checking of individuals or groups;
support the implementation of the government's education and youth policy, including education policies and national curriculums.
The Directorate of Education and School Services also operates a support and advisory team, which has the role of supporting children, parents and staff at all levels of education who are in great need of support within the school, including because of serious incidents that have occurred or take place within the school. The team has the same authority to process cases as the disciplinary department for bullying cases under the law on elementary schools.
What personal data does The Directorate of Education and School Services use?
The Directorate of Education and School Services processes personal data in connection with tasks assigned to the institution on the basis of laws and regulations that apply to it and its tasks. The institution collects information either as a controller or as a processor.
General personal data
With reference to the role and tasks of The Directorate of Education and School Services, see Articles 1, 3, 4 and 6, see Articles 5 and 6 of the Act on The Directorate of Education and School Services no. 91/2023, the Directorate is authorized to process personal data to the extent necessary to carry out its statutory role under the law 91/2023 and other laws that apply to the Directorate, including for assessment, enrollment in secondary schools and personal counselling. The authorization covers personal data on students, school administrators, school staff and others who are covered by the statutory role of the Directorate.
This includes the following projects:
Reading in pre- and primary schools.
Assessment process
Icelandic language test for applicants for Icelandic citizenship.
Enrollment of students in secondary schools.
Issues concerning the well-being of students, such as treatment of bullying cases.
Recruitment and outsourcing of the Agency's staff.
Contracting with contractors, including authors of educational material, and suppliers.
General personal data that The Directorate of Education and School Services may request are, for example:
Registered information such as name, ID number, gender, address and e-mail address.
Results of assessment and testimony in pre-, primary and secondary schools.
Information on education, qualifications, employment rates, working conditions and professional development of school administrators, teachers and other staff in pre-, primary and secondary schools.
Banking information necessary for the payment of employees' wages and payments to contractors.
The institution also registers contact information on individuals that come from them when they submit a message to the institution.
Sensitive Personal Data
With reference to the role and tasks of Articles 1, 3, 4 and 6, and Article 5 of the Act on The Directorate of Education and School Services No. 91/2023, the institution is authorized to process sensitive personal data and information of a sensitive nature, such as health information and information on the social situation of individuals, insofar as such processing is necessary for The Directorate of Education and School Services to perform its statutory role. The authorization also covers the processing of information on criminal and presumed criminal conduct, insofar as such processing is necessary for The Directorate of Education and School Services to perform its statutory role, unless the interests of the confidentiality of the personal data for the person concerned outweigh the interests of the processing. Among the tasks are:
Treatment of bullying cases in primary and secondary schools in order to improve the well-being of students in schools and to promote better procedures for bullying cases by schools and municipalities. In cases where it is necessary for the processing of such cases, the institution may obtain information from parties other than schools such as from sports associations and from the health system, provided that the parties to the case have agreed to that data collection.
Sensitive personal data that The Directorate of Education and School Services may request in connection with the abovementioned projects are:
Information on the well-being of students in schools.
Information on the social status of students.
Pedagogical, medical, psychological, special education diagnostics and other diagnostics and special resources for students
Applications for special education, special educational programmes and individual curriculums.
Shows and disciplinary actions.
Information on the work methods, feedback, job performance, job satisfaction and well-being of school administrators, teachers and other staff in pre-, primary and secondary schools.
Personal identification and non-personal identification shall be erased when processing sensitive personal data, except where it is necessary for the purpose of the processing to store and process the data in a personal identifiable form.
Who has access to the Directorate's information
Individuals have the right to access the data that exists at The Directorate of Education and School Services about themselves. The Directorate disseminates information to public bodies in connection with the tasks that have been assigned to it. The Directorate of Education and School Services does not disseminate identifiable information to other parties unless they have legal authority to do so. The dissemination of identifiable data takes place, for example, in the following cases:
Students' grades from the standardized assessment are delivered to the school concerned through Skólagátt, the school service area of the institution, and, as applicable, parents are requested specifically for earlier test results that are not available at the schools.
Students' grades from tests related to the Reading Protocol are delivered to the school concerned through Skólagátt, the school service area of the institution.
Data processed in connection with the handling of bullying cases in primary and secondary schools is shared, as appropriate, with the guardians of the children in question, schools and the school office of the local authority concerned. Care is taken to share personal data only in cases where it is necessary for the processing of the case.
In addition, cases are access controlled in the case file of the institution so that only the staff that are necessary for involvement in the processing of a case have access to personal data that the institution works with. All staff of The Directorate of Education and School Services are bound by the law to professional secrecy and preferential secrecy even if they are retired. The professional secrecy of The Directorate of Education and School Services is governed by the provisions of Article 18 of the Law on the Rights and Obligations of State Employees No. 70/1996 and the provisions of Chapter X of Administrative Law No. 37/1993.
In individual cases, the institution also uses external expert assistance, for example, in the recruitment of staff, opinions, analyses, etc. In such cases, an expert works with personal data on the basis of a written agreement.
All data and information held by the Agency is stored within the European Economic Area, or in states that Data Protection has considered to provide adequate protection for personal data, or in US companies, as per the Adequacy Decision concerning the transfer of personal data from Europe to the US. The decision is intended to provide adequate protection for personal data transferred from Europe to the US.
Preservation of personal data
The Directorate of Education and School Services is a returning entity under the Public Archives Act, No. 77/2014. As a result, the National Archives of Iceland does not have the right to delete documents that it receives or creates, except with the permission of the National Archives of Iceland. The returning obligation also means that all documents that are received or created by the National Archives of Iceland must be returned to the National Archives of Iceland, where they are stored for the future. Further information on the National Archives of Iceland can be found on the museum’s website:
Security of personal data
The Directorate of Education and School Services places a strong emphasis on the security of personal data. The Directorate of Education and School Services is working to implement an information security management system that meets the requirements of the standard ÍST ISO/IEC 27001 (Information Security Management System) and has established a policy on information security.
In order to ensure the security of personal data, organisational and technical measures have been implemented, such as:
Access controls so that only those who need personal data for their work have access to them.
Encryption for internal statistical processing.
General computer protection, such as virus protection and firewalls, which are regularly updated.
Active safety monitoring, such as internal and external audits and risk assessment, and active recording of safety failures.
Active training for staff on security issues.
The website of The Directorate of Education and School Services uses SSL certificates invariably, which means that all communications are over an encrypted transport layer. This makes data transfer through it safer. Information about the website is preloaded in the major browsers (HSTS preload), so you never need to connect to the website over an unencrypted transport layer to receive a redirect.
The Directorate of Education and School Services uses an active security scanner to ensure that the agency's servers are up-to-date and properly installed and cloud services are properly defined.
The Directorate uses Cloudflare with an active Web Application Firewall (WAF) to protect web services from software attacks and DDoS.
The domain of The Directorate of Education and School Services uses DNSSEC to ensure that replies to domain queries through DNS are not falsified.
In addition, printed documents containing personal data are stored in locked shelves at the workplaces of employees or in locked cabinets in an archive.
Cookies
Digital Iceland uses a web analytics tool from Plausible to analyse the use of the website. Its purpose is to obtain statistical information to improve and develop the website and the information published there. This information gives insight, for example, how many users open specific subpages on the website, for how long they are viewed, what content users search for in the search engine on the site, from which websites users enter the site and what type of browser they use to view it. No personally identifiable information is collected for this purpose.
Privacy officer
The role of the Data Protection Officer is to inform the institution or company concerned and their employees about obligations under the Data Protection Act, to conduct staff training, to conduct audits, to provide advice and to be present in case of issues in the field of data protection. The Data Protection Officer also receives inquiries and requests from the individuals that information is being processed on. The Data Protection Officer shall then be a contact point for the Data Protection Authority and work with it, as well as monitor compliance with the Data Protection Act. The Data Protection Officer of The Directorate of Education and School Services is Hörður Helgi Helgason, lawyer at Landslög, tel. 520-2900 and anyone can contact him regarding further inquiries about the processing of personal data at the institution.
Regulator
The Data Protection Authority monitors the implementation of the Act on the Protection of Privacy, regulations and special provisions in law dealing with the processing of personal data. Any registered individual or his/her representative has the right to lodge a complaint with the Data Protection Authority if he/she believes that the processing of personal data about him/her violates the law or regulation. The Data Protection Authority will decide whether an infringement has occurred. Further information on the Data Protection Authority can be found on the Agency’s website,
Responsibility
The Director General is responsible for the implementation of the Data Protection Policy.