Legislation and Data Protection – Risk Analysis (1).

1. Practice statement.

This practical exercise focuses on conducting a risk analysis of the legal issues associated with compliance with data protection regulations, with special attention to the required information security measures. The analysis will specifically focus on the student academic record management system for primary and secondary education in Spain. The country’s autonomous communities use computer systems to allow teaching staff to enter grades and track student performance and behavior. These records gather large amounts of data, collected by educational institutions and centralized on servers assigned by each autonomous community. Information security experts are requested to assess the legal risks associated with the use of ICT and the protection of personal data within these systems. The data stored on centralized servers include:

  1. Identifying data of educational centers.
  2. Identifying and personal circumstances data of the teaching staff.
  3. Identifying, personal circumstances, and academic records of the students.

Additionally, on the locally used computers located in educational institutions, in the education departments of regional governments, and in town halls, the following are managed:

  1. Personal data from the academic records of system users.
  2. Personal data of teaching staff.
  3. Databases with histories of academic records, transfers, and changes of center, among others.
  4. Personal data used in subsidized centers, such as names and addresses of those responsible.

It’s crucial to remember that many of these data pertain to minors. Based on this information, the following tasks are proposed:

  1. Identify ten possible threats to the security of personal data managed by the system, considering aspects such as availability, integrity, and confidentiality. Royal Decree 1720/2007 can serve as a guide to determine possible threats based on the established security measures.
  2. Analyze the vulnerabilities present in the system and reflect on these.
  3. Evaluate the impact of the identified threats using an impact scale from 1 to 5.
  4. Estimate the likelihood of occurrence for each threat, using a probability scale from 1 to 5.
  5. Calculate the inherent risk resulting from the combination of the impact and probability of each threat.

2. Proposed solution.

The following table provides answers to the five requested questions, limiting the number of threats to the ten requested.

To perform the analysis in a more visual way, the following color code has been considered:

  1. Grey color = values of very low severity of impact, probability, and inherent risk.
  2. Green color = values of low severity of impact, probability, and inherent risk.
  3. Yellow color = values of medium severity of impact, probability, and inherent risk.
  4. Orange color = values of high severity of impact, probability, and inherent risk.
  5. Red color = values of very high severity of impact, probability, and inherent risk.

For the calculation of the inherent risk, the following risk table has been developed, with a scale ranging from the value 1 to 25, the result of multiplying the impact value by the probability that the threat will materialize.

Below is the table developed with the risk analysis.

Regarding the topic of data processing for minors, the following points set by the AEPD (Spanish Data Protection Agency) must be complied with.

According to the AEPD, following the publication of Law 3/2018, of December 5, on Personal Data Protection and the guarantee of digital rights, in article 7 “Consent of minors”, it is established that:

  1. The processing of personal data of a minor may only be based on consent when the minor is over fourteen years old.

Exceptions are made in cases where the law requires the assistance of the holders of parental authority or guardianship for the conclusion of the act or legal business in which context the consent for the processing is obtained.

  1. The processing of data of minors under fourteen years of age, based on consent, will only be lawful if the consent of the holder of parental authority or guardianship is given, to the extent determined by the holders of the parental authority or guardianship.”

Similarly, in Royal Decree 1720/2007, of December 21, which approves the Regulation developing Organic Law 15/1999, of December 13, on the protection of personal data, in its “Article 13. Consent for the processing of data of minors.” It states that:

  1. Data of those over fourteen years old may be processed with their consent, except in those cases where the Law requires the assistance of the holders of parental authority or guardianship for its provision. In the case of minors under fourteen years of age, the consent of the parents or guardians will be required.
  1. In no case may data be collected from the minor that allow obtaining information about other members of the family group, or about its characteristics, such as data related to the professional activity of the parents, economic information, sociological data or any other, without the consent of the holders of such data. However, data on the identity and address of the father, mother, or guardian may be collected solely for the purpose of obtaining the authorization provided for in the previous section.
  2. When the processing concerns data of minors, the information directed at them must be expressed in language that is easily understandable by them, with express indication of the provisions of this article.
  3. It is the responsibility of the person in charge of the file or processing to establish the procedures that ensure that the minor’s age and the authenticity of the consent given, if applicable, by the parents, guardians or legal representatives have been effectively verified.

To undertake the appropriate certification processes, it is essential to conduct thorough prior audit planning, as demonstrated in our article “Principles, Program, and Planning of Auditing and IT Governance.

If you need an audit plan, you can contact us through our contact form.


No puedes copiar el contenido