Schools and educational institutions are in the unusual position of handling large amounts of personal data and several types of special category data (medical records, religious beliefs, trade union membership, etc.), much of which relates to children.
Opinion Piece by Lindsay Charman
This means that additional and more stringent conditions must be met under GDPR legislation, including the appointment of a Data Protection Officer with a level of experience suitable to the complexity of the task.
The following is an overview of some of the specific considerations schools and educational institutions should be aware of.
Dealing with children's data is not straightforward, partly because there is no single rule on the age at which a child can consent to processing.
For online services offered directly to children, a child in the UK aged 13 or over can give their own consent (the GDPR default is 16, which the UK lowered to 13); that is the only age fixed in law. If a school relies on consent as its legal basis for other processing, it needs to decide on an appropriate age for each type of data being processed.
That decision has to be documented and must be justifiable.
Particular attention needs to be given to the choice of language in any documents to ensure children understand what they are agreeing to. The competence of each child to understand may need to be considered as well.
Consent is only one of the available legal bases. Because of the issues above, it should only be used when another basis, such as public task, contract or legitimate interests, is not suitable. Note that a public authority (which includes state-funded schools) cannot rely on legitimate interests for processing carried out as part of its public tasks, so for most core school processing the public task basis is the natural choice.
The Right To Be Forgotten and Subject Access Requests
Notwithstanding specific legal requirements in overriding regulation, such as safeguarding/child protection and SEND (Special Educational Needs and Disabilities), to retain certain records indefinitely, schools and educational institutions must abide by the GDPR regarding a data subject's Right to be Forgotten (the right to erasure) and must supply all relevant information when a Subject Access Request (SAR) is submitted.
Consent can be withdrawn at any time; in particular, someone who gave consent as a child is fully entitled to withdraw it later, including as an adult. A SAR covers all the personal data held about the individual, including emails and written documents, so proper data capture, filing and purging processes need to be in place to avoid wasted effort later.
If data is no longer required it must be deleted. This is particularly important for special category data such as racial or ethnic origin, sexual orientation or health. Often the data can be anonymised instead; truly anonymised data falls outside the GDPR, but pseudonymised data does not.
There are guidelines on retention policies, but it is up to each school to set policies for different types of data and processes and to be able to justify those decisions.
This is the big one, and we have seen a lot of misinformed examples of it.
Many organisations have been misinformed about the need to seek reconsent (or double opt-in) before sending marketing material or newsletters to existing or past parents or students. If the consent you already hold meets the GDPR standard (freely given, specific, informed and recorded), it does not need to be refreshed.
Consider whether legitimate interests is a better legal basis for this processing and, if so, conduct and record a Legitimate Interest Assessment. Bear in mind that electronic marketing by email or SMS is also governed by PECR, which generally requires consent for unsolicited marketing messages to individuals.
GDPR does not mean that you can't communicate with your stakeholders, only that you need to make sure you are communicating only the information they have agreed to receive (or are legally required to receive).
Unfortunately, schools and universities across the UK and US (as well as in other countries) regularly fall victim to cyber attacks.
With often limited resources, educational institutions need to be smart and diligent, both to comply with GDPR and to protect students, staff and volunteers. At a minimum, schools should adopt a baseline such as the NCSC's Cyber Essentials scheme, which sets out basic controls for protecting networks and data (boundary firewalls, secure configuration, access control, malware protection and patch management).
Sadly, the greatest risk to most organisations comes from their own staff, whether through phishing, error or misuse of access.
In a way this is fortunate, because unlike the effort and cost of keeping technical defences up to date, staff, student and volunteer training can be delivered in many ways; it should be engaging, regular and current.
Automated decision making / profiling
If you engage in automated decision making or profiling, for example for entrance exams or grading, it must be clear to the data subject that this is happening. Where a decision is made solely by automated means and has a legal or similarly significant effect on the individual, they have the right to obtain human intervention, to express their point of view and to contest the decision, so a manual assessment must be available on request.
One area that is problematic is profiling donors and potential donors according to their wealth. This is not prohibited outright by GDPR, but it is profiling, so it needs a lawful basis and, in particular, must be disclosed transparently in the privacy notice so that donors know it is taking place.
Appointing a DPO
Under GDPR all public authorities must appoint a DPO, and this includes state-funded educational institutions. There is a question mark over whether private schools are required to (the obligation also applies where an organisation's core activities involve large-scale processing of special category data), but most experts agree that it is highly recommended to do so.
The risks of not having a suitably qualified Data Protection Officer overseeing processing activities are high where children's data and special category data are involved, because of the potential harm to those whose data is breached.
One could argue that the nature of educational institutions triggers another DPO obligation: that the core activity of schools involves regular and systematic monitoring of data subjects on a large scale.
Under this interpretation, a DPO is required regardless of the ownership of the school, university or educational institution.