A Beginner's Guide To School Data Protection Policy

As an educational institution, you will have unique stakeholders who will be impacted by the General Data Protection Regulation (GDPR). This School Data Protection Policy guide takes you step by step through the actions you need to think about and build your compliance around.

Who will be impacted by this Data Collection?

The first step, as for any Organisation taking its first steps towards compliance, is to understand how data travels through your Organisation and who handles it along the way. The questions to think about here are the following:

Whose data are you collecting?

For a typical school, this would include the contracts of your teachers, teaching assistants, administrative staff, Principals and Vice Principals, but also data about caretakers and students. All of this is categorised as personal information. It also includes any digital or other pseudonyms by which a person can be identified.

These are the types of data you must map:

Personally-Identifiable Information

Any data that can help identify an individual. Examples of personal data include name, location, personal identification number, hair colour, lists of customer (parent, student) names and addresses, IT usage data, traffic data, information about education, income and licence plate numbers.

Sensitive personal data

Like personal data, its main purpose is to help identify an individual, but a breach or misuse of it is far more damaging to the person's privacy. Examples of sensitive personal data include religious beliefs, race, political opinions, sexual orientation, physical and mental health conditions, biometric data and genetic data.

Biometric data

Any data that is used to identify a human being by his or her unique characteristics. Digital fingerprints are one example of biometric data. The GDPR states that the processing of such data is prohibited unless the data subject (user/consumer) has provided consent and the processing is necessary for specific reasons, such as protecting the vital interests of the individual.

Updating the parents

As a school, you will naturally have many students who are too young to give you valid consent. This essentially means that you have to inform the parents about all your data processing activities and obtain consent from them.

As providers of childcare as well as providers of education, it is important for you to create an atmosphere of trust and build up your reliability among parents regarding Data Protection. Steps to ensure that the data of parents and their families is adequately protected will reduce the number of subject access requests later.

Below are the important points you need to mention in your letter to the parents. Make sure you customise it to your needs: a kindergarten, for example, will have different data collection and processing methods than a high school.

You should start off with a brief description of what the General Data Protection Regulation (GDPR) is. In this part, you should also inform the parents of their rights:

The rights of the data subject (individual):

  • information about the processing of your personal data;
  • obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right, in this case, to express your point of view and to contest the decision. (EU GDPR, 2018)

Access for Parents

Explain how they can access your privacy notice and data protection policy (this could include a link to your website), and how you are complying with the new regulations:

  • what data you are storing
  • how you are storing it
  • how you are sharing it and with whom
  • how long it is retained for
  • how it is destroyed and when

You should also tell them who to contact (ideally your Data Protection Officer) with any questions they may have on data protection, or to request access to information.

Include a link to your Data Protection Authority's website so that parents can learn more about the GDPR if they are interested.

You could also ask parents to review the information that you are storing on them and their child, and to confirm that it is still current or to make amendments as appropriate, or to revisit their consent for the use of photographs of their child.

You may use this communication as an opportunity to ask parents to sign a new contract with your organisation that includes new data protection wording compliant with the GDPR.

Using Online Tools in Schools under The GDPR

The GDPR and the Data Protection Act 2018 say that only children aged 13 and above are able to provide their own consent for commercial internet services to process their personal data.

Online service is the only context in which the GDPR and DPA 2018 define the age at which children can provide consent.

A Child’s Consent Under the GDPR

Conditions applicable to child's consent in relation to information society services

  1.   Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

       Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

  2.   The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3.   Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Services provided 'directly to a child'

This rule applies specifically to services which are considered to be provided “directly” to children, and where consent is the lawful basis for processing the child’s personal data.

“Directly to a child” means that a child can access the service independently – for example, via an app store. This is irrespective of whether the child signs up independently or whether the service is provided to them under a contract between the service and their school (or another organisation).

These services are referred to as “information society services” in the regulations, and include social media, educational apps and online platforms.

The rule described above is primarily directed at providers of such services. Typically, a child signs up and submits their personal data directly, so the provider needs a lawful basis to process this data.

Prerequisites for your Organisation’s Compliance

Document all personal data your Organisation holds

GDPR requires you to maintain records of processing activities. If you want a detailed guide on how to do this, read our blog on it.

Your organization must document all the data that it holds, where it came from and how it uses that data if it somehow refers to an identifiable person. Furthermore, your organization must be able to submit up-to-date reports, so-called records of processing activities (RPA), to the competent data protection authority at all times.

Developing the records of processing activities is also a key step because it enables the Organisation to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, compliance with any further requirement of the GDPR cannot be achieved!

Checking if your data processing adheres to the individual rights

Now that you have sorted your data, you have to legally review all procedures concerning personal data. Are they compliant with the GDPR or not? The answer is complex and usually the work of a lawyer. Generally, you must keep in mind that processing activities concerning personal data may affect the rights of the individuals concerned. Those processing activities therefore always have to be justified.

Requests for subject access

Your organisation should update its procedures and plan how it will handle subject access requests under the new rules. In most cases, you will not be able to charge for complying with a request.

You will have a month to comply, rather than the current 40 days.

You can refuse or charge for requests that are excessive, but you will need to provide requesters with their data in a machine-readable format. If you refuse a request, you must tell the individual why, and that they have the right to complain to the supervisory authority and to seek a judicial remedy. You must do this without undue delay and at the latest within one month.

Data Protection Officer (DPO)

Your organisation will probably have to appoint a DPO to take responsibility for regulatory compliance.

The DPO reports to the highest position in the firm and has to make sure the Organisation takes the measures needed to bring its processes and information flows in line with the GDPR. Specific conditions determine when a DPO is mandatory; even where it is not, it is a good idea to have a specialised role within the organisation.

Another option is a virtual DPO, that can help your Organisation be GDPR compliant. The best part is that it costs much less and reduces Organisation man-hours involved by 75%!

Data Protection Impact Assessment and Protection by Default and Design

Your Organisation has to evaluate in depth the processing activities required for each category of data it collects, in order to analyse the risks they may pose to the data subject. Every piece of software used, activity performed and measure taken must have protection by design, so that the data is protected against breaches and vulnerabilities and the rights of the data subject are not harmed.

If the processing activities or the data carry high risks, an impact assessment must be performed to determine the right measures to minimise those risks. Key measures here are pseudonymisation, data minimisation, erasing data when the period covered by consent ends, and giving data subjects access to their data.

Data breaches and notifications

Your Organisation must adopt internal procedures for dealing with data breaches, and require the same of third-party partners.

Those procedures should include identifying the actual data breach, investigating the circumstances of the breach, and assessing the implications it may have both for the Organisation and for the data subject's privacy.

One thing to remember is that the breach must be notified to the Supervisory Authority within no more than 72 hours when the data subjects are exposed to some kind of risk, and in those cases the data subjects also have to be notified.

Applying the rule in a school setting

The rule becomes more complicated to apply in a school setting if you're using this type of service because consent will be between the child/parents and the service provider. So, if consent is refused, you won’t be able to use the service with those children.

Steps to take before you use any online service with pupils

  1. Determine whether pupils’ use of the service is necessary for educational purposes (see below). This will inform what lawful basis you can use if the school itself will be processing any personal data, and the measures you put in place to protect pupils’ data.
  2. Conduct a data protection impact assessment to identify and minimise the data protection risks and determine whether you should proceed.
  3. Look into the service provider to establish, to the best of your ability, whether it complies with data protection regulations.

What counts as necessary for educational purposes?

It's up to you to determine this in your own context, but Forbes suggested that, typically, a service will be considered necessary where the nature of it will require the school and service provider to share pupils’ personal data between them.

For example, an online platform that supports or enables standardised assessments and decision-making will help to achieve learning objectives and is likely to need to receive personal data from the school and send personal data back in return – such as pupils’ scores. This may be considered necessary for educational purposes. Similar principles are likely to apply to a homework portal.

However, if you want to use a social media platform to research photos in class, this may be considered more of a ‘convenience’, with a higher risk to children’s privacy if you do not have a data sharing agreement in place with the provider. There may also be alternative approaches available with less risk to children’s privacy. This would be harder to justify as necessary for educational purposes.

Identifying a lawful basis

If pupils’ use of the service will require the school to process any personal data – i.e. if you need to collect and share data with the service provider, or will receive data back from the provider – you'll need to identify a lawful basis for this.

If you can demonstrate that the service is necessary, then it’s most likely that you’ll justify this processing under the public task basis. If using the service isn’t necessary for educational purposes, you'll have to rely on consent instead.

If the school will not need to process any personal data in order for pupils to use the service – i.e. if pupils will sign up independently and the school will not receive any data from the provider – then you're not acting as a data controller and will not need to identify a lawful basis. However, this carries more risk and, as we explain later, you must not require pupils to use an online service where this is the case.

If the outcome of the data protection impact assessment is that you can proceed, take the steps below. If not, consider alternative ways to achieve the same aim with less risk to children’s data privacy.

Additional actions if the service is necessary for educational purposes

Note: this will be the safest option for you, and most likely the only justifiable one if you require pupils to use the online service.

Where you have determined and can demonstrate that using the online service is necessary for the education of a child, and justifiable under the public task basis, you should:

  • Enter into an agreement/contract with the service provider. This means you'll retain control of the personal data and therefore minimize any data protection risks. Make sure your contract covers the terms and information about data protection required by the GDPR
  • Share only the personal data that the provider needs to perform the services
  • Incorporate information about your use of the service and the personal data you exchange with the provider in relevant privacy notices. You can also link to any privacy information from the provider

Additional actions if the service is not necessary for educational purposes

In this situation, you cannot require pupils to sign up for the service.

Where you'll need to process personal data in order to use the service

You'll need to rely on consent as your lawful basis if you'll need to collect and share any personal data with the service provider, and/or receive personal data back when pupils are using the service.

Pupils or their parents/carers must be able to give or refuse consent freely.

You must:

  • Request consent, ensuring that your request meets the requirements of the GDPR, before using the service with the pupil.
  • Provide a privacy notice explaining what the programme or service does, why and how the school uses it, what data it will require from pupils, and what rights pupils have. You can do this by incorporating information on sharing data with third parties in your privacy notices, and by linking to privacy notices for the services you use in an appropriate place.

You should also put in place a written data sharing agreement with the provider.

Where the exchange of personal data will only be between the pupil and the provider

In situations where a pupil will be signing up directly with the service, and no personal data will be exchanged between the school and the provider, the issue of consent and providing relevant privacy information will be between the provider and the pupil.

There will be no useful reason for you to obtain pupil or parental consent for this, as you'll not be processing any personal data in relation to the pupils’ use of the service.

As stated above, you will not be able to require pupils to use services in this case.

If the purpose of using a service where the exchange of personal data will be between the pupil and the provider is to support the delivery of the curriculum, you should seek safer alternatives. For example, using social media such as Instagram and Pinterest in school to research, and share, images is difficult to regulate and monitor. In this instance, the curriculum could be delivered using other resources such as search engines for researching images and secure cloud storage to enable students to upload and share images.

If you decide to use social media platforms, you should ensure that parents are fully informed as to how it will be used and the potential risks associated with its use. Mark suggested that you seek parental consent in this instance due to the potential safeguarding risks. As explained above, parental consent will not be needed for the processing of personal data.

As a school, your responsibility lies towards your students, which usually means getting parents on board. This law is essentially empowering for both organisations and consumers. It allows you to build trust among parents as well as an organisation founded on the principles of Data Protection.

If you have any questions or concerns as a school about the GDPR, book a time with us.

ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.

Hauke Holtkamp, CEO ECOMPLY GmbH