About GDPR in schools
Out of the fan of domains on which GDPR has made its mark, the education sector is among the first to feel the full effects of this regulation. Or, at the very least, the need to quickly align to its requirements.
Why? Firstly, because most of the personal data that schools process is children’s data, and children are, in the GDPR’s view, vulnerable individuals whose personal data must be even more rigorously protected. Secondly, because some of the data processed by schools are by their very nature special data (such as, for example, data relating to food allergies, medical history, essentially health data).
After a period of three years of being with educational institutions in their GDPR implementation process from the position of Data Protection Officer (DPO), I have extracted a few steps that I think any school concerned about the security of the personal data they handle should take, and that we have set out to describe in a few episodes in this blog.
Based on the specifics of schools’ activities, but also on the volume and type of personal data they process, particularly in the light of the obligation for schools to keep records of former students’ school records, I believe that the appointment of a Data Protection Officer (known as DPO or DPO) is a must.
Considering that the t0 moment of awareness of the need for GDPR regulation in schools has already passed, the first concrete step is to find that „someone” who will do the actual job. In other words, if we’re thinking about a school employee, we should identify that person who is willing to train in a new area – that of data protection, respond to the challenges the school faces in this area, and take on some specific responsibilities. If this person is employed by the school in another post, as is often the case, then they will need to be willing to take on these tasks in addition to their core role. In many situations, outsourcing this function may prove more efficient and cost-effective, especially in the case of schools in the same group of educational institutions that are entitled to jointly designate the same person as Data Protection Officer.
What should such a Data Protection Officer do? Based on the provisions of the GDPR, the main tasks are as follows:
- monitor compliance with GDPR and assist the controller or processor in monitoring compliance internally
- assisting and providing expert advice in the data protection impact assessment carried out by the school – we will come back to the data protection impact assessment procedure in more detail in a later episode
- cooperates with the ANSPDCP and assumes the role of point of contact
- takes due account of the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
- compiles and updates the register of processing operations on the basis of information made available to them by the different departments within the School.
Frequently, when the school management is looking for a suitable person for this job, the first thought naturally turns to the legal adviser. They may be a good candidate, because the foundation of data protection is the web of legal grounds for processing, rights and obligations seen through the lens of fundamental principles imposed by the GDPR.
And sometimes the answer to some of the most common challenges is the result of checking an overlap of rules, principles and norms from several spheres of law. For example, one of the most frequently asked questions I receive is this: how do we deal with pupils whose parents have not agreed to the school photographing or filming their child, when the child attends events where the child is photographed or filmed? The emotion behind the question is all the stronger when the person asking it is an educator or a primary school teacher who has often had to use all his or her creativity to explain to a 5-6 year old that he or she cannot be in the photo with his or her classmates for reasons of… lack of legal basis…
The resolution in this case may be a standard procedure adopted by the school, after it decides on the basis of a proper characterization of the right claimed by the parent and the legal basis for the parent’s request. In the present case, the right to prohibit the reproduction of one’s own image exists in the Civil Code long predating the GDPR, so the management of this right should be determined in relation to all the legal provisions governing it, the GDPR being one of them, but not the only one. For example, a possible solution could be to obtain a separate, one-off consent for each individual event (e.g. by inserting an additional heading on photography or filming in the Parent/Legal Guardian Agreement form granted for the child’s participation in camps/trips/expeditions, if the images are processed solely for the purpose of informing the parent about the activities carried out during the one-off events and if they will not be used for any other purpose and will not be distributed to the public).
Therefore, like any process, in order to stand a chance of completion, the GDPR implementation process in the school must first be started. Regardless of whether the school chooses to carry out this process through an internal employee or outsource it, the first task of the person designated to carry out or manage this task is the audit task.
In the next episode we’ll discuss the initial audit or DPO audit mission that the responsible person in our story needs to perform so that the steps to take on the road to the ultimate goal, GDPR compliance, are easier to identify and follow.