This decalogue is dedicated to the teaching staff and management and administrative staff of the schools and institutes of Barcelona. Its main objective is to clearly present the requirements that the new data protection regulations impose on schools with regard to the processing of students’ personal data, as well as to propose specific measures and examples to help guarantee their protection and compliance. These proposals are based on the empirical study Entorns Segurs (Safe Environments) developed by Eticas, and which has had the support of Barcelona City Council.
It is necessary for the school to have a Proactive Responsibility attitude towards data protection, this means a conscious, diligent and systematic attitude towards all kind of processing of personal data that is carried out. The school must be able to demonstrate compliance to data subjects and to the Data Protection Authority. In order to achieve it, the following steps must be taken into practice:
Do a self-assesment exercise (or ask for help) of all student’s personal data that is being collected and processed by the school, with an emphasis on:
With the study “Safe Environments” Eticas identified four types of data systems in schools:
EdTech, that means technologies dedicated to education and pedagogy, e.g. personalised applications or learning management systems.
For instance: Moodle, Google Apps for Education (Google aula, Google Docs)
PERSONAL DEVICES used by students, such as smartphones, personal computers or tablets.
Make an assessment of the risk that the processing of these data may generate, taking into account the short-, medium- and long-term implications for children.
After assessing the risk, the concrete measures to be implemented should take into account the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of individuals. It must be possible to demonstrate compliance to data subjects and to the Data Protection Authority.
An example of such measures is the limitation or removal of the use of personal information (students’ facial images, names, etc.) of school’s profiles on social media such Instagram, Twitter or Facebook
Integrate privacy into management systems
The Regulation introduces the concepts of privacy by design and privacy by default. This implies that the controller has to apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organisational measures designed to effectively implement the data protection principles (e.g. pseudo-anonymisation), and integrate the necessary safeguards in the processing to meet the requirements of the Regulation.
The controller should also implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.
Example: When designing an application for school use, the first thing to do is to assess how it affects students’ privacy and thus to design it with the highest level of protection. In other words, a high level of privacy protection for pupils must be guaranteed from the design stage and by default.
The creation of a secure environment for students’ personal data encompasses both technical and data management aspects.
In terms of administrative planning, the Safe Environments project found significant deficiencies in the definition of the retention period of data by schools and in terms of its proper disposal. Although the school is obliged to keep some data, in order to be able to communicate with pupils in the future, personal data should be deleted once they are no longer needed. The Education Department recommends that personal data should be kept as long as it is used for their initial purpose, which means that once their function has been carried out, the data should be deleted.
Be particularly rigorous in collecting and processing data that reveal:
The proportionality of collecting certain data, such as biometric information from students, should be assessed in relation to the risk it poses to their security given its ability to identify individuals. For example, in the case of collecting fingerprints, the functional necessity of these personal identifiers should be analysed and possible alternatives that could achieve the same functionality should be evaluated.
The principle of purpose limitation
Data should be collected for specified, explicit and legitimate purposes and should not be further processed in a way incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the initial purposes.
In this regard, the same Organic Law 2/2006, of 3 May, on Education (LOE) states that the information collected by schools in the exercise of their educational function must be strictly necessary for teaching and counselling purposes, and may not be processed for purposes other than education without express consent.
Use / Purpose: It is important to know the purpose of the information processing in order to be able to judge the legitimacy of the processing and the proportionality of the measures taken. The question of purpose should be seen in relation to Article 6 of the GDPR. As a fundamental criterion, the strictly educational use of the data to be collected and used must be taken into account.
Data minimisation principle
The data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The data to be collected should be carefully reviewed to ensure that only data that are necessary to achieve the intended purpose are collected in accordance with this principle.
The data must be accurate and, if necessary, updated; failure to update personal data may affect the academic management itself or may even lead to improper disclosure of data to third parties.
In cases where data need to be processed for purposes other than teaching and guidance, such as the publication of photographs on the school’s website, or the provision of data to holiday camps, museums or other establishments visited, the consent of the data subject, or his or her representative in the case of minors, is required. This expression of consent must be:
CHILDREN UNDER 14 YEARS OF AGE: Parental or guardian consent is required.
OVER 14 YEARS OLD: They will be able to consent for themselves.
As more and more technological tools are used by schools to collect, process and disseminate data, care must be taken with regard to the privacy conditions offered by each of them. A specific and complete consent form must therefore be provided for each tool used to process children’s data.
Public, private and charter schools are obliged to appoint a data protection officer. (DPO). The data protection officer may be a member of staff or act on a contractual basis. The data protection officer of a school may also be the data protection officer of other schools, or different schools may have the same data protection officer for all of them.
He/she has, inter alia, the tasks of informing and advising the school or the operator and the employees, monitoring compliance with the rules or being the school’s interlocutor with the Data Protection Authority. The DPO should be appointed on the basis of his or her professional qualifications and, in particular, knowledge of data protection law and practice. This does not mean that the DPO should have a specific qualification.
RECOMMENDATION: Defines and updates the strategy and data responsibility roles within a Plan TAC, in which a TAC Coordinator is appointed.
Involvement of third parties in data processing
Apart from data collection and processing tasks within the school context, schools may commission third parties or entities to process personal data or to carry out an activity involving the processing of data, such as canteen service or after-school activities.
In this sense, in the Safe Environments project we have found drawbacks for student privacy with the outsourcing / contracting of services. It is very important that school authorities define clear requirements and objectives in contracts they may agree with third parties, such as publishers or other companies/associations that are working for the school. These organisations, which usually act as information processors, should have limited powers to manage students’ personal data and will put in place security measures to ensure the safe use of this data. It is also recommended that the conditions of these services with regard to the administration of personal data (type of data to be processed and specific purposes) be part of the consent forms to be signed by the parents of the pupils.
It is necessary for the controller (the school) to ensure that the processor implements the necessary protection measures.
Natural or legal person, public authority, service or other body that alone or with others determines the purposes and means of the processing. In public schools, the Departament d’Ensenyament (Education Department of the Catalan Government) will establish who is responsible for the processing. In public schools, the school itself is the data controller.
Natural or legal person, public authority, service or other body processing personal data on behalf of the controller. The controller must choose a processor who provides sufficient guarantees regarding the implementation and maintenance of appropriate technical and organisational measures, in accordance with the GDPR, and who ensures the protection of the rights of the data subjects. Therefore, there is a duty of care when choosing the person in charge, which is managed through a contract.
Consult the guidelines for the drafting of contracts between controllers and processors drawn up by the Spanish Data Protection Agency.
Reflective practice exercise
Before collecting and processing data, a reflective practice exercise must be carried out and the risks involved in each treatment must be evaluated to determine whether the implemented measures are correct or new ones must be implemented. Steps to follow:
If a data security breach occurs, the controller must notify the supervisory authority without undue delay and, if possible, within 72 hours at the latest. In case of problems with sensitive data, school authorities should also notify the parents of the pupils.
The school should provide information on the rights pupils have over their personal data and ensure that they can be exercised:
The data subject has the right to know whether the controller processes his or her personal data and, if so, has the right to access and obtain such information.
Elaborades per l’Agència Catalana de Protecció de Dades