Safe environments

Digital rights at the high schools in Barcelona

The Study

The Eticas team developed the #EntornsSegurs [#SafeEnvironments] project at the request of the Barcelona City Council, with the aim of addressing the use and management of data in the city’s high schools.

The Eticas research team has been working on the #EntornsSegurs project. Requested by the Barcelona City Council, it seeks to address the use and handling of data in the city’s institutes. The development and application of technologies in the educational field, which has grown exponentially in recent years, has implications for privacy and makes it necessary to analyze the degree of knowledge and social acceptability among the parties involved – students, parents and the educational community. The Eticas methodology, focused on the social impact of technologies, is a key element in understanding and improving technologies so that they are effective both at a pedagogical level and in terms of children’s privacy.

Reports from countries such as the United States and Australia have begun to analyse these implications and point to the failure of laws to address the negligent use of personal data collected in educational institutions. In many cases schools also do not have the means or capacity to deal with it. But what is the situation in Barcelona?

The Entorns Segurs project aims to raise awareness among the city’s educational community and inform it of the social consequences associated with this data management and data control. An effective mapping of the current situation, a greater knowledge of these issues and their transmission to society as a whole have led us to the practical objective pursued by the project: better privacy and data administration policies, and a contribution to the debate on the incorporation of new technologies in the educational field.

The possibilities offered by the increasing introduction of new technologies in schools also entail new challenges for the protection of student data.

Based on the work carried out since we began this study (an exhaustive review of the literature, an analysis of the legal framework, and interviews with people involved in the problem), we have observed which technologies are being implemented in the high schools of Barcelona, who the actors are and how they relate to one another in implementing this technology, and which problems or deficits in security, privacy and data protection derive from this whole framework. Schools increasingly have technological solutions to deal with administrative, security, educational and communication processes between parents, students and teachers. In this sense, schools have the autonomy to define the use of these technologies and promote digital education tools (Catalan Education Act, 2009).


In relation to the processing of personal data, the high schools are generally subject to the Organic Law on Data Protection 15/1999, which is complemented by other more specific regional and sectoral laws. What is derived from these legal provisions is that the schools can only collect information that is useful for purposes that have been previously well defined (purpose principle) and with the consent of the person from whom information is collected (consent principle).



The school authorities have considerable autonomy in establishing the technological systems to be implemented in their institutional framework and in determining the protocols of use. Therefore, although the law sets certain limits regarding the storage and processing of personal data, this autonomy has led to a wide variety of institutional systems, as well as various levels of security. The multiplicity of educational and information technologies available in the school context encourages the differential deployment of ICT-based communication and educational strategies, both formal/official and informal, depending on programmatic, cultural and socio-economic/territorial factors, among others.


As the graph shows, the actors that make up the educational community form a complex network that shares all kinds of data generated in the school. Both the media established by the educational system itself and other channels, as well as private actors (the family), intervene in this process.


Preliminary results

Within this framework and in the case of the city of Barcelona, the preliminary results of the Entorns Segurs project reveal risks and problems that are common to different educational contexts at institutional, public-private and informal levels. Among them we highlight:

Institutional systems

Schools’ digital administrative systems for monitoring and recording student performance, in many cases, do not have the necessary trained staff or security monitoring. 


A protocol of the Consorci d’Educació exists to facilitate the capture, by school authorities, of parental consent for the transfer and use of the personal information of students up to 14 years of age. However, such consent is not obtained in all cases and subsequent school protocols for data administration have various limitations.


Public-private use

Various companies such as Google (through Google Apps for Education), as well as different publishers (for example, McMillan) are an active part of the educational system and collect large amounts of data from students in ways that are not properly explained in the informed consent, or under proper control/monitoring.

Informal systems

Teachers use all kinds of technological systems and online platforms (such as YouTube videos involving students), which are not always under the radar of school authorities and do not respect specific protocols for their administration (access limitation, encryption, deletion, etc.). In addition, students share with the general public (for example, on social media) personal and school information collected in class through mobile devices, where other students and teachers are involved.


In methodological terms, we began the study by reviewing the existing literature on the technologies used in educational contexts and experiences in other countries in relation to the problems identified in the generation, protection and privacy of data. In this first phase we found important keys for understanding this reality, among which two stood out:


Although the implementation of the technological component in educational and administrative processes is wrapped in a positive discourse about the usefulness and improvement that it implies for the entire educational community, at Eticas we observe that these technologies carry certain associated problems that have not yet been explored in sufficient depth. In many cases, these problems have to do with the fact that many of these technological systems generate and manage large amounts of personal data, alter social relationships or introduce commercial services into educational environments.


It could be argued that these are not new issues for schools, insofar as these have always been spaces where large amounts of data on children have been collected (age, academic grades, learning difficulties, etc.); however, the novelty these days is that the digitalization of this information by new technologies changes both the intensity and the amounts in which it is collected. Even who can get hold of it can pose an added problem: at any time and regardless of the years that have passed, this data can be used and sold to third parties, becoming susceptible to being used for any purpose other than the improvement of educational processes.



They are the main mechanism to guarantee security in the use of new technologies. However, their existence is not always accompanied by their knowledge and implementation.


To guarantee proper use and management of data, you can compromise the responsible use of technological tools and the protection of the information they collect.

A subsequent analysis of the data protection laws in force in Spain and Catalonia shows that in Barcelona (our area of study), regulations have been the main response to ensure that technology is used responsibly and the privacy of minors is guaranteed. But how can we ensure that the actors in the educational community are aware of these legal procedures and that they are applied to all the technologies they use? 


Answering this question required understanding several intermediate processes that we wanted to explore. First, we needed to know which technologies are being used in the high schools, who is responsible for them, what resources (legal and procedural) exist for their use and implementation, and which technologies were, in this sense, the most susceptible to misuse. Second, the aim was to discover how, through the technologies identified, students’ personal data and information are collected, processed, stored and disposed of by educational institutions, a process known as the data life cycle. Third, we added a more subjective dimension, related to normative value judgments, that includes considerations of acceptability, understood as the degree to which members of the educational community have been informed about, have accepted, and control the use of the technologies that they handle, the information that they generate, and the use that is subsequently made of it.


To carry out this analysis and answer these questions we designed a qualitative methodology that allowed us to know the opinions and perceptions of academic experts, as well as the usual practices and intervention of the government authorities of the Department of Education, the Consortium of Education and the Catalan Data Protection Authority, and of the members of the educational community: teachers, school management, school administration and, of course, students, by means of interviews and discussion groups in four secondary schools in the city (two public and two subsidised).




In the city’s secondary education environments we can distinguish different types of technology: i) administrative technologies (Clickedu, Esfer@), ii) institutional physical technologies for security purposes and/or control of the institutes (surveillance cameras, platforms for monitoring academic performance), iii) learning and knowledge technologies used as pedagogical tools (Google Apps for Education, Moodle) and iv) information and communication technologies (social networks, students’ mobile devices).


Many of the management and administrative staff and the teachers and students in Barcelona’s schools state that they are often unaware of the practices of the public administration and online service providers, as well as the technical aspects of data protection or the measures that can be applied to guarantee the security of the systems they use in their educational practice. In general, a chain of trust is created that goes from student to teacher, from teacher to school and from school to administration.


There has been a lack of knowledge about the risks that arise in the information society, where the omnipresence of data technologies leads to the unconscious transfer of personal information without demanding guarantees that safeguard the right to privacy. Thus, a conception of privacy reduced to the personal image and the potential threat of figures such as the hacker is observed. This makes it difficult to identify certain problematic situations related to digital identity and discrimination, the right to be forgotten, consent to the transfer of data, fulfillment of the purpose for which it was obtained, etc. Due to this lack of knowledge, we have been able to identify some practices that could be compromising the privacy and protection of student data. These are fundamentally linked to informed consent (the schools are failing to inform their students and families about the collection and transfer of their personal data), the limited security and data protection protocols implemented by the schools (a relevant issue is the lack of systematization in the erasure of information collected in the technological platforms), etc.


This situation points to the need to empower educational centers so that future contracts established with these companies provide for ethical and responsible protection of the data that will be transferred through their products and services. Checking key aspects such as data protection measures and transparency on how data is collected and stored, as well as its deletion, must be established as key points of negotiation in the outsourcing processes by educational centres. In short, this study puts on the table the need to inform the educational community and make it aware of the implications that an imprudent use of the technologies with which they work on a daily basis may entail, to introduce these subjects in the educational plans, and, finally, to continue advancing in the research of the issues addressed in the study.


Safe environments? Data intensive technologies in Barcelona’s high schools

A project in collaboration with the Barcelona City Council