Managing personal data in schools
Introduction. Regulatory changes
As is well known, the entry into force of both the General Data Protection Regulation (GDPR) and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD in Spain) has led to a major change in how the protection of individuals' personal data by companies is regulated. This change has inevitably also affected schools located within the European Union.
The main changes, which are developed throughout the article, are as follows:
Obligation to appoint a Data Protection Officer.
Drafting and implementation of information clauses suitable for stakeholders, as well as contracts to regulate access to data by suppliers.
Record of processing activities.
Risk analysis and impact assessment.
Security of personal data.
Tasks to be carried out: Technical aspects
First of all, it should be noted that the LOPDGDD, in Article 34, extends the cases in which the appointment of a Data Protection Officer (DPO) is mandatory. In this sense, Article 34.1 b) states that the following shall designate a DPO:
Teaching centres that offer education at any of the levels established in the legislation regulating the right to education, as well as public and private universities.
Consequently, both teaching centres and universities must designate a DPO and notify the appointment to the Spanish Data Protection Agency.
In addition, schools should carry out a risk analysis of the personal data processing they perform. To do this, the processing activities must have been identified in advance, a process that relies on the educational centre's Record of Processing Activities, which contains the information required by Article 30 GDPR and must include, inter alia, the following:
Purposes of data processing.
Description of the categories of data subjects and the categories of personal data being processed.
Existence of international transfers.
Expected conservation periods.
In carrying out the risk analysis, we will find that one of the identified processing activities, such as Students, involves both categories of data subjects (minors and their parents/guardians) and types of data (sensitive data such as allergies, intolerances or psychological evaluations, or academic data that includes grades obtained or school performance) that should be taken into particular account, as their processing implies greater criticality.
In addition, the risk analysis should assess, among others, aspects such as the amount of data processed, the purpose of the data processing, and the security measures applied to the information containing personal data for which the teaching centre is responsible, whether in digital or paper format.
In any case, these technical and organisational measures shall be appropriate so that the processing complies with existing regulatory requirements. To do this, it will be necessary to carry out an impact assessment on those personal data processing operations that were identified as high risk in the risk analysis carried out previously, based on the defined risk analysis methodology.
Among the technical and organisational measures of the educational centre, special emphasis will be placed on issues such as training the professionals who manage the processing of students' personal data, managing access and privileges to information, and measures relating to the protection of electronic devices, such as making backups or having an appropriate antivirus.
Tasks to be carried out: Legal aspects
As regards the legal basis for processing students' data, a legal basis should be defined for each processing purpose to be carried out. It should be noted that, as a general rule, schools do not need the consent of data subjects for processing related to educational/school management since, with specific exceptions, it is legitimized by the exercise of the educational function and by the contractual relationship created by the students' enrolment. On the other hand, the express consent of parents/legal guardians, or of data subjects over 14 years of age where appropriate, will apply in other situations such as capturing and publishing images, or recording certain after-school activities.
It should be emphasized that it is essential to comply with the duty to inform data subjects, as set out in Article 13 GDPR, in a way that is easily understandable, accessible and transparent, using clear and simple language. The drafting and implementation of the relevant information clauses for the data subjects whose data is processed by the school will therefore be a key aspect.
Finally, among other necessary issues, the relationship with providers who have access to data should be regulated under a service delivery contract in which the school formally appoints its provider as a processor. Such a contract shall include aspects such as the school's instructions regarding the processing to be carried out, the security measures required, and the destination of the data once the provision of the service has ended.
A project of adaptation to the current regulations on data protection for an educational center will involve at least the management of all the issues mentioned above, without prejudice to the other actions that must be carried out for adequate legal compliance.
Schools should manage the protection of data subjects' personal data adequately, ensuring full transparency with them, which will have a positive impact on the functioning and reputation of the school. In this regard, it should be noted that a data protection breach may entail, in addition to reputational damage given the type of data affected, a substantial financial penalty.
As a result, it is essential to engage an advisory service to ensure compliance with the above, as well as to manage the data protection system centrally through a GDPR software tool such as GlobalSUITE®.
- Managing personal data in schools 10 December, 2020