European School Education Platform

A brief guide to GDPR for schools and teachers

Data protection is essential: it means privacy and respect, and freedom from manipulation. Nonetheless, some anxiety has followed the European Union's GDPR (General Data Protection Regulation). Do schools need to adjust their record-keeping? Which information is considered sensitive? Can you still carry school data on a portable device? This tutorial will put you in a better position to safeguard your students' data, and to understand what happens with your own.

Know the difference: personal and sensitive data

Personal data means any information relating to an identified or identifiable living person. In school records, this includes a student's name, address and contact details, their disciplinary records, and their marks and progress reports, as well as the same details held about their parents or guardians. Data stays "personal" even if the individual chooses to publicise it: what matters is that it relates to an identifiable person, not that it is secret.

A special category of data touches on more sensitive topics. Where schools are concerned, this includes students' biometric data (e.g. fingerprints; a photo only counts as biometric data when it is processed by technical means that uniquely identify a person, such as facial recognition), religious beliefs (e.g. a student's opting out of religion class), health (e.g. allergies) or dietary requirements (which may hint at their religion or health). Processing such data is prohibited by default because of the risk it poses to the people concerned; it is allowed only when one of the specific conditions in Article 9 applies. For a school the condition most often available is explicit consent, given by a parent or guardian where the student is too young to give it, so in practice schools will rarely be able to use this data without parental consent.

Know the difference: data controllers and data processors

The GDPR highlights the importance of two roles, which can be either individuals or entities: a data controller determines the means and purposes of processing data, while a data processor handles the data on behalf of the controller. Each of these parties has different legal responsibilities.

The school will typically be the "controller", so it must have a written contract with each "processor" that sets out what the processor may do with the data, that it acts only on the school's documented instructions, that it keeps the data secure, and that it deletes or returns the data when the service ends (Article 28 lists the required terms). A processor can take various forms: a photographer, a shredding company, an online learning platform, or the vendor that runs a piece of software on the school's behalf (the software itself is not a processor; the organisation operating it is). Any operation these entities perform on data counts as processing, whether done by hand or automatically: collecting it, storing it, retrieving it, destroying it, and so on. A vendor that decides for itself what to do with the data is no longer a mere processor but a controller in its own right, with the corresponding obligations.

Good practices: monitor yourself

Under the GDPR, public schools (like other public authorities and bodies) must appoint a Data Protection Officer, a person dedicated to data protection; private schools may also need one, depending on national law and on the scale and sensitivity of their processing. The Data Protection Officer's job is to monitor the school's policies, provide training, conduct audits, advise on data protection impact assessments, and act as the contact point for the supervisory authority. But schools shouldn't count on the Data Protection Officer to discover every flaw in their systems. Here are some questions everyone should ask themselves:

  1. On what grounds are you processing data? There are six lawful bases for processing personal data under the GDPR (Article 6). Most relevant to schools is the lawful basis public task, which means the data is used to perform a task carried out in the public interest or in the exercise of official authority. However, data collected for that purpose cannot be reused for an unrelated one (this is the principle of purpose limitation). For example, the school cannot hand a parent's email address to a third party that promotes school events and call that a "public task"; to share the data it needs another lawful basis, normally the parent's consent. Consent must be freely given, specific, informed and as easy to withdraw as it was to give, so it should not be relied on for anything the school would have to do anyway. Schools should also seek consent if they set up a student account on a cloud-hosting service.

  2. What data is held where, and who has access to it? Schools should audit their data-processing practices: which personal data they hold, where it is stored (filing cabinets, school servers, staff laptops, cloud services), who can access it, how long it is kept, and which processors it is shared with. This inventory also feeds the record of processing activities that Article 30 requires controllers to keep. Once they have a full overview of the personal data at their disposal, they can consider the best way to protect it.

  3. What security measures do you have in place? Data breaches aren't always the work of hackers and malicious software; they can also be the result of a laptop forgotten on a train, or a curious family member. For that reason, staff should only store personal data on school equipment, use strong and unique passwords, enable full-disk encryption on laptops, and set their devices to auto-lock after five minutes. If personal data is copied to removable media, such as a USB stick, the media (or the files on it) must be encrypted with a strong passphrase: a password prompt without encryption behind it offers no protection once the stick is lost. Keep it where other users cannot reach it, and delete the copy as soon as it is no longer needed. Staff should also undergo training on social engineering, phishing, cloud technologies, ransomware attacks and the like. Finally, know what to do when something goes wrong: the school must keep an internal record of every personal data breach and, unless the breach is unlikely to put people at risk, notify the supervisory authority within 72 hours of becoming aware of it (Article 33); where the risk to the individuals is high, the affected students and parents must be informed as well (Article 34).

  4. What do parents know? Schools should issue a privacy notice to parents via the prospectus, a newsletter, a report, or a letter/email. In it, they should state what data they collect, why they collect it and on which lawful basis, how long they keep it, and which third parties receive it. Keep in mind that, under the GDPR, parents and students can ask to see the data held about them free of charge (the right of access), and the school must normally respond within one month.

Good practices: inform yourself

Not only adults, but also children should give some thought to data protection. For that reason, the Joint Research Centre has developed the mobile game Cyber Chronix, where players must tackle a series of GDPR-related obstacles on a futuristic planet.

If you wish to know more about GDPR, you can also contact your country’s Data Protection Authority.

You can also read these publications, which helped to create this tutorial:

Finally, take this 30-second quiz by 360data to evaluate your data protection policy!