Privacy and Children's data

Personal data processing in schools

Published on January 29, 2019 by Taceo Limited

Daily processing

Think of the number of times you see a child walking home from school staring at their mobile device, or when Bob comes home from nursery with a picture of himself taking part in some play activity, or when you receive a school’s newsletter via email containing pictures and names of kids grinning proudly. Parents/guardians may receive an email from the school asking for their child’s lunch account to be electronically topped up, or a school may send you a text message to remind you of some pending activity that you have entirely forgotten about.

These are but a handful of examples of the personal data processing that takes place at schools on a daily basis. They make evident the significant amount of personal data, including sensitive personal data (special categories of personal data), processed by the children's education sector. It’s not just the child’s personal data you need to think about, but also yours when you share your personal details as the parent/guardian or emergency contact.

Privacy laws

The question: with ever-limited budgets, how are schools (particularly those funded by local government) ensuring that the processing of children's (and adults') personal data is compliant with both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018?

The public sector as well as the private sector falls squarely within the grasp of the GDPR, and there are simple steps for schools and the education sector to be mindful of.

Practical Tips

1. Control who has access to children’s data and why

Know which teams/departments have access to personal data and implement access controls to make sure that not everyone in the school office can access every child’s data. If children’s personal data is captured in the classroom, have a process for storing that data in accordance with your internal information security and privacy policies. If you don’t have such policies, write them up and implement them properly.

2. Storing personal data in a secure way

Remember the basic rules: use strong passwords and encryption where possible, and think about how you share data. Don't email the masses if you are sharing personal data, and don’t share Bob’s picture with all parents without the consent of Bob’s parent/guardian. If Bob is old enough to give consent himself, then it is Bob’s consent that is needed.

3. Limit the sharing of personal data

Know who you share personal data with and ensure that there are limitations on how personal data is subsequently shared/processed. If you use third-party providers (e.g. cloud service providers, website hosting providers, third-party educational websites/apps etc.), be sure to understand what you are buying, the privacy statement that details how personal data is processed, and what security there is to protect the information you store with them. Don't assume third parties are already compliant. Have personal data and security questionnaires ready to help you ask the right questions.

4. Data Subject Rights and Consent

Remember that data subjects have certain rights under the GDPR which they can exercise at will. Put in place a process for data subjects to exercise their rights. Your public-facing privacy statement should explain how data subjects can exercise their privacy rights. Create a privacy mailbox so you have a consolidated point of access. Data subject rights include consent, the right to erasure, the right to rectification and the right to restriction of processing.

5. And when they leave school…?

Have in place a process that allows you to deal with data retention effectively. Don’t hold onto children’s personal data indefinitely and implement a process that allows you to validate the data you hold.

If you would like to discuss any of the above or are interested in hearing more about GDPR, data protection and data privacy, contact us at [email protected].