Back to school and the use of student data

Back-to-school and the use of student data

Back to school is a good time to remind parents of their children’s rights as students and to remind schools of their obligations, which are becoming increasingly numerous and stem from different regulations, including those related to the protection of student and employee data.

Minors and adolescents are considered vulnerable groups and are subject to the highest standards of protection in our legal system, and data protection is no exception.

To provide context, in the education sector we identified the following actors that help to comply with student and employee data protection.

Existing figures in educational centers

The educational centers have identified the following figures that interact in data processing.

Students:

They are the owners of the personal data and to him/her it belongs.

Students may be under or over 14 years of age; in this case, when they are under 14 years of age, it will be the parents or guardians who will consent to the processing of the data, and not the minor.

The student is the interested party.

Teachers and other employees with access to personal data:

These groups are obliged to maintain the confidentiality of the data they access and not only to protect the students’ data, but also the data of their own co-workers.

These persons, each one of them, have the status of interested parties.

The educational center:

It is the legal entity represented in the educational center, and that determines the purposes of the processing of personal data, both of students and professionals and administrative body that integrates the center.

Therefore, it holds the figure of the person in charge of the treatment.

The data processor

It is usually external to the educational center, and processes the data provided by the data controller, following its instructions. A clear example of a data processor in an educational center is the company in charge of the canteen or extracurricular activities.

The Data Protection Officer (DPO):

All educational centers are required to appoint a DPD, according to the provisions of art. 34.1 b) of the LOPDGDD, whether appointed by the Public Administration in the Education Sector, if the center is public, or by the school management, if it is private or subsidized.

The functions of the DPD are those established in art. 39 of the RGPD, among which are those of advising in the area of data protection and monitoring compliance with legal obligations in this area, as well as addressing questions, complaints and claims that may arise from those affected, the school or the AEPD itself.

Student Welfare and Protection Coordinator

In addition to the above, there is another figure that we must keep on the radar and that is directly related to the protection and welfare of minors.

Although its purpose is not strictly speaking data protection, it is legally required to have a presence in educational centers; we are talking about the Coordinator for the welfare and protection of students, regulated by Organic Law 8/2021, of June 4, on the comprehensive protection of children and adolescents against violence.

Article 35 of this law states that all educational centers where minors study, regardless of their ownership, must have a Coordinator for the welfare and protection of students, who will act under the supervision of the person who is the director or owner of the center.

Developments in data protection in the education sector

Since it is mandatory to comply with European and Spanish data protection regulations(RGPD and LOPD-GDD), the education sector must comply with numerous obligations, such as carrying out a Register of Activities and a Risk Analysis of the processing of personal data of minors, as well as Impact Assessments(EIPD) and reflect all their treatments in the register of processing activities, as well as appointing a Data Protection Officer(DPD) and a Welfare Coordinator.

However, these are not the only changes that educational centers have had to face in terms of data protection; they have also had to adapt to the provisions of other regulations that directly affect the processing of personal data, including the processing of special category data.

Some of these obligations are detailed below:

Negative certificate of sexual offenses

All personnel who regularly deal with minors, whether their activity is paid or unpaid, will have to provide a negative certificate from the Central Registry of sex offenders (art. 57.1 Organic Law 8/2021, of June 4, on the comprehensive protection of children and adolescents against violence.

Activate a dedicated whistleblower channel

With the entry into force of Law 20/2023 on Whistleblower Protection, all educational centers that employ fifty or more employees must activate their own Whistleblower Channel, as well as develop all the policies and other obligations established in the aforementioned Law.

Training of employees

Teaching and administrative staff, including other employees who may have access to personal data, such as kitchen or cleaning services, must be trained in data protection (art. 39.1.b) of the GDPR).

Additionally, employees must be trained in digital rights, i.e. the right to digital disconnection and the right to privacy (according to art. 88.3 of the LOPD-GDD).

Active responsibility

Generate all the necessary documentation to be able to demonstrate that the school complies with its data protection obligations.

Individual consent from the age of 14

In compliance with the LOPD-GDD, minors may give their consent to the processing of their data, provided that they are over 14 years of age.

Specific security measures according to the risk of the processing

Implement all technical and organizational measures necessary to ensure the protection of personal data, both of students and all school staff.

Consent to publish images

Request the express consent of parents to use the images and voice of minors in school activities that could be publicized on the website or social networks of the school, press, school magazine, etc.

Business Adapter® at your service

If you need to adapt your educational center, contact us by email: info@businessadapter.es, you can also call 96 131 88 04, or leave your message in this form:

[su_button url=”https://businessadapter.es/contacto” target=”blank” background=”#f6f903″ color=”#181818″ size=”7″ center=”yes” icon_color=”#000000″]Contact us, we will be pleased to help you.[/su_button]

Contact us, we will be pleased to help you.
error: Content is protected !!