Personal Data in Educational Centers
Personal Data in Educational Centers
We analyze the impact of the European (RGPD 679/2016) and Spanish(LOPD-GDD 3/2018) personal data protection regulations on Educational Centers.
Legitimation of personal data processing
The starting point for the lawful processing of personal data is the consent of the data subject. Consent will therefore be what legitimizes the processing of personal data. processing of personal data by the data controller.
Although educational centers have legitimacy for the processing of student data, as provided by the Organic Law of Education(LOE 2/2006) for the processing of personal data in the exercise of their teaching and guidance functions, but with restrictions, as we will see below, which require express consent..
Information on the processing of personal data
The fact that educational centers do not require the consent of the data subjects to process their personal data, they are obliged to inform about certain aspects of the processing, such as, for example:
- Identification of the Educational Center
- Identification of the Data Protection Officer
- Purpose of treatment
- The recipients of the data transfers
- The consequences of not providing the required personal data
- Your rights and how to exercise them
Data Protection Officer
The LOPD-GDD in its article 34.1 letter b), establishes the case in which it requires an Educational Center to designate a Personal Data Protection Delegate (DPD-DPO):
“The teaching centers that offer education at any of the levels established in the legislation regulating the right to education, as well as public and private Universities”.
According to the GDPR, the Data Protection Officer shall be appointed on the basis of his/her professional qualifications and, in particular, his/her specialized knowledge of data protection law and practice and his/her ability to perform the duties set out in Article 39 of the GDPR.
This Data Protection Officer may be a natural or legal person and may be part of the staff or under a service contract.
Data protection audits
As provided for in Article 39 of the GDPR, the Data Protection Officer shall monitor compliance with the provisions of this Regulation, other Union or Member State data protection provisions and the policies of the controller or processor on the protection of personal data, including the allocation of responsibilities, awareness raising and training of staff involved in processing operations, and related audits;.
Processing of personal data in Educational Centers
We classify the personal data that schools must or may process in the performance of their duties:
General Personal Data
The educational centers will request the following personal data necessary to develop the teaching activity and the parents or legal guardians:
- Identifying data of students, legal guardians and employees
- Student and faculty curriculum information
- Financial data of teachers and legal guardians
- Photographs of students and teachers
- Images (videoconference sessions) of students with teachers and students with legal guardians.
Special Category Data
Schools will request data considered special category data, such as:
- Ethnicity, family situation, and/or family environment.
- Personal characteristics or aspects.
- Health-related data such as allergies and intolerances (canteen service) or other data necessary to receive medical attention.
- Physical disability data for both students and teachers
- Student psycho-pedagogical data
- Criminal certificate of sex offenders, requested from teachers
The processing of data concerning the religious orientation of students may also be considered necessary in certain centers.
Other processing of personal data
Data processing that is not necessary but is commonplace is quite common:
- Inclusion of parents in WhatsApp groups
- Advertising by email, Whatsapp or other means.
- Images collected in events promoted by the educational center.
- Posting images on websites, social networks and instant messaging applications
Prior consent from students and parents/guardians is required for all of them.
Consent to the processing of personal data
It should be noted that the last four points mentioned above require the express consent of students (over 14 years of age), parents and teachers, since the purpose is not related to the educational mission of the center.
The age established by the LOPD-GDD, to grant consent autonomously is 14 years, therefore, for children under 14 years, the center must have the consent of parents or legal guardians.
Access to students’ personal data
In general terms, the center and its teachers should only have access to the student’s information strictly necessary to carry out their educational functions and to guarantee the adequate care of the student. Putting into practice the principle of data minimization.
Training and other security measures
Training will be required for teaching staff and those involved in the process of processing personal data of students, parents, teachers, suppliers, etc. (administration staff, human resources, etc.), as established in Article 39.1 b) of the GDPR .
In reference to the security measures to be adopted by the educational centers, they will be those established in both the RGPD and the LOPD-GDD. Additionally, public educational centers must implement the National Security Scheme.
Specific situations
International data transfer
Schools may communicate student data to other foreign schools in cases of exchange.
Whenever personal data is sent outside the European Union, Norway, Iceland and Liechtenstein, it will be considered an international transfer of data and would require the consent of the student or guardians.
And it does not have to be a simple communication of data to third parties, it would be enough to hire a service to a provider that is in a country not included in the countries listed above, involving a cloud hosting of data.
Cyberbullying, grooming or sexting
In cases where there may be a violation of a person’s rights, the school may be able to access a student’s instant messaging services without the student’s consent.
In other cases, the content and passwords for access to instant messaging platforms (e.g. WhatsApp or Telegram) are considered personal data and access would require the prior consent of the student, if he/she is 14 years of age or older, or failing that, by the parents or legal guardians.
Delivery of Academic Grades
Grades will be released to parents and students only and if shared via educational platforms, access will be restricted with identifiers and passwords.
In cases where students are over 18 years of age, parents may request their children’s grades, provided that the parents pay for their children’s education or living expenses, since there is a legitimate interest in knowing their children’s academic progress.
Privacy of students in cases of gender violence
In cases in which the student requests the elimination of the publication of his or her data in the admission lists, the request will be granted, in order to preserve his or her security and privacy.
Publication of the list of admitted students
When a number of requirements must be met in order to be admitted as a student in an educational center, lists may be published.
However, it should be noted that this list will be published with certain limits or restrictions, so that the applicants are the ones who have access to it.
Publication of lists of scholarship recipients
According to current regulations, it is mandatory to publish information on subsidies and public aid granted by the Public Administrations.
However, it is important to point out that in no case may personal data be published that have nothing to do with the requirements established by the Administration for the granting of the corresponding aid in each case.
These lists should also be withdrawn when they are no longer considered necessary.
Academic Records
Teachers, in their relationship with students, will have free access to their academic records and health data. This access is considered necessary in order to properly carry out the work they perform.
The purpose: teachers must be aware of the physical, intellectual or mental limitations of their students. This is to ensure personalized attention to the student.
Separated or Divorced Parents
The relationship of schools with parents who are separated or divorced, regardless of who has custody, involves informing both of them about the academic situation of their children.
In case of conflict between the parents, the case must be brought before the competent judge in family matters for resolution.
But there are cases where a parent requests the center not to provide information to the other parent. In these cases the center must request the Regulatory Agreement or Court Judgment that determines the deprivation of parental rights or prohibition of communication with the children.
The AMPAs
With the prior consent of the students and/or parents, the Associations of Parents and Parents of Students (AMPA) may obtain information directly from the school.
Other treatments
Video surveillance, capture of images by third parties or family members, communication of data to health services, social services, city councils, etc., etc.
Expert advice
Business Adapter® is the Delegate of personal data protection of several Educational Centers, some of them of great prestige.
If you need a Data Protection Officer for your Educational Center, contact us or request a quote.
[su_button url=”https://businessadapter.es/servicios/proteccion-de-datos/presupuesto” target=”blank” background=”#f6f903″ color=”#181818″ size=”7″ center=”yes” icon_color=”#000000″]I want a free quote[/su_button]