From photos of pupils in class, to the school homepage, to exchanges in social networks – schools are also subject to the GDPR. We explain how data protection affects schools and what teachers, pupils and parents should take into account.
The GDPR affects many areas of schools. In the following, we will outline the most important regulations to ensure the correct protection of personal data within school systems.
The website
Since the introduction of the GDPR in May 2018, schools have not been able to avoid making necessary adjustments to their own websites. Every school homepage needs its own data protection declaration according to the GDPR. Fortunately, this will not be too costly, as the state school authorities provide suitable templates.
Schools need a data protection officer
In principle, every school needs an official data protection officer. This requirement is prescribed by Article 39 of the GDPR. It is possible for several schools to join forces and commission a joint data protection expert.
Teachers must take this into account when taking pictures of pupils
Teachers are still allowed to photograph students. However, there are restrictions on publication, which is only permitted with the voluntary consent of the persons depicted. Teachers must inform pupils or parents in advance about the type of use and about the worldwide distribution on the internet. Blanket consents to publication are not permitted. Individual consents are required for all photo and video publications.
Consent for photo publication at school events
What about photos of day trips, class photos and school proms? As soon as they are published on the school’s website, in newspapers or on any other medium, the parents or guardians must sign a consent form that conforms to data protection regulations.
Parents also have the right to revoke their consent at any time and to have the images removed. The consent should include a reference to the educational purpose of the publication.
WhatsApp, Facebook & Co – Need for encrypted clouds
Today, teachers are increasingly interacting with students via WhatsApp, Facebook and other social networks. But what does that mean for privacy?
Teachers are currently taking a high risk because many of these networks run on servers in the US. This means that sensitive data of the persons concerned can be retrieved and attacked automatically.
One solution would be encrypted cloud systems that store personal data exclusively in Europe (e.g. the end-to-end encrypted cloud solution from TeamDrive).
In addition, it makes sense to set up social media rules that all colleagues and students should adhere to.
Although the respective school management is obliged to keep up with current data protection laws and to ensure that data protection-relevant content is handled securely, many schools are not yet up to date. There is therefore an urgent need for action here.
Communication via encrypted e-mails
Schools also have a data protection obligation with regard to e-mail traffic. In principle, all e-mails should be encrypted. This requires integrating encryption services into every e-mail program.
Internal processes – technical and organizational data protection measures
With regard to internal processes, schools have a great deal of work to do. The entire IT system must be designed in such a way that it complies with the GDPR. This includes, for example, the complete encryption of digital student files or the regular creation of backups.
In addition, all processes in which personal or sensitive data is processed must be documented. The record of processing activities in accordance with Article 30 of the GDPR serves this purpose. Within the framework of the guidelines for these records, all personal data must be entered together with the purpose of the data processing.
Schools are also subject to the obligation to register and notify pursuant to Article 22 of the GDPR. If the educational institution notices that unauthorized persons are being granted access to personal data of pupils and teachers which could have a damaging effect, this must be reported to the competent supervisory authority.
A case could be, for example, where harmful content about a young person is disseminated over the Internet in the middle of his or her school years. Then those responsible should act immediately.
Save and minimize data
In the context of data protection, all persons concerned are required to minimize data and to handle information about persons sparingly. This applies in particular to schools that have kept stacks of student files and forms.
Schools are advised to question whether each record is necessary. From information about the health status of pupils to data about parents, only documents that are relevant to the pupil's time at school should be kept.
An example: Parents’ emergency telephone numbers should of course be stored. However, it is not strictly necessary to store further data about the work and private life of the respective legal guardian.
Data protection warnings for schools?
As a rule, schools do not have to be afraid of data protection warnings, as they are not subject to competition regulations. However, warnings and penalties regarding copyright and personal rights are possible. The latter is the case when licensed content or unauthorized photos are used on the school’s own website.
Digital data security in the future
Schools should think about the future when they use new technologies. This includes social networks, digital teaching materials, analysis systems and big data tools.
The relevant rule is the “Data Protection Impact Assessment” according to Art. 35 of the EU General Data Protection Regulation. With every new data processing activity on the Internet or in digital media, schools are obliged to assess the consequences and risks of the measures. The assessment must show that the protection and security of personal data are ensured. If this is not the case, the introduction of the new system is strongly discouraged.