Business life
Processing personal data in schools and kindergartens
Processing of personal data in schools and kindergartens takes place on a regular basis. In addition, different types of processings take place. For example, attendance lists, grades and personal development plans.
Children are a group worthy of extra protection
Children are a group worthy of extra protection and therefore the rules of the GDPR are stricter when it comes to the processing of children’s personal data. Whether private or public schools, preschools or kindergartens within the EU/EEA area, they must comply with the GDPR (GDPR) when processing personal data.
Are the teachers at the school or kindergarten data controllers?
No, it is not the teachers, principal or other staff who are responsible for personal data, but instead it is the organisation itself that holds that role. In other words, it is the schools and kindergartens as organizations that are responsible for complying with the rules of the GDPR.
Teachers cannot therefore be personally liable if they process personal data incorrectly, unless there has been a criminal act. However, those working within the organisation must follow the instructions given by the controller.
Processing of personal data in schools and kindergartens
Schools and kindergartens that are data controllers must comply with the rules of the GDPR when processing personal data. Among other things, they need to comply with the basic data protection principles and have a legal basis for all individual processing operations. In addition, they need to take appropriate technical and organisational measures to protect personal data, comply with the rights of data subjects, etc.
What are common legal bases for a school or kindergarten to use for its processing of children's personal data?
These are some legal bases that schools and kindergartens usually use for different types of processings:
Task of public interest
In order to use this legal basis, the processing must be regulated by national or EU law. For example, a school may have a general interest in administering student attendance. The same applies to documenting students' knowledge prior to development discussions.
Exercise of public authority
The exercise of public authority means that the makes decisions concerning an individual in accordance with the law. In schools and kindergartens, this can happen when they grade students, or decide on special support for children in school or kindergarten.
Consent
Consent is in most cases not an appropriate legal basis to support processing of personal data conducted by schools or kindergartens. However, it may be appropriate in some cases. For example, it is advisable to request the consent of parents in order for their children to be included in school photography.
Legitimate interest
Public schools are not allowed to support their processing on the legal basis of legitimate interest in the performance of their tasks. However, private operators can do so, but they should avoid it.
Children are particularly worthy of protection under the GDPR
When processing children’s personal data, it is important to keep in mind that they are particularly worthy of protection. This is mainly because children may find it more difficult to understand what rights they have in relation to their personal data. In addition, they may not fully understand the risks involved in the processing of their personal data.
What rights do children have under the GDPR?
Children have the right to information on how their personal data will be processed, and the information shall be provided in an easily accessible manner and formulated in a way that children understand.
The language in which the information is drafted shall be the national language of the country where the children live. It must also not be worded in a complicated way, and the text must not be too long. It is important that the controller ensures that children understand the information about the processing of their personal data and their rights.
Can schools and kindergartens process sensitive personal data?
According to the general rule in Article 9 of the GDPR, sensitive personal data is prohibited from processing. However, there are exceptions that allow such processing. Please note that it is important to keep in mind that the rules are stricter when processing sensitive personal data.
For example, the school needs to take appropriate technical and organisational measures to protect the sensitive personal data. In addition, it must be necessary to process the data for the purpose in question.
These are two examples of when schools and kindergartens usually process sensitive personal data:
Data on sick leave from those who work at the school or kindergarten is a task that reveals information about a person's health, which is sensitive personal data according to GDPR. For example, it is important not to send a payslip unencrypted if it contains information about sick leave.
Students who attend an adapted class in a school or in an adapted school or kindergarten for example children suffering from any illness or disability, means that the school processes sensitive personal data about the students.
Digital teaching and distance learning
Digital teaching became more common after 2020 and places demands on the privacy interests of both students and teachers. Schools need to analyse what personal data is necessary to process in order to carry out digital education.
In addition, it is important to analyse which programmes the school uses for digital teaching, as some programmes may belong to companies in a third country. In such cases, special rules apply that are stricter, as it often also involves data sharing with third countries.
Images and video recordings of students in digital teaching
In some cases, it is not necessary for pupils to be visible in the context of distance learning, in which case they should not be visible. An image that makes it possible to identify a student is also personal data.
Does the school need to appoint a data protection officer?
Authorities must always appoint a data protection officer, and the same applies to municipal schools. Students, parents and teachers can contact the data protection officer for questions regarding the processing of personal data. Private schools may also have data protection officers, but this is not always a requirement.
Information about GDPR
Educating staff in data protection work
In order for the staff to be able to perform their tasks in accordance with the GDPR, it is important to educate them. In addition, staff should receive written instructions regarding the processing of personal data. For example, how they should act when a personal data breach occurs. Both teachers and students need instructions on how to use equipment and other things in digital teaching, to avoid personal data breaches.