The General Data Protection Regulation ("AVG") has been in effect since last year. This legislation affects almost all companies and sectors. This also applies to schools (primary and secondary education). In this blog, we discuss topics that are AVG-related and affect almost every school, such as the use of student records and the publication of images of students.
Duty to inform
Schools have a duty to inform under the AVG (art. 13 and 14 AVG). This means that they are obliged to inform pupils and/or their parents about the processing of personal data, including:
the purpose for which the personal data are processed (for example, registering a child as a student at the school and creating a student file);
the legal basis on which the processing is based (e.g., consent);
to whom personal data may be provided (for example, the Education Executive Agency, the Public Health Service/school doctor and the Education Inspectorate);
what the rights of students and/or their parents are (for example, the right to inspect); and
how long personal data is kept.
The information must be concise, simple, accessible and understandable (Art. 12 AVG). It must be clear to students and/or their parents what is meant by the processing of personal data. Schools should therefore provide the aforementioned information preferably via the website or by e-mail, for example in the form of a privacy statement.
Pupil records
Schools use pupil records to identify and track the development, behavior and learning achievements of their students.
What data are in student records?
Examples of (personal) data in student records are:
name, address and place of residence (NAW data);
entry and exit data;
absence data;
student health data needed for special counseling or special services;
student achievement data; and
records of conversations with parents.
What rules from the AVG are relevant?
Pupil records contain personal data. The AVG is therefore applicable. When processing personal data in pupil records, the following are important, among other things:
Schools may only process data in the student file if it is necessary for the purpose (Art. 5 and 6 AVG).
Schools must take appropriate technical and organizational measures to secure and protect pupil data (arts. 5, 24 and 25 AVG). Consider, for example, access to student records based on the "need to know" principle.
Schools may be required to conduct a data protection impact assessment (DPIA) for the use of student records (Art. 35 AVG). A DPIA requires schools to identify the privacy risks of a data processing operation. Based on a DPIA, schools can take measures to reduce these risks. A DPIA is mandatory if a data processing operation is likely to pose a high privacy risk to, for example, the students whose personal data the school processes.
Schools must include data processing in student records in their register of processing activities (Art. 30 AVG).
How long may personal data be kept?
Under the AVG, personal data may not be kept longer than is necessary for the purpose for which they are processed (Art. 5 AVG). This means that schools must have a retention period policy. Having such a policy means not only that it must be clear which retention periods apply within the school, but also that those retention periods are actively enforced.
The AVG does not give concrete retention periods. In principle, the Personal Data Authority uses a retention period of 2 years for student files after the student leaves school. Legal retention periods apply to some data. In that case, schools (or other educational institutions) are obliged to comply with this period. An example is data on the preschool education program a child has attended. These data must be kept for 2 years after the child has left the child center or preschool (Art. 167 Primary Education Act).
Publish visual material
Schools can publish visual material of their students, for example online or in a (paper) school newspaper. The AVG sets rules for the publication of visual material. The Personal Data Authority ('AP') has previously called on schools to handle visual material (that is, photos and videos in which students can be recognized) with care. A few points of attention are mentioned below:
Permission
If a school wants to publish visual material of students, the school must seek permission. Pupils aged 16 and older must give permission themselves. For younger pupils, the school needs parental consent (Art. 5 UAVG). For consent to be valid, the following conditions must be met (Art. 7 UAVG):
Consent must be given freely and not under pressure. For example, the student or parents should not be disadvantaged if they do not give consent.
Consent must be unambiguous. It must be absolutely clear that consent has been given. The school must not rely on the principle "he who is silent, consents."
The school must ask permission for specific processing and purpose. For example, posting photos and videos through the website to report to parents about a school camp.
It should be as easy for students and parents to withdraw consent as it is to give consent.
Consent can be arranged when the student is enrolled, for example through a consent form. However, when changes or adjustments are made to the data processing, the school must ask for consent again (and thus the above conditions for valid consent must again be met). Incidentally, the school must be able to prove it has valid consent from students or their parents. Therefore, record permission for publication of visual material in writing.
Security
The school must take appropriate technical and organizational measures to secure visual material against misuse, loss, etc. An example of an appropriate measure is restricting access to the visual material. Consider a portal on a website where only students and parents can log in to view the visual material.
Finally
With the advent of the AVG, we recommend that schools take a critical look (again) at their privacy policies. As explained above, the AVG plays a role in several areas. Moreover, students should be considered a vulnerable group. Therefore, schools should at all times handle the data processing of this group with care. This requires schools to instruct their employees on the AVG and how to apply it in practice. Lack of privacy awareness within an organization is a compliance risk. As a result, there is a higher risk of sanctions when, for example, a data breach is not properly handled and, where necessary, reported.