Member Article

One of the latest and widely discussed GDPR fines in the amount of approximately EUR 20,000 was imposed in Sweden for face recognition in schools. The municipality tried using the new technology to make monitoring the attendance of schools easier. Nevertheless, it failed to ensure a legal basis and proper impact assessment for such data processing. This case is interesting not only because it was the local authority that was punished but because it goes beyond classical processing of children’s personal data.

This case is not the only one related to how educational institutions face challenges related to processing personal data of their students. For example, in France a school was asked to stop video surveillance of classrooms, rest areas and staff offices. As the school complied with the request of the French supervisory authority, no penalty followed.

However, the things were not so good in Norway when the local municipality informed about a fine in the amount of approximately EUR 201,000. The violation was related to an application used by schools, parents and students to exchange messages, which was not secure enough and permitted unauthorized parties to access the personal data processed within the application. Moreover, the application allowed to send sensitive data (such as information on the students’ health condition) without any restrictions.

All these cases show that schools (as many companies) started dealing with the challenges related to technologies. However, not in all cases they can afford a full GDPR compliance process, especially, if it is related to new technologies used for collecting students’ data. In some cases, the laws of Member States do not allow to impose penalties on schools or municipalities as public authorities, thus, there might be less pressure with regards to the compliance. While in other cases (also some cases referred above) this might be allowed.  

Sometimes in order to prevent any further violations supervisory authorities take proactive steps. One of the examples is German where the Hesse Office for Data Protection and Information Freedom banned the use of Office 365 in schools due to the risk of disclosure of personal data processed by schools through the corresponding tools. Another recent example is the statement of the Data Protection Office of Iceland indicating that educational institutions working with children should not share their personal data through Facebook.

Such activity of supervisory authorities was not related only to technological side of children’s personal data, technologies and schools. Very often the guidelines and recommendations cover general data processing questions and myths that prevents schools from choosing the right compliance options. For instance, Czech supervisory authority has recently published a material focused on over-collecting of consents by schools. This trend has been popular not only in educational institutions and many have seen consent as the only way to ensure that data is processed in a legitimate way. But the truth is that in many cases schools do not need consent especially for performing such routine tasks as keeping educational and attendance records. Another thing is photos taken at public events. For such cases the guidelines of a Latvian supervisory authority recommend that a consent would be the most appropriate legal basis for taking photos and making them public.

With the beginning of a new school year there are also many other things to think about both for schools and parents. Schools shall deal with new data protection aspects related to technology but also not to forget about the old basic rules that shall be in place (such as ensuring legal basis, providing privacy notices, minimizing data disclosure). Meanwhile, parents are also recommended to take into consideration which tools they and their children use. One of the important points to pay attention to is how different applications and location tracking devices protect the data and how they share it. Because, as some of them were already accused for security flaws and unclear data sharing practices.