
The introduction of Act 18/2018 Coll. on personal data protection and amending certain laws and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "Regulation", is not revolutionary in nature, but there are obligations that educational institutions must comply with:
- Information obligation towards data subjects,
- Processing operations,
- Obligation to designate a data protection officer,
- Notification obligation to the Data Protection Authority in the event of a personal data breach,
- Extension of the rights of data subjects,
- Assessment of the impact of personal data processing in the case of special processing of personal data.
In general, schools and educational institutions must take into account the best interests of the child when processing personal data. Children must not be subjected to any unlawful interference with their privacy and family life. Of course, there may be situations where the right to privacy must take a back seat to the best interests of the child (e.g., in cases of child neglect).
When processing personal data, the principles of personal data processing must be observed:
Transparency - since educational records contain not only the personal data of children and students, but also that of their legal guardians and employees, it is necessary to inform all data subjects about the scope and processing of personal data. The information obligation should be easily accessible and understandable to the legal guardian, but should also be understandable to the child itself.
Lawfulness - personal data must be processed lawfully and for a specific purpose. The school operator processes personal data as part of the maintenance of educational documentation on the basis of the relevant Act No. 245/2008 Coll. on Education and Training (School Act) and on amendments to certain acts. However, pupils' personal data are also processed for purposes not arising from a legal obligation, e.g. CCTV or promotion (photos, performances, participation in competitions), which are subject to other legal processing requirements. Such processing (outside the legal obligation) must always be based on a proper legal basis. In the case of a camera system, for example, this may be the legitimate interest of the operator, which is subject to a proportionality test. A camera system must not interfere with the privacy and rights of children under any circumstances, so its use in schools must be properly discussed with personal data protection experts who will help you set up the right technical and organizational measures for operating the camera system.
Accuracy and minimization rule - the controller is responsible for the accuracy and up-to-date nature of the personal data of all data subjects and is obliged to comply with the minimization rule when processing such data. The minimization rule must be applied to every single processing of personal data, which means that the controller must precisely define the minimum scope of personal data needed for the purpose of keeping records. A good example of this is the scope of personal data defined by the Education Act: in order to comply with the minimization rule, the school will process only the personal data listed in Section 11 of the Education Act for the purpose of keeping educational records.
The controller is obliged to protect the personal data it processes, in particular:
- secure the premises where personal data is processed by means of mechanical barriers (lockable doors, windows, grilles, electronic security system),
- store personal data in places or systems to which only the director and authorized persons have access,
- take into account the nature of the personal data being processed,
- store educational documentation in lockable cabinets in a secure area of the school (office); teachers may borrow it only for the purpose of making entries,
- ensure that all authorized persons of the controller maintain confidentiality regarding facts learned in the course of their work and do not disclose data about pupils and children of the school,
- store personal data in electronic form, for example on the EduPage platform, in a secure system; individual teachers have access to it via a password and only to the extent necessary for the processing assigned to them by the operator, and passwords must not be shared; legal guardians of students and students themselves have access to EduPage via a password assigned by their class teacher, and only to their own personal data,
- increase protection against threats from publicly accessible computer networks (hacker attacks) and unsolicited mail, and perform mandatory backups,
- define the specific purposes of processing and the scope of personal data processed, designate authorized persons to process data, instruct and regularly train them, set up password management, rules for handling and protecting company mobile phones and laptops, and restrict the use of e-mail to work purposes only. Regular monitoring by the controller to ensure compliance with the security measures adopted is a matter of course.
Comprehensive guidelines and methodological instructions for teaching staff processing personal data in schools can be found here.
Pitfalls in personal data processing
Schools and school facilities are governed by Act No. 245/2008 on Education and Training (School Act) and on amendments to certain acts, and by the relevant decrees of the Ministry of Education of the Slovak Republic, which precisely define the scope of data processing.
In the school environment, however, children and pupils also participate in various activities, performances and competitions, which are recorded and published as part of the positive promotion of the school. Such processing is subject to the consent of the data subject or their legal representative. Consent must be voluntary, which means that if the child's legal representative does not want a photograph or video recording depicting the child to be published, the controller must accept and ensure this.
When processing personal data on the basis of consent, the rights of the data subjects must be taken into account, in particular:
- the right to rectify personal data,
- the right to erase personal data,
- the right to restrict the processing of personal data,
- the right to data portability,
- the right to object to the processing of personal data
and the controller must know how to guarantee them. This brings us to the issue of posting photos of children and employees on social networks. Facebook and Instagram are becoming increasingly popular these days, but it is important to realize that in the context of such personal data processing, the controller is not able to guarantee all the rights of the data subjects. Furthermore, in the event of misuse of photos on Facebook, the school becomes a joint controller with Facebook, which means that it will be equally responsible. A more appropriate solution is to use social networks only as an information channel and to publish photos on your own website, where you can ensure the security of personal data and all the rights of the data subjects.
Processing of personal data during a state of emergency declared by the Slovak government
During the state of emergency declared by the Slovak government and the pandemic situation due to COVID-19, measures had to be taken to extend the scope of personal data processed in schools, which many data subjects did not like. During the state of emergency, school operators were required to collect sensitive personal data as part of affidavits in which the legal representatives of children/students and employees stated their health status (including the results of COVID-19 tests or exemptions from testing). It is important to protect the life and health of children, pupils and staff in schools. The legal basis for such processing of personal data is Article 6(1)(d) of the GDPR and, for sensitive personal data, Article 9(2)(i) of the GDPR, provided that the controller only inspects the test result and does not process it in any other way.
It is advisable to communicate each and every operation involving the personal data of data subjects to the person responsible for personal data protection and to set this up in accordance with Act No. 18/2018 Coll. on personal data protection and on amendments to certain acts and the GDPR.
Act No. 245/2008 Coll. on Education and Training (School Act) and on Amendments to Certain Acts