Processing of Personal Data in Schools

09.06.2021 | Author: Top privacy, s.r.o.

The enactment of Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts, and of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “Regulation,” is not revolutionary in nature; however, there are obligations that educational institutions must fulfill:

  • The duty to inform data subjects,
  • Processing operations,
  • The obligation to designate a data protection officer,
  • The obligation to notify the Office for Personal Data Protection in the event of a personal data breach,
  • Expansion of data subjects’ rights,
  • Impact assessment of personal data processing in the case of specific processing of personal data.

In general, schools and educational institutions must take into account the best interests of the child when processing personal data. A child must not be subjected to any unlawful interference with their privacy or family life. Of course, there may be situations where the right to privacy must take a back seat to the best interests of the child (e.g., in cases of child neglect).

When processing personal data, it is necessary to adhere to the principles of personal data processing:

Transparency - since educational records involve the processing of personal data not only of children and students but also of their legal guardians and employees, it is necessary to inform all data subjects about the scope and processing of personal data. The information notice should be easily accessible and understandable to the legal guardian, but it should also be comprehensible to the child themselves.

Lawfulness - personal data must be processed lawfully and for a specific purpose. The operator of the school facility processes personal data as part of maintaining educational records pursuant to Act No. 245/2008 Coll. on Education and Training (the School Act) and on amendments to certain laws. However, students’ personal data is also processed for purposes not arising from a legal obligation, e.g., CCTV systems or promotional activities (photos, performances, participation in competitions), which are subject to different legal grounds for processing. Such processing (beyond a legal obligation) must always be supported by a valid legal basis. For example, in the case of a CCTV system, this may be the legitimate interest of the controller, which is subject to a proportionality test. Under no circumstances may a CCTV system infringe upon a child’s privacy or rights; therefore, its use in schools must be properly discussed with data protection experts, who will help you properly establish the technical and organizational measures for operating the CCTV system.

Accuracy and the principle of data minimization – the controller is responsible for the accuracy and up-to-date nature of the personal data of all data subjects and is obligated to adhere to the principle of data minimization when processing such data. We must apply the principle of data minimization to every instance of personal data processing; this means that the controller must precisely determine the scope of personal data processing, which is minimized to the extent necessary for administrative purposes. A great example of this is the scope of personal data defined by the School Act. To comply with the principle of data minimization, the school will process only the personal data defined in Section 11 of the Education Act for the purposes of maintaining educational records.

The controller is obligated to protect the personal data it processes, in particular by:

  • securing the premises where personal data is processed using physical security measures (lockable doors, windows, bars, electronic security system),
  • storing personal data in locations or systems accessible only to the principal and authorized persons designated by the principal,
  • taking into account the nature of the personal data being processed,
  • storing educational records in lockable cabinets in a secure area of the school (office); these are loaned to teachers solely for the purpose of making entries,
  • requiring all authorized persons of the controller to maintain confidentiality regarding facts learned in the course of their work and not to disclose data about students and children of the school,
  • storing personal data in electronic form, for example in the case of the EduPage platform, in a secure system. Individual teachers have access to it via a password and only to the extent of processing assigned by the operator. Passwords must not be shared. Legal guardians of students and the students themselves have access to EduPage via a password assigned by the homeroom teacher. Access is limited to their own personal data,
  • enhancing protection against threats originating from publicly accessible computer networks (hacker attacks) and against unsolicited email, and ensuring mandatory backups,
  • defining the specific purposes of processing and the scope of personal data being processed; formally authorizing the persons who process data, instructing them, and providing regular training; establishing password management policies; defining the handling and protection of work-issued mobile phones and laptops; and restricting email use to work-related purposes only. Regular monitoring by the controller, focused on compliance with the adopted security measures, is a matter of course.

A comprehensive guideline and methodological instructions for teaching staff processing personal data in school environments can be found here.

Pitfalls in the Processing of Personal Data

Schools and educational institutions are governed by Act No. 245/2008 on Education and Training (the School Act) and on amendments to certain laws, which precisely defines the scope of processed data, as well as the relevant decrees of the Ministry of Education of the Slovak Republic.

However, in the school environment, children and students also participate in various activities, performances, and competitions that are recorded and published for the purpose of positively promoting the school. Such processing, however, is subject to the consent of the data subject or their legal guardian. Consent must be voluntary; this means that if a child’s legal guardian does not wish for a photograph or video recording featuring the child to be published, the controller must accept this and ensure compliance.

When processing personal data based on consent, it is important to be aware of the rights of data subjects, in particular:

  • the right to rectification of personal data,
  • the right to erasure of personal data,
  • the right to restriction of processing of personal data,
  • the right to data portability,
  • the right to object to the processing of personal data

and to know how to ensure them. This brings us to the issue of publishing photos of children and staff on social media. Facebook and Instagram are becoming increasingly popular these days, but it is important to realize that, within the context of such personal data processing, the controller is unable to ensure all the rights of data subjects. Furthermore, in the event of misuse of photos on Facebook, the school becomes a joint controller with Facebook, meaning it will be equally liable. A more appropriate solution is for the school to use social media as an informational channel and to publish photos on its own website, where it can ensure the security of personal data as well as all the rights of data subjects.

Processing of Personal Data During the State of Emergency Declared by the Slovak Government

During the state of emergency declared by the Slovak government and the pandemic situation caused by COVID-19, measures had to be adopted that expanded the scope of personal data processed in the school environment, which many data subjects did not approve of. Under the state of emergency, school facility operators were required to collect sensitive personal data as part of affidavits in which the legal guardians of children/students and employees reported their health status (specifically, the result of a COVID-19 test or, where applicable, the definition of an exemption from testing). It is important to protect the lives and health of children, students, and school staff. The legal basis for such processing of personal data is Article 6(1)(d), while the exception to the processing of sensitive personal data under Article 9(2)(i) of the GDPR applies if the controller merely reviews the test result and does not process it in any other way.

It is advisable to communicate every single operation involving the personal data of data subjects to the person responsible for data protection oversight and to configure this in accordance with Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts and the GDPR.

Sources: https://dataprotection.gov.sk/uoou/sites/default/files/metodika_suladu_spracuvania_osobnych_udajov_v_prostredi_skol.pdf

Act No. 245/2008 Coll. Act on Education and Training (School Act) and on Amendments to Certain Acts

