Every organisation already had to handle personal data responsibly . But since the introduction of the GDPR, five years ago now, responsibilities have increased considerably. Every legal entity in the Netherlands and the rest of Europe is now bound by strict rules on the processing of personal data, such as its retrieval, storage and sharing.
Educational institutions have picked up the GDPR gauntlet very energetically, according to Nicole Niessen, a partner at Boels Zanders specialising in education law, and Sharinne Ibrahim, a specialist in privacy law within Boels Zanders. The institutions were supported by legal specialists and the sector councils. Nicole: “Education is rapidly maturing in terms of privacy. Not only because of the GDPR, but also, for example, because of the coronavirus crisis. This saw the rapid rise of digital and online education and things like proctoring (the online monitoring of exams, ed.).”
But the sector is also spooked by what is involved in privacy. “Institutions have sometimes even become too cautious.” Because of this caution, organisations sometimes make it more complicated than necessary for their employees, Sharinne believes. She therefore advises educational organisations to always keep their rights, duties and position clearly in mind, with or without specialist legal assistance. Nicole and Sharinne boil this down into the following four pieces of advice:
“Educational institutions generally like to seek consent to collect, store and share personal data. This is understandable as they work on the basis of mutual trust with pupils, students, parents and other stakeholders. But don’t lose sight of the fact that consent is the last resort. Because if it is not given or is withdrawn again, there is nothing left to fall back on.”
Therefore, at the outset, take a good look at why you, as an educational institution, need this data. Do you have to collect it? Also check whether the law requires you to collect the data. Because, if so, you don’t need to seek consent. So try and move away from the basic attitude that consent is always required. But always explain clearly what you are doing and why.
“Parties can sometimes be fairly coercive in the way they demand that educational institutions should share or not share information. Take parents who are in a contested divorce. In such a situation, it’s important to be even-handed when providing information and to carefully check the legal position of those involved. Because if both parents have custody, they should be kept equally informed of their child’s progress in school.”
Even an authority like the police can adopt a coercive tone when requesting personal data. When doing so, they have to submit a specific and legally valid request. As an educational institution, it can be difficult to stay in control here, as you don’t deal with this kind of thing on a daily basis. But you are usually in a stronger position than you think. If possible, try to keep calm during the process and take time to find out what your rights and duties are.
“Educational institutions often collaborate with chain partners. When doing so, they are quick to take upon themselves the responsibility for processing personal data. We regularly see them entering into a processing agreement with the partner, when in fact it’s a cooperation agreement that should be made. In the latter, partners have much more of a joint responsibility to ensure privacy.” So even in collaborations, stay focused on your own role and position and the rights and duties they entail.
Educational institutions have gone through “a huge car wash” since the introduction of the GDPR, as Sharinne puts it. “The flood of new rules and processes, information and discussions about privacy was enormous. And it still is.” Privacy and data protection, she says, are an ongoing process that you need to monitor continuously.
“Especially with developments like online exams and proctoring, hybrid learning and immersive technologies based on virtual reality. And don’t forget the use of tools like Zoom and products from Microsoft, which have recently come under fire. It’s essential to be alert and to stay alert, as privacy continues to be a hot topic in education as well.”
