1. Seeking consent is far from always necessary
“Educational institutions generally like to seek consent to collect, store and share personal data. This is understandable as they work on the basis of mutual trust with pupils, students, parents and other stakeholders. But don’t lose sight of the fact that consent is the last resort. Because if it is not given or is withdrawn again, there is nothing left to fall back on.”
Therefore, at the outset, take a good look at why you, as an educational institution, need this data. Do you have to collect it? Also check whether the law requires you to collect the data, because if it does, you don't need to seek consent. So try to move away from the basic attitude that consent is always required. But always explain clearly what you are doing and why.
2. Tricky situation? Know what your rights – and duties – are
“Parties can sometimes be fairly coercive in the way they demand that educational institutions should share or not share information. Take parents who are in a contested divorce. In such a situation, it’s important to be even-handed when providing information and to carefully check the legal position of those involved. Because if both parents have custody, they should be kept equally informed of their child’s progress in school.”
Even an authority like the police can adopt a coercive tone when requesting personal data. When doing so, they have to submit a specific and legally valid request. As an educational institution, it can be difficult to stay in control here, as you don’t deal with this kind of thing on a daily basis. But you are usually in a stronger position than you think. If possible, try to keep calm during the process and take time to find out what your rights and duties are.
3. Don’t take on too many responsibilities
“Educational institutions often collaborate with chain partners. When doing so, they are quick to take upon themselves the responsibility for processing personal data. We regularly see them entering into a processing agreement with the partner, when in fact it’s a cooperation agreement that should be made. In the latter, partners have much more of a joint responsibility to ensure privacy.” So even in collaborations, stay focused on your own role and position and the rights and duties they entail.
4. Continuous process
Educational institutions have gone through “a huge car wash” since the introduction of the GDPR, as Sharinne puts it. “The flood of new rules and processes, information and discussions about privacy was enormous. And it still is.” Privacy and data protection, she says, are an ongoing process that you need to monitor continuously.
“Especially with developments like online exams and proctoring, hybrid learning and immersive technologies based on virtual reality. And don’t forget the use of tools like Zoom and products from Microsoft, which have recently come under fire. It’s essential to be alert and to stay alert, as privacy continues to be a hot topic in education as well.”