Privacy in education: how to keep it workable

Every organisation already had to handle personal data responsibly. But since the introduction of the GDPR, five years ago now, responsibilities have increased considerably. Every legal entity in the Netherlands and the rest of Europe is now bound by strict rules on the processing of personal data, such as its retrieval, storage and sharing.

Too cautious

Educational institutions have picked up the GDPR gauntlet very energetically, according to Nicole Niessen, a partner at Boels Zanders specialising in education law, and Sharinne Ibrahim, a specialist in privacy law within Boels Zanders. The institutions were supported by legal specialists and the sector councils. Nicole: “Education is rapidly maturing in terms of privacy. Not only because of the GDPR, but also, for example, because of the coronavirus crisis. This saw the rapid rise of digital and online education and things like proctoring (the online monitoring of exams, ed.).”

But the sector is also spooked by what is involved in privacy. “Institutions have sometimes even become too cautious.” Because of this caution, organisations sometimes make it more complicated than necessary for their employees, Sharinne believes. She therefore advises educational organisations to always keep their rights, duties and position clearly in mind, with or without specialist legal assistance. Nicole and Sharinne boil this down into the following four pieces of advice:

1. Seeking consent is far from always necessary

“Educational institutions generally like to seek consent to collect, store and share personal data. This is understandable as they work on the basis of mutual trust with pupils, students, parents and other stakeholders. But don’t lose sight of the fact that consent is the last resort. Because if it is not given or is withdrawn again, there is nothing left to fall back on.”

Therefore, at the outset, take a good look at why you, as an educational institution, need this data. Do you have to collect it? Also check whether the law requires you to collect the data. Because, if so, you don’t need to seek consent. So try and move away from the basic attitude that consent is always required. But always explain clearly what you are doing and why.

2. Tricky situation? Know what your rights – and duties – are

“Parties can sometimes be fairly coercive in the way they demand that educational institutions should share or not share information. Take parents who are in a contested divorce. In such a situation, it’s important to be even-handed when providing information and to carefully check the legal position of those involved. Because if both parents have custody, they should be kept equally informed of their child’s progress in school.”

Even an authority like the police can adopt a coercive tone when requesting personal data. When doing so, they have to submit a specific and legally valid request. As an educational institution, it can be difficult to stay in control here, as you don’t deal with this kind of thing on a daily basis. But you are usually in a stronger position than you think. If possible, try to keep calm during the process and take time to find out what your rights and duties are.

3. Don’t take on too many responsibilities

“Educational institutions often collaborate with chain partners. When doing so, they are quick to take upon themselves the responsibility for processing personal data. We regularly see them entering into a processing agreement with the partner, when in fact it’s a cooperation agreement that should be made. In the latter, partners have much more of a joint responsibility to ensure privacy.” So even in collaborations, stay focused on your own role and position and the rights and duties they entail.

4. Continuous process

Educational institutions have gone through “a huge car wash” since the introduction of the GDPR, as Sharinne puts it. “The flood of new rules and processes, information and discussions about privacy was enormous. And it still is.” Privacy and data protection, she says, are an ongoing process that you need to monitor continuously.

“Especially with developments like online exams and proctoring, hybrid learning and immersive technologies based on virtual reality. And don’t forget the use of tools like Zoom and products from Microsoft, which have recently come under fire. It’s essential to be alert and to stay alert, as privacy continues to be a hot topic in education as well.”
