
National education: what you need to know to ensure your school is GDPR and ePrivacy compliant

Published on

National education: ensuring GDPR and EPrivacy compliance for your school website

At a time when digital tools are proliferating in the education system, schools handle ever more personal data. As a result, GDPR and ePrivacy compliance is of paramount importance for them.

But what are the practical implications for the day-to-day lives of pupils and teachers in the French education system? How can we ensure effective protection of personal data as a school? That’s what we explore in this article.

What do the GDPR and ePrivacy Directive mean for schools?

A reminder of how the GDPR and ePrivacy Directive apply to schools

Whether they are primary schools, collèges, lycées or universities, schools are increasingly processing personal data from pupils, parents, teachers and administrative staff.

“Personal data” includes any information that directly or indirectly identifies a natural person. For example: name, address, telephone number, school results, photos, etc. Schools also handle what are known as “special categories of data”, such as health data or data linked to a person’s ethnic origin.

This personal data is very often collected and/or generated through:

  • contact forms;
  • online school enrolment;
  • digital work environments (ENT);
  • distance learning courses;
  • online exams, etc.

Schools are therefore subject to the GDPR and the ePrivacy Directive, which aim to ensure that personal data is processed lawfully, transparently and securely.

The importance of GDPR and ePrivacy compliance for schools

The growing scale of personal data processing carried out by schools, combined with the rise in cyber attacks against public institutions, makes GDPR and ePrivacy compliance a crucial issue.

As independent public bodies, schools are responsible for their own GDPR compliance, often with budgetary constraints and a feeling of being on their own.

To simplify the GDPR and ePrivacy compliance process for your websites, Admeet offers customised and affordable solutions that generate all the mandatory GDPR documents for your websites, designed using Legal Design principles.

Potential penalties for non-compliance

The challenges of GDPR and ePrivacy compliance are not to be taken lightly, as the consequences of non-compliance can be severe:

  • Data protection authorities (such as the CNIL in France) can impose heavy fines, which weigh on the already limited budgets of schools. For example, the CNIL fined a university €10,000 for failing to comply with the principle of purpose limitation;
  • Non-compliance can have a considerable impact on the people concerned, particularly pupils and their families. In the event of a data breach, their privacy may be compromised, with potentially serious personal and emotional consequences: harassment, depression, identity theft, etc.

Pupils and their parents therefore expect their personal data to be adequately protected by schools.
But how can you ensure effective protection of personal data in your school?

The guide to effective protection of personal data in schools

The GDPR responsibility of schools

Under the GDPR, the notion of responsibility is very important. In the educational context, schools are considered to be the data controllers of the personal data of their pupils, teachers and administrative staff.
As data controllers, schools have a duty to comply with the GDPR and ePrivacy. They must put in place practices that respect the privacy of data subjects and document them in their register of processing activities.

Appointing a Data Protection Officer

The DPO (or data protection officer) is a key player in GDPR compliance: he or she ensures compliance with the applicable rules, advises the organisation on data protection issues and acts as a point of contact for the supervisory authorities and data subjects.
Under Article 37 of the GDPR, public authorities and bodies are obliged to appoint a DPO. Consequently, schools are required to appoint one. However, a single DPO may be shared by several schools, for example at the level of the académie (the regional education authority in France).

Informing students and respecting their rights regarding personal data

Transparency is one of the fundamental pillars of personal data protection within schools.

To achieve this, it is essential to put in place clear and understandable policies and information notices. This means explaining why you collect data, what data is collected, for what purpose, and what rights data subjects have over their data.

In particular, data subjects have rights of access, rectification, erasure, restriction of processing, data portability and objection. When a request is received, you must be prepared to respond within one month (extendable in complex cases, provided the data subject is informed of the delay).

Obtaining the consent of data subjects

In principle, the processing carried out by schools falls within the scope of their public interest mission. However, if certain processing operations do not fall within this scope, you must obtain the consent of the data subject (given jointly with the holders of parental authority if the data subject is under 15, the age of digital consent in France).

For example:

  • if you are collecting a person’s image;
  • if you wish to use the data to send out newsletters as part of certain research projects carried out by the school;
  • if you place non-essential cookies requiring consent on your website.

When collecting consent, make sure that people understand why their data is being collected and how it will be used.

As a reminder, to obtain valid consent, it must be:

  • Free: the student, parents or teachers must have a real choice as to whether or not to give their consent, without any impact on the service provided;
  • Specific: consent can only be given for a single, well-defined purpose. You should therefore ensure that you obtain separate consent for each data processing operation concerned;
  • Informed: students, parents and teachers must clearly know what they are consenting to and how the data will be processed. Make sure that your disclosures and your privacy and cookies policy include the mandatory information;
  • Unambiguous: consent must be a clear positive act on the part of the student, parents or teachers, such as a tick box (not checked by default), a signature, etc. To ensure that consent is unambiguous, make sure you do not use any dark patterns.

GDPR and ePrivacy compliance of the tools used

In the course of your day-to-day activities, you will almost certainly use a number of tools and software: registration, videoconferencing, online exams, etc. These tools access a great deal of personal data on both pupils and teachers: marks obtained, absences, timetables, lateness, contact details, parents’ details, etc.
As a data controller, look at the digital tools you use, check how they manage personal data, what security measures are in place and make sure they are GDPR and ePrivacy compliant.
To check the compliance of the tools you use, consider checking in particular that:

  • The privacy policies and conditions of use are clear and accessible;
  • Data is processed and stored securely;
  • Data subjects can exercise their rights effectively;
  • Data is not transferred outside the EU without appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, etc.).

Furthermore, if the companies offering these tools act as processors within the meaning of the GDPR, the school must ensure that it has a data processing agreement meeting the requirements of Article 28 GDPR in place with each of them.

Implementing compliant security measures and contracts

To ensure that the privacy of data subjects is protected, it is imperative that schools implement security measures tailored to their processing:

  • Physical, to prevent access to premises and equipment by unauthorised persons;
  • Organisational and cyber-security, to protect data against breaches (access control, patching, backups, staff awareness);
  • Contractual, to govern relations with your processors and any data transfers outside the EU.

GDPR and ePrivacy compliance of the school’s website

Much more than just a shop window, school websites and online portals (often used by schools for parents to access their children’s files, teachers to access their timetables, etc.) are an essential interface between the school, pupils and parents. While GDPR compliance for your websites is a legal obligation, it is also a guarantee of trust for the people concerned.

To ensure GDPR and ePrivacy compliance for the website of your school and the online portals you use to run your school, there are several key elements to consider:

  • Generate a detailed, clear and easily understandable privacy policy: this policy must clearly explain what personal data is collected, for what purpose, how it is processed, who has access to it and how users can exercise their rights ;
  • Generate a cookie policy that explains how cookies are used on your site (types of cookies, purposes of each cookie, management of preferences by the user, consequences of accepting or refusing cookies);
  • A cookie banner to inform visitors to your website about the use of cookies and to obtain their consent before any non-essential cookie is placed on their terminal. This banner must be clear and concise, must not pre-tick any choice, must include a link to the cookie policy for more information, and visitors must be able to withdraw or change their choice at any time as easily as they gave it;
  • A CMP (consent management platform) to manage cookie preferences: the CMP makes it possible to manage and store proof of cookie consents by category.
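The consent conditions listed earlier (freely given, specific per purpose, informed, unambiguous with no pre-ticked boxes) and the banner/CMP elements above come together in the script that decides which tags may run. The following is an added example written for this page, not code from Admeet or from any CMP product; the category names, the six-month re-ask interval and the sample tag registry are assumptions chosen for illustration. It shows the points a reviewer checks: nothing non-essential loads before a choice is made, each category is consented to separately and defaults to refused, the stored record carries the policy version and timestamp that serve as proof of consent, and withdrawal is a single call that is no harder than giving consent.

```javascript
// Added example: consent gating for non-essential cookies. Not Admeet's code;
// the categories, MAX_AGE_MS and the tag registry below are assumptions.

const NECESSARY = "necessary";                           // exempt from consent (ePrivacy Art. 5(3))
const CATEGORIES = ["analytics", "marketing", "social"]; // assumed optional categories
const MAX_AGE_MS = 6 * 30 * 24 * 3600 * 1000;            // assumed: ask again after about six months

// Build a consent record from the banner's choices. Nothing is pre-ticked:
// a category absent from `choices` (or anything other than boolean true) is
// treated as refused, so closing the banner grants no optional category.
function createConsentRecord(choices = {}, policyVersion, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return {
    version: policyVersion, // which cookie policy the visitor saw
    timestamp: now,         // when the choice was made (proof of consent)
    granted,                // per category, so each purpose is consented to separately
  };
}

// Withdrawal must be as easy as giving consent (Art. 7(3) GDPR): one call,
// one category, and the record keeps its history via a new timestamp.
function withdrawConsent(record, category, now = Date.now()) {
  if (!(category in record.granted)) throw new Error(`unknown category: ${category}`);
  return { ...record, timestamp: now, granted: { ...record.granted, [category]: false } };
}

// Is a category allowed right now? Necessary cookies always are; optional
// ones need a record for the current policy version that has not expired.
function isAllowed(record, category, policyVersion, now = Date.now()) {
  if (category === NECESSARY) return true;
  if (!record) return false;                             // no choice made yet: default deny
  if (record.version !== policyVersion) return false;    // policy changed: ask again
  if (now - record.timestamp > MAX_AGE_MS) return false; // consent expired: ask again
  return record.granted[category] === true;
}

// Gate tag loading on consent. `tags` is a registry of {name, category, load};
// only tags whose category is allowed have their loader called. Returns the
// names of the tags that fired so the caller can verify what ran.
function loadTags(tags, record, policyVersion, now = Date.now()) {
  const loaded = [];
  for (const tag of tags) {
    if (isAllowed(record, tag.category, policyVersion, now)) {
      tag.load();
      loaded.push(tag.name);
    }
  }
  return loaded;
}

// Constructed sample registry standing in for real scripts; `log` records
// which loaders actually executed.
function sampleTags(log) {
  return [
    { name: "session-cookie", category: NECESSARY, load: () => log.push("session") },
    { name: "site-analytics", category: "analytics", load: () => log.push("analytics") },
    { name: "ad-pixel", category: "marketing", load: () => log.push("ads") },
  ];
}

// Walk through a visitor's lifecycle and return what loaded at each step.
function demo() {
  const POLICY = "2024-09";
  const log = [];
  const tags = sampleTags(log);
  const t0 = Date.UTC(2024, 8, 1);
  // Before any choice: only the necessary tag may load.
  const before = loadTags(tags, null, POLICY, t0);
  // Visitor ticks analytics only; marketing stays unchecked by default.
  const rec = createConsentRecord({ analytics: true }, POLICY, t0);
  const after = loadTags(tags, rec, POLICY, t0);
  // Visitor withdraws analytics later; a new policy version forces a re-ask.
  const revoked = withdrawConsent(rec, "analytics", t0 + 1000);
  const afterWithdraw = loadTags(tags, revoked, POLICY, t0 + 1000);
  const afterPolicyChange = loadTags(tags, rec, "2025-01", t0 + 1000);
  return { before, after, afterWithdraw, afterPolicyChange, log };
}
```

In a real deployment the record returned by createConsentRecord is what the CMP persists (in a first-party cookie or local storage, plus server-side if you need auditable proof), and loadTags is what the tag manager calls on every page view, so a visitor who never interacts with the banner only ever gets the necessary category.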

With the Admeet GDPR tool for schools, you can simplify your website’s compliance: the data processing purposes specific to the education sector are pre-configured for you.

The key role of the administration in protecting the personal data of pupils and teachers

School administrations play a key role in meeting the challenges of personal data protection. You are responsible for putting in place the policies, procedures and practices that guarantee the GDPR compliance of your data processing and for maintaining the register of processing activities, but also for the ongoing GDPR training of the teachers who handle pupils’ personal data on a daily basis.

Tools made available by the authorities to help schools comply with the GDPR

To help schools comply with the GDPR and ePrivacy, the authorities have taken a number of targeted measures:

  • In France, the CNIL provides guidelines specific to the education sector as well as practical sheets on protecting children’s data. In addition, GDPR training courses are regularly organised to help schools better understand their GDPR obligations;
  • In Belgium, the Data Protection Authority (DPA) has also produced a guide to data protection in schools, as well as model documents specifically adapted to educational environments.

The Admeet solution for GDPR and ePrivacy compliance of your school website

While GDPR compliance for websites is a legal obligation, it is also a guarantee of confidence for pupils and their parents, as well as for your teachers.

To support you, Admeet offers customised solutions for GDPR compliance for schools, enabling you to generate an adapted privacy and cookie policy and manage cookie consent with ease.

All Admeet GDPR documents are designed using Legal Design principles to make them easy to read and accessible to all visitors to your website.

And if you manage several websites, you can access a single dashboard to manage them all in just a few clicks from a single location!