Close-up on data collected by schools
Schools collect personal data that may be sensitive. The main challenge is ensuring only essential data is collected and determining the purposes and retention times.
Data collected by the educational system concerns minors, so prior consent of the legal guardians must be obtained. The data is also considered sensitive data.
For statistical purposes, schools may request information on the profession and socioeconomic category of the legal guardians. However, there is nothing legitimate about collecting the marital status of a legal guardian, for example, or their social security number.
Sensitive data may also be collected. This data must be carefully managed. Proof that a child has had mandatory vaccines must register in a school. Furthermore, additional information may be collected in certain cases, for instance, if the child has disabilities, a special diet for health reasons or special needs. This data must be processed as sensitive data, which means special processing.
In a subsequent phase, colleges and universities transmit data for university exchange programs or campus activities such as social or athletic activities. The data exchanged between schools as part of university exchange programs is subject to cross-border flow regulations if sent outside the EU and to the GDPR if exchanged within the EU.
For institutions of higher learning to operate correctly, they must also collect and process data from all their personnel: faculty, subcontractors, special speakers, etc.
The purposes of the processing must therefore be established, and retention times must be determined.
Fact: In 2021, Bocconi University was fined €200,000 for failing to provide a suitable legal basis, lack of loyalty and transparency, and failing to conduct impact assessments.
