Close-up on data collected by schools
Schools collect personal data that may be sensitive data The main challenge is to make sure only essential data is collected, and to determine the purposes and retention times.
Data collected by the educational system concerns minors, so prior consent of the legal guardians must be obtained. The data is also considered sensitive data.
For statistical purposes, schools may request information on the profession and socioeconomic category of the legal guardians. However, there is nothing legitimate about collecting the marital status of a legal guardian, for example, or their social security number.
Sensitive data may also be collected: obviously, this data must be carefully managed. Proof that a child has had their mandatory vaccines is required to register in a school. Furthermore, additional information may be collected in certain cases, for instance if the child has disabilities, a special diet for health reasons, or special needs. This data must be processed as sensitive data, which means special processing.
In a subsequent phase, colleges and universities transmit data for university exchange programs or for campus activities such as social or athletic activities. The data exchanged between schools as part of university exchange programs is subject to cross-border flow regulations if sent outside the EU, and to the GDPR if exchanged within the EU.
For institutions of higher learning to operate properly, they must also collect and process data from all their personnel: faculty, subcontractors, special speakers, etc.
The purposes of the processing must therefore be clearly established, and retention times must be determined.
Fact: In 2021, Bocconi University was fined €200,000 for failing to provide a suitable legal basis, lack of loyalty and transparency, and failing to conduct impact assessments.