Vast amounts of personal, behavioural and academic data about children are being collected, processed and used by schools, local authorities, and the government every year.
But a recent review by the Information Commissioner’s Office (ICO) in the UK of 50 websites and apps used by children found that only a third had “effective controls in place to limit the collection of personal information from children”.
There is a real risk to children that their activities online may be monitored and their personal and behavioural traits the subject of profiling by third parties. Children and their parents may have little or no knowledge of these activities or the fact that a wide range of their personal information is being stored in databases for an indefinite period.
Breaches of data protection rules and unauthorised processing and sharing of sensitive personal information expose children to privacy harms which may go unnoticed.
Schools need to up their game. On December 17, the European Union agreed on the final text of the European General Data Protection Regulation (GDPR), which includes rules under which all organisations will be expected to take into account the rights of children to have their personal data protected. The regulation has to be formally approved by EU institutions in 2016 and will come into force in a little over two years' time.
Information and communication technology is now pervasive in primary, secondary and special schools. Many now integrate tablets and smartphones into lessons and have taken full advantage of the booming market for educational software packages, mobile apps, cloud computing services, intranets and games platforms. New biometric technology, such as security scanners that use fingerprints, is also being tried by some schools.
Yet, it is becoming apparent that parents and schools need to be more proactive to ensure that children’s data protection rights are not overlooked. For example, it is often assumed that schools need only obtain consent of the child or parent on a yearly basis to process their personal information. This cannot be right, since a wide range of personal information covering a child’s activities will be regularly collected, used and shared widely. Digital information can also be stored indefinitely.
New information relating to a child’s weekly performances or activities may form the basis of observations and inferences made by the teachers or other third parties. Schools should reconsider whether the processing of such information is covered by getting prior consent or whether it is sufficiently different to require additional consent from parents.
Information is useful
The collection of the personal information of children has a number of positive aspects. As well as grades and performance indicators, schools collect information including age, gender, language, ethnicity and health. Information relating to a child’s health and their family’s financial circumstances can help schools provide appropriate support and services, such as the pupil premium for disadvantaged children.
Much of this data is necessary for a school to undertake its administrative duties and deliver appropriate education services. For example, processing information relating to attendance, discipline, or performances in class and tests can help inform the delivery of lessons and study support.
Local authorities and the government may also collect personal data from children to ensure that educational benchmarks are met, and also use information collected from schools to identify educational priorities and needs.
What the law says
Data protection law recognises scope for legitimate and fair processing of children’s personal data. Schools are regarded as “data controllers” – in other words, they must comply with data protection laws for personal information held by them as well as processing that is undertaken on their behalf by third parties.
Section 2 of the Data Protection Act 1998 on “sensitive personal data” imposes an obligation on schools to take particular care when dealing with information relating to a child’s “physical or mental health, their racial or ethnic origin, sexual life or commission or alleged commission of any offence, and related proceedings”.
The key point here is that while it is important that schools should have access to children’s relevant personal data, it is imperative that access, collection and processing of their information is not seen as opening the way to use of their data for purposes of which they have no knowledge.
Schools must ensure that children’s personal data is processed in accordance with all the ICO’s data protection principles and best practice guidelines. These include requirements that personal data be fairly and lawfully processed, kept secure, processed for a limited purpose and not kept longer than necessary.
Schools need to produce privacy policies which are accessible to children and their parents. The time is ripe for all schools to demonstrate that children and parents are provided with privacy policies that are comprehensible and not written by lawyers for lawyers. Schools must demonstrate that good information governance is an ongoing priority. Children and their parents must know precisely how their personal information is being used, for what purposes and by whom.