Data protection and privacy have been a hot topic at our school for the last two years. Being an international school in the heart of Germany, the European Union’s General Data Protection Regulation (GDPR) has been a significant cause of stress for tech coordinators, administrators, and teachers alike. Here is a good article from last year in TES that outlines a bit about how GDPR impacts schools, and for the really bold, here are the official documents from the EU. I found it interesting reading through the US Department of Education’s Student Privacy site and comparing some of the main points of FERPA with GDPR. To be fair, this is like comparing apples to oranges, but it does raise some major differences in how the two jurisdictions handle privacy issues. Here are a few of the things that stood out:
Scope: FERPA is an education-specific act designed to protect student data in educational institutions. Its rules are written specifically for schools, so they take into account the fact that educational institutions are unique places. GDPR is a general regulation that applies to all businesses, organizations and institutions across the European Union, whatever their sector. This means that in some cases the regulation can be difficult to follow or put into practice in a school environment.
Individual’s Rights: Under FERPA, schools must declare what they will make available as “directory information”, and it is the responsibility of the parent or student to opt out if they do not wish that information to be shared. Under GDPR there is no opt-out model: every processing activity needs a lawful basis, and where that basis is consent, the individual (or, for younger children, the parent) must actively opt in; silence or a pre-ticked box does not count.
Online Educational Services: “The general rule under FERPA is that a school or district cannot disclose [personally identifiable information] from education records to a provider unless the school or district has first obtained written consent from the parents,” however there are two exceptions to this. The first is the “directory information” exemption mentioned above, and if that does not meet the needs, the “school official exemption” allows the release of the information if certain criteria are met, such as identifying a “legitimate educational interest” and maintaining “direct control” by prohibiting the provider from sharing any of the PII. Under GDPR there are no equivalent exemptions: each online educational service needs its own lawful basis for the data it receives, and the provider must be bound as a processor acting only on the school’s instructions. At our school that means parents give written consent for each service, although GDPR itself does not require consent to be on paper, only that it be specific, informed and unambiguous.
So how does that impact our school and what we do?
GDPR focuses heavily on documentation and compliance. We have to justify every piece of data that we collect from our students, and have permission for every piece of data that we share outside the school. We have two data protection officers who ensure that our staff are familiar with the rules and guidelines, provide guidance for our administration, and are responsible for reporting any cases where we have not complied with the regulation. (A breach can result in a fine, and the fine gets worse if you don’t report the problem to the supervisory authority within the 72-hour deadline!) They have also worked with our technology team to create our list of GDPR-compliant web applications that are approved for use in classes.
The list currently has fifty-one different apps that our school uses, ranging from ManageBac to Kahoot. Any app that requires a student log-in or student information must be approved by the DPO and placed on this list before it can be used in a classroom. Each year parents must sign a permission form so that their children can use the apps. One of the biggest difficulties has been when teachers want to add new apps to the list in the middle of the year. This requires a new permission form to be sent to the parents of all students who might use the app, and all of those parents must return the form before the app can be used. This is a time-consuming process and we avoid it whenever possible.
While mostly a huge pain, the bureaucracy of GDPR compliance has come with a silver lining of making data privacy something that is being talked about, thought about, and acted on by all members of our staff. It is also making its way into classroom discussion as we have conversations with students about what information they are able to share online. It is always difficult to tell a student that they are not able to use a particular app that they want at school to extend their learning because we don’t have the correct permissions, but it is an opportunity to talk to them about why we need to be more protective of the information that we share in a society where user data has become a powerful commodity.
We are now almost a year into our efforts to be GDPR compliant, and it is still an ongoing process. There always seem to be more questions than answers, and with each new tool or technology another question is raised. What regulations do you have in your region? How has your school been managing?