Teachers and students’ data protection and privacy in the upcoming EU General Data Protection Regulation


The EU General Data Protection Regulation (GDPR) was approved on April 2016 and will enter into force in late-May 2018, after the transposition period into the national laws.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy. This will have an impact on students’ and teachers’ data protection as mentioned in the ETUCE EU Digital Education Action Plan 2020 statement.

In particular, the new GDPR will entail a number of legal issues:

  • The GDPR will ensure data is protected and will give individuals more control over their data, however this means schools will have more accountability for the data, including unnecessary costs;
  • Consent must be explicitly given to anything that is not within the normal management of the school, especially if it involves a third party managing the data. Parents (or the pupil themselves depending on their age and the case) must express consent for their child’s data to be used outside of the normal management of the school.
  • Schools should appoint a Data Protection Officer (DPO) and be able to prove that they are GDPR compliant.
  • Schools must ensure that their third party suppliers who may process any of their data is GDPR compliant and must have legally binding contracts with any company that processes any personal data.
  • Teachers have the so-called “right to ask for their data to be forgotten”.

While the aim of the new GDPR is to effectively protect teachers and students’ information, it should not lead to additional workload for teachers in applying and implementing compliant data protection policies. Employers in education and school leaders are responsible for ensuring that education institutions comply with the GDPR and are  covered by the necessary public funding, in particular, in terms of purchase, adaptation and implementation of software for information transferability Compliance with the GDPR will require above all public funding and guidance support from governments and authorities. Indeed, while the new GDPR regulations will mean more accountability, this should not lead to tougher penalties and cumbersome requirements to prove evidence.

To minimise the risks associated to data protection handling and management, ETUCE considers essential to ensure school leaders and teachers understand GDPR and its potential impact, to help schools document and review all of the personal data they hold, including data for pupils, staff, teachers and educational staff in an organised and stored way for potential audit by the relevant authorities; and to pay special attention to sensitive and confidential data and ensure everyone understands how it is collected, where it came from, what it is used for and what risks are posed by its use.

In addition, teaching innovative and complex digital skills should respect national data protection standards. In this context, ETUCE alerts that the handling of data protection can imply certain risks associated to cyber-security.

What teachers could do in their schools?

Protect data safely when communicating with other people; to ensure it is password protected and adequately encrypted when using your own technology (phones, laptops, PCs etc.); to ensure laptops and PCs have adequate encryption, antivirus, malware and other protections. Digital experts in education also advise teachers not rely on using USB sticks for teaching or documents’ storage purposes.

ETUCE European Director Susan Flocken said: “Online security in schools is fundamental. The new DGPR can help implement better security measures to protect teachers and students from cybercrime. Schools should regard the introduction of the GDPR regulation as a way of further enhancing the way they deal with personal data. New GDPR rules should respect existing and successful data protection systems and only complement them for a more effective protection when required. Indeed the adaption to the GDPR entails an administrative and technical burden; teachers and their unions should be involved in the implementation of the GDPR in their country and region, in particular, to ensure it does not put additional demands on teachers or shift the responsibility to them”.