Schools and data protection: the challenges of the new Personal Data Act

Articles | 4 March 2026
The return to school implies the processing of large volumes of personal data of students and their families, which poses new challenges for educational establishments in view of the recent amendments to the Personal Data Protection Act.

This week thousands of students returned to school, and with them came the reactivation of multiple media, both physical and digital, that store and process personal data, such as student portfolios, class and attendance books, academic platforms and intranets, payment systems, institutional emails, and canteen and food systems.


In addition, there are security cameras, the use of shared spreadsheets via iCloud services, virtual class recordings, and the many documents that constantly contain information on students, alumni, parents, teachers, staff, or other categories of data subjects. Given the nature of the activities that take place within schools, it is quite common for high volumes of data to be handled, some of which can be highly sensitive, such as data related to health conditions, socio-economic status, religious beliefs or even sexual orientation.


Thus, the return of students to school not only marks the beginning of a new educational cycle, but also implies a massive and multiple processing of personal data, which in many cases are of a sensitive nature and refer to minors. In this context, it is necessary to implement technical and organisational measures appropriate to the nature, purpose and risks associated with the processing carried out, as well as to establish reinforced controls, traceability mechanisms and effective safeguards to ensure regulatory compliance.


In view of the issues mentioned above, the following are the main challenges that we believe schools will face as a result of the amendments made by Law No. 21.719 to Law No. 19.628 (the "Law"):

  • Avoid excessive collection of personal data: It is very common for schools to request more data than is strictly necessary to provide educational services, thus violating the principles of purpose and proportionality determined in article 3 of the Law. Examples of the above are those cases in which medical certificates are required to justify absences or documents relating to the employment information of parents.
  • Retention and deletion of personal data: In line with the above, the Law does not establish specific retention periods, so it is necessary for schools to have a guideline regarding data retention times that is aligned with the principles of purpose and proportionality. In addition, they should distinguish between information that needs to be retained in order to comply with an obligation and information that needs to be stored using security techniques and measures. Where there is no legitimate basis for retention, secure disposal procedures should be implemented.
  • Having a sufficient legitimate basis for data processing: In accordance with the modifications determined by the Law, it is necessary for schools to have a legitimate basis for processing the data of the different data subjects, with special consideration for sensitive data of children under 16 years of age, as the Law considers that they can only be processed with the consent of both parents or legal representatives or by the person in charge of the personal care of the child, unless expressly authorised or mandated by a regulation.
  • Protection of personal information: As mentioned in Article 16 quater, the Law determines that educational institutions that process or manage personal data of children and adolescents ("NNA") must ensure the lawful use and protection of personal information concerning them. As such, and in their capacity as data controllers, they need to implement technical and organisational measures that are aligned with both children's data and other data collected.
  • Contracting with external providers and platforms: Finally, schools, acting as data controllers, will have an important challenge with regard to contracting with third parties. Firstly, it will be necessary to enter into an engagement contract in accordance with Article 15 bis, which clearly sets out the services to be provided by the processor. In this way, the schools must ensure that they comply with their duties of responsibility towards the data subjects, even when the processing is carried out by third parties. Secondly, they should carry out an analysis and evaluation of the internal policies of the different platforms that use personal data under their responsibility, in order to avoid both legal and reputational risks. This review will also make it possible to supervise the functioning of the third parties' systems and to learn more about their protocols in the event of possible information leaks or security breaches.

In the year in which the Law will come into force and in a context in which privacy is becoming increasingly relevant, schools must be the driving force that will enable the creation of a true culture of data protection from now on. To this end, it is necessary for those responsible to comply with the regulatory framework. Protecting student data is not only a legal obligation. It is an essential part of the duty of care that every educational community assumes.


Ultimately, the challenge for schools this year is not only to comply "on paper", but also to integrate data protection into their daily management and activities, thereby creating a culture that will endure over time. The volume of personal data that schools store, especially of a sensitive nature, motivates them to have governance with clear rules, effective controls and constant supervision. In this way, compliance is not only about avoiding sanctions, but also about strengthening the trust of stakeholders and assuming, with consistency, the duty of responsibility that this area implies.
