GDPR in Schools — Student Data, the E-Register and Monitoring in Education
Educational institutions process enormous amounts of personal data — and particularly sensitive data, because it concerns children. Names, grades, attendance, health information and diagnoses, images, e-register login data — all of it requires GDPR-compliant protection. At the same time, the GDPR grants children special protection, and the Polish supervisory authority (UODO) consistently scrutinises abuses in the education sector.
Schools operate in a distinctive legal environment: most processing follows directly from education law, some requires consent, and certain practices — such as biometrics or ill-considered monitoring — may be outright impermissible. As the data controller, the head teacher is responsible for ensuring that every process has a proper legal basis and appropriate safeguards.
This article covers what data a school processes, on which legal bases, how to keep an e-register correctly, how to use monitoring and publish students’ images, and which mistakes to avoid.
What Data a School Processes
An educational institution processes diverse categories of data:
Identification data of students and parents — name, national identification number, address, contact details of parents/legal guardians.
Data on the course of education — grades, attendance, remarks, exam results, certificates.
Health and needs data — diagnoses and opinions from psychological-pedagogical counselling centres, information on disabilities, allergies, chronic conditions. This is special-category data (Article 9 GDPR) requiring enhanced protection.
Images — photos from events, the school website, the school’s social media.
E-register data — account credentials (logins and password hashes), activity logs of parents, students and teachers.
Staff data — teachers and other employees (a separate area, based among other things on labour law).
Each of these categories requires a separate analysis of purpose, legal basis and retention period.
Legal Bases for Processing in Education
The education sector follows a different logic from business. A public school, as a body performing public tasks, bases most of its processing on legislation rather than consent.
Legal obligation (Article 6(1)(c) GDPR) — processing arising from education legislation and implementing provisions (including those on the documentation of the course of education). This is the primary basis for student data.
Task carried out in the public interest (Article 6(1)(e) GDPR) — processing in the performance of the school’s educational tasks.
Consent (Article 6(1)(a) GDPR) — only outside the scope of statutory duties: publishing images, participation in extracurricular activities, group insurance, competitions.
Special-category data (Article 9 GDPR) — students’ health data is processed on the basis of a separate condition under Article 9(2) (most often in connection with obligations under law or substantial public interest), never “incidentally”.
Importantly, a public school as a body performing public tasks generally cannot base its processing on legitimate interest (point (f) of Article 6(1) is excluded for it in the performance of its tasks). This is a fundamental difference from private entities.
Special Protection of Children’s Data
The GDPR expressly emphasises that children merit special protection, as they may be less aware of the risks and of their rights (Recital 38). In practice this means, among other things, that privacy notices addressed to students should be written in plain, comprehensible language, and that every risk assessment and proportionality test must take the child’s status into account.
For information society services offered directly to a child, consent may be given by a child who is at least 16 years old (the threshold adopted in Polish law); for younger children, consent is given or authorised by a parent or legal guardian (Article 8 GDPR). In everyday school practice, where the basis is most often a legal provision, consent concerns primarily images and extracurricular activities.
The E-Register and Documentation of the Course of Education
The electronic register is now standard. From a GDPR perspective, three issues are key.
Legal basis. Keeping documentation of the course of education (including the register) follows from education law — the basis is a legal obligation, not consent. A parent does not “consent” to the e-register to the extent required by law.
The e-register provider as a processor. The company supplying the e-register system processes student data on the school’s behalf and is therefore a processor — a data processing agreement compliant with Article 28 GDPR is required. Check that the agreement covers all required elements, including sub-processing and data location.
Security. The system must ensure access control (separate accounts for parents, students and teachers, each linked only to the students it is entitled to see), secure authentication (strong passwords; multi-factor authentication for teacher and administrator accounts), transmission encryption (TLS) and storage of passwords only as salted hashes produced by a deliberately slow function, never in plaintext or reversible form. The scope of data visible to each role should be limited to the necessary minimum: a student sees their own grades and attendance, a parent sees their own child’s record, and health data is shown only to the roles that actually need it. Audit logs should record who viewed which record and when.
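The following is an added example written for this article, not code from any e-register product or from the author: a minimal model of the rules above. It stores passwords as salted PBKDF2-HMAC-SHA256 hashes, verifies them in constant time, hashes a dummy value for unknown logins so that response timing does not reveal valid usernames, and filters each student record down to the fields the caller’s role may see. The account names, student records and the role-to-field mapping are constructed assumptions for illustration; a real system derives the permitted scope from education law and its own role model.

```python
"""Added example: role-scoped access to a hypothetical e-register with hashed passwords."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # deliberately slow work factor for PBKDF2-HMAC-SHA256

# Assumed role model: which fields of a student record each role may see.
# Only the parent/guardian role gets the child's health data.
ROLE_FIELDS = {
    "teacher": {"name", "grades", "attendance", "remarks"},
    "parent": {"name", "grades", "attendance", "remarks", "health"},
    "student": {"name", "grades", "attendance"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'algo$iterations$salt$digest' string; the plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample data (hypothetical students and accounts, not real people).
STUDENTS = {
    "s-001": {
        "name": "Anna K.",
        "grades": {"maths": [5, 4], "polish": [4]},
        "attendance": 0.96,
        "remarks": ["late on 2024-03-01"],
        "health": "counselling-centre opinion on file (special-category data)",
    },
    "s-002": {
        "name": "Jan W.",
        "grades": {"maths": [3, 3]},
        "attendance": 0.88,
        "remarks": [],
        "health": "allergy: peanuts",
    },
}

# Each account is linked only to the student ids it is entitled to see.
ACCOUNTS = {
    "teacher.nowak": {"role": "teacher", "pw": hash_password("teacher-pass"), "students": {"s-001", "s-002"}},
    "parent.k": {"role": "parent", "pw": hash_password("parent-pass"), "students": {"s-001"}},
    "anna.k": {"role": "student", "pw": hash_password("student-pass"), "students": {"s-001"}},
}

# Hashed on every failed lookup so that unknown and known usernames take the same time.
DUMMY_HASH = hash_password("dummy-password")


def authenticate(username: str, password: str) -> Optional[dict]:
    """Return the account on success, None otherwise, without leaking whether the username exists."""
    account = ACCOUNTS.get(username)
    stored = account["pw"] if account is not None else DUMMY_HASH
    ok = verify_password(password, stored)
    return account if (account is not None and ok) else None


def view_student(username: str, password: str, student_id: str) -> dict:
    """Authenticate, check the account-to-student link, then return only the role's permitted fields."""
    account = authenticate(username, password)
    # One generic error for every failure mode: it reveals neither which step failed
    # nor whether the requested student id exists.
    if account is None or student_id not in account["students"] or student_id not in STUDENTS:
        raise PermissionError("access denied")
    allowed = ROLE_FIELDS[account["role"]]
    return {field: value for field, value in STUDENTS[student_id].items() if field in allowed}


if __name__ == "__main__":
    print(view_student("parent.k", "parent-pass", "s-001"))   # includes "health"
    print(view_student("teacher.nowak", "teacher-pass", "s-001"))  # no "health"
    print(view_student("anna.k", "student-pass", "s-001"))    # no "health", no "remarks"
```

The same generic `PermissionError` is raised for a wrong password, an unknown login and a request for a student the account is not linked to, so an attacker cannot enumerate logins or student identifiers from the error path.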
Students’ Images — Photos, the Website and Social Media
Publishing students’ images (on the school website, social media, newsletters) is a frequent source of problems. Here consent is generally required — and doubly so: as a basis for processing personal data (Article 6(1)(a) GDPR) and as consent to disseminate the image (under copyright law). For minor students, consent is given by a parent or legal guardian.
Image consent should be separate, specific (identifying the publication channels), voluntary and revocable at any time. Participation in school life must not be made conditional on consent to publish images. Photos from group events need particular care, especially when published online: a group photo contains the image of every child in it, so a missing or withdrawn consent for even one of them means that photo cannot be published as it stands, and once it is online the school loses control over further copies.
CCTV Monitoring in Schools
Monitoring in educational institutions is governed by Article 108a of the Education Law (added in 2018). The rules are strictly defined:
Purpose. Monitoring may be introduced where it is necessary to ensure the safety of students and staff or to protect property. It must not be used to supervise the quality of teachers’ work.
Excluded rooms. Monitoring does not cover classrooms, rooms where psychological-pedagogical help is provided, the health prophylaxis room, cloakrooms, changing rooms and sanitary facilities — unless this is exceptionally necessary due to a genuine threat and using techniques that prevent the identification of individuals.
No audio. Monitoring covers images only; audio recording is impermissible.
Procedure. Introducing monitoring requires agreement with the governing body and consultation with the teaching council, the parents’ council and the student council. The head teacher informs students and staff no later than 14 days before launch and marks the monitored area visibly.
Retention. Recordings are kept, as a rule, for a maximum of 3 months from the date of recording, after which they must be deleted (unless they constitute evidence in proceedings).
Students’ Biometric Data — Particular Caution
The temptation to use biometrics (for example, a fingerprint for the canteen or attendance records) can be strong — but this is a high-risk area. Biometric data used for unique identification is special-category data (Article 9 GDPR), and in the case of children it demands exceptional care: it is immutable, and the consequences of any leak are irreversible.
In a widely reported case, the President of UODO challenged the collection of students’ fingerprints for the school canteen (decision of 18 February 2020 concerning a school in Gdańsk), finding the processing of children’s biometric data disproportionate to the purpose and questioning the voluntariness of parental consent — all the more so as students without biometric identification were treated worse in the lunch queue. Although that decision was subsequently set aside by the administrative court, the case illustrates the authority’s approach well: for simple purposes (such as verifying payment for a meal), one should choose the least intrusive means — a card, an identifier or identification by name — rather than biometric data.
The Cloud in Education — Google Workspace, Microsoft 365
More and more schools use cloud platforms for remote learning, email and document work. From a GDPR perspective, the school remains the data controller and the service provider is a processor. This entails three obligations: concluding a data processing agreement (Article 28), verifying the transfer of data outside the EEA (many services transfer data to the US — a transfer mechanism is required, e.g. the Data Privacy Framework or standard contractual clauses, together with a check of the provider’s sub-processors and data location) and assessing the risk. Where children’s data is processed on a large scale, a Data Protection Impact Assessment (DPIA, Article 35) is often required, and the administrator settings of the platform (who may create accounts, whether students can share outside the organisation, how long logs and deleted data are retained) should be reviewed before roll-out, not after.
The Educational Information System (SIO)
Schools transmit certain data to the Educational Information System — a central database maintained under a dedicated act. The basis for this processing is a legal obligation; the scope of the data transmitted is set by legislation, and the school may not expand or narrow it at will.
The Data Protection Officer in a School
A public school, as a public authority or body, is obliged to designate a Data Protection Officer (Article 37(1)(a) GDPR). The DPO supports the head teacher in overseeing GDPR compliance, monitors adherence to the rules, conducts training and is the point of contact for students, parents and the supervisory authority.
Rights of Students and Parents
Students and parents have rights under the GDPR — in particular the right of access and rectification. Some rights are, however, limited by education law: one cannot, for example, demand the erasure of grades or documentation that the law requires to be kept and retained. The school should clearly explain which data it processes as a legal obligation and which on the basis of consent (and delete the latter once consent is withdrawn).
Common Mistakes
Basing everything on consent — most student data is processed on the basis of law, not consent.
Publishing images without a proper, separate consent from a parent/guardian.
Monitoring that breaches Article 108a — in classrooms, with audio, without consultation or without notice.
Using biometrics for trivial purposes instead of less intrusive means.
No data processing agreement with the e-register or cloud platform provider.
Overlooking transfers of data outside the EEA with cloud services.
No designated DPO or a merely nominal role.
Checklist — GDPR in an Educational Institution
- Establish the legal basis for each category of data (statute, public task, consent).
- Prepare privacy notices in plain language — separate for students and parents.
- Conclude data processing agreements with the e-register and cloud platform providers.
- Verify transfers of data outside the EEA and their mechanisms.
- Collect proper, separate consents for images — with the ability to withdraw.
- Deploy monitoring in line with Article 108a — purpose, exclusions, consultation, notice, 3-month retention.
- Avoid children’s biometrics; use less intrusive means.
- Protect students’ health data as special-category data.
- Designate a Data Protection Officer and give them a genuine role.
- Assess the need for a DPIA when processing children’s data on a large scale.
- Define documentation retention periods and enforce them.
- Train teachers and administrative staff on GDPR rules.
Need Support with GDPR in Your Educational Institution?
Education is a higher-risk area — children’s data, health data, monitoring, the e-register and cloud platforms. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we support schools and educational institutions in selecting legal bases, preparing privacy notices and consents, data processing agreements, and implementing monitoring and platforms in compliance with the GDPR.

Contact us — we will help you bring the processing of student data into line with the GDPR.
