By Jeff Bullwinkel, Associate General Counsel and Director of Corporate, External & Legal Affairs, Microsoft Europe
BETT London – one of the largest education-focused events and conferences in the world – has inspired us all once again this past week. The show provides an excellent opportunity to explore the future of education and the role of technology and innovation in helping all educators and learners. We’re proud to be a part of this conference and continue the dialogue with many European educators about the role technology can play in helping the students of today and in the future.
This year will be special for both European students and educators that use technology in the classroom, thanks to a new European regulation that will help better protect the personal data of all European online users – including children.
The EU General Data Protection Regulation (GDPR) brings new rights for European residents to have control over their online personal data. In addition, online data controllers and processors must take new steps to ensure personal data is secured. In the event of a data breach, new steps must be taken to notify data protection authorities and, in many cases, end users.
This new regulation was passed in 2016, but it goes into effect across the EU in May of this year. It builds on existing protections in the EU Directive 95/46/EC which were enshrined in regional or national data protection laws such as the Data Protection Act 1998 in the UK and the German Bundesdatenschutzgesetz (BDSG).
The GDPR brings together the best of these individual laws in a single pan-European regulation that provides consistency for individuals in the protection and control of their data and can be more easily implemented across the EU by online providers.
Our children are perhaps the most important community for which this new regulation helps to provide new protections. As children increasingly use online apps, and as our schools are using new innovative online technologies in the classroom, these new protections are well-timed.
This is especially important as children mature into a world that is increasingly being impacted by digital transformation and where data has become the lifeblood that will help companies, organizations and societies transform. However, the handling of data – especially personal data and most especially the personal data of our children – must be done in a way that can be trusted. For Europeans, the foundation of this trust is built around the principles of the GDPR.
Any educational entity that wants to collect and use student data must provide a clear legal basis for that action. If consent is used as the legal basis for processing a child or student’s data, then the consent must be provided by a person holding “parental responsibility” if, in most cases, the child is under the age of 16. This consent and privacy notice must be written in plain language that can be understood by both children and their parents.
For schools that use online services in the classroom – including email services, social media, document collaboration and online courseware – special attention will be needed to ensure the services used fully comply with the GDPR.
Importantly, an entity operating such a service, for example Microsoft with its Office 365 service, will typically be considered a data processor under the GDPR, and the school that collects the data is usually considered the data controller – although these roles may vary depending on how data is collected and controlled. Regardless, both the data controller and the data processor must abide by the GDPR and work together to fully protect the rights of, and information provided by, their data subjects, i.e., the students.
At Microsoft, we have been actively engaged with the development of European privacy regulations for years and have committed that our services will fully comply with the GDPR and include capabilities that enable our customers to simplify their own GDPR compliance. Under GDPR, schools will need to ensure that any services they use spell out how children’s data will be used and ensure those uses are clearly described for the school, the students and their parents. We are very clear that we use Office 365 for Education customer data only to provide and improve the service. If the school is using Office 365 for Education email, for example, the data is never used for marketing or advertising.
It’s critical that schools, school districts and other educational institutions understand that even if they use a GDPR-compliant online service, there are still specific new responsibilities that fall on the educational entity as the data controller. In addition, the online service provider and the school have joint responsibilities that need to be spelled out in the contractual terms that the parties have agreed to.
Microsoft has already taken steps to ensure that GDPR-applicable terms have been added to its online service agreements to support our customers’ compliance needs. There are, however, specific actions educational entities need to take themselves. For example, the recently published article “GDPR for schools – steps to prepare” provides some high-level guidance. Microsoft also provides detailed information, guidance and tools to assist customers with GDPR compliance at our GDPR Trust Centre site.
For entities handling children’s data in the UK, the Information Commissioner’s Office (ICO) recently published a new draft paper that offers interested parties guidance and the ability to provide comments relevant to children and the GDPR. While this guidance is provided by the UK’s ICO, the information will be of interest in all countries in the EU since the GDPR is a pan-European regulation that applies uniformly across the EU. When in doubt, the best advice is to seek specific guidance from a data protection legal professional in your local jurisdiction.
Microsoft is committed to working with all customers – including educational institutions – to ensure that the personal information of our children and all users is protected to the best of our ability, and to providing a platform where together we can create great solutions for students that fully comply with this new regulation.
Our mission is to empower every person and every organization on the planet to achieve more. The starting point for this mission is ensuring that our students and the dedicated educators who guide them have the tools they need to be safe and productive in our digitally transforming world.