Miguel Martínez Hernando
Admissions Coordinator & Data Protection Officer (Benjamin Franklin International School)
For the past 4 months I have been attending a course on data protection compliance in light of the new General Data Protection Regulation (GDPR) that came into force on May 25th, 2018. The course took place at the Barcelona Bar Association and was aimed at lawyers who wanted to update their expertise on data protection and better understand the GDPR.
My double role, as Admissions Coordinator at Benjamin Franklin International School and as a lawyer, allowed me to grasp how the GDPR affects schools and, in particular, Admissions professionals. My goal with this article is to provide a practical approach to GDPR compliance in the Admissions Office.
Needless to say, when it comes to GDPR compliance it is ultimately the school’s responsibility, as Controller, to make sure that it complies with the GDPR in all of its activities (HR, Academics, Marketing and Communication, Admissions, etc.). It is also true that it is in Admissions where the processing of data from families and their children begins, so it is always a good start if all the processes involved in Admissions are GDPR compliant.
Data processing must be bound by the principles contained in article 5. While all are equally important, the following have special relevance in Admissions:
Controllers must inform data subjects of the legal basis for the data processing and be able to provide solid arguments as to why that legal basis applies rather than another (to this end, national Supervisory Authorities such as the ICO in the UK or the Agencia Española de Proteccion de Datos in Spain may issue statements/guides determining the legal basis for different kinds of data processing).
SPECIAL CATEGORY DATA
This is data that the GDPR says is more sensitive and therefore needs more protection. Health data, race, religion, ethnic origin, sexual orientation, etc. are all considered special category data. If you want to process this data, you must identify a lawful basis under Article 6 and also a special condition under Article 9 (there are ten). The first of these conditions is when the data subject gives explicit consent for the processing. Health-related information about a student (and this would include psychological evaluations, etc.) is considered special category data bound by these additional conditions and safeguards.
RIGHT TO BE INFORMED and RIGHT OF ACCESS
Individuals have the right to be informed about the collection and use of their personal data. Controllers must provide individuals with information such as the purposes of the processing, the retention periods for that personal data, and who it will be shared with. If the school obtains personal data both from the data subject and from other sources, the individual has the right to know that you are collecting this data. The right to be informed is very broad, and the GDPR sets out very specific requirements that must be met to ensure this right is guaranteed.
The Right of Access refers to the individual’s right to access his/her own personal data.
If you think of both rights, their application to the Admissions Office becomes interesting when we request teacher recommendations for candidates. We are clearly collecting personal data that, under the GDPR, the individual has the right to access, so in the future we might find ourselves having to provide this information to candidates who request it.
All Controllers that use Processors (i.e. those that process personal data on behalf of the Controller) need to have written Contracts in place, and these Contracts have to be GDPR compliant. Make sure you have correctly identified all of the School’s Processors, and remember that if the Admissions Office uses a third party to manage the whole application process, that third party is considered a Processor.
There are restrictions on personal data being transferred outside of the EU. We need to pay special attention to where Processors are located, where the Processors’ servers are located, etc., because all of these will determine whether you fall within the scope of the regulation’s rules on international transfers.
DATA PROTECTION OFFICER
Schools aren’t required by the GDPR to appoint a Data Protection Officer, but it may be a good option to ensure accountability and help demonstrate compliance. Also, national laws may have additional requirements. Spain, for example, is expected to approve a Data Protection Law complementing the GDPR that does require schools to appoint a Data Protection Officer. It is in the school’s interest that the DPO not only has expertise in the GDPR and data protection but is also knowledgeable about how a school works.
I hope this article has helped clarify some of the most important aspects of the GDPR in relation to Admissions Offices at schools. Please feel free to contact me if you have additional questions.