Since July 1, 2021, all European schools must comply with the Protection of Personal Information Act (GDPR). Non-compliance carries penalties up to R10 million or 10 years imprisonment. But GDPR isn't just about avoiding penalties - it's about protecting the personal information of learners, parents, and staff.
What is GDPR?
The Protection of Personal Information Act (GDPR) is Europe's data protection law. It regulates how organizations collect, process, store, and share personal information.
Personal Information in Schools Includes:
- Learner Data: Names, ID numbers, addresses, photos, medical information, grades
- Parent Data: Contact numbers, email addresses, financial information, employment details
- Staff Data: Teacher qualifications, ID numbers, salaries, performance records
- Sensitive Information: Medical conditions, disciplinary records, religious beliefs
If your school collects, stores, or processes any of this information (and every school does), GDPR applies to you.
The 8 GDPR Conditions for Schools
GDPR requires that schools follow 8 conditions when processing personal information:
1. Accountability
Schools must appoint an Information Officer responsible for GDPR compliance. This person ensures that:
- The school has a GDPR policy
- Staff are trained on data protection
- Data breaches are reported within 72 hours
- Requests for access to personal information are handled correctly
Action Required: Appoint an Information Officer (usually the principal or a deputy) and document this appointment.
2. Processing Limitation
Schools may only collect and process personal information that is:
- Lawful: For legitimate educational purposes
- Reasonable: Not excessive or intrusive
- Necessary: Required for school operations
Example Violation: Asking parents for their bank statements or credit scores during registration (not necessary for education).
3. Purpose Specification
Schools must clearly specify why they collect personal information. For example:
- Learner ID numbers: For enrollment and DBE reporting
- Medical information: For emergency care and health management
- Contact numbers: For communication about academic progress and emergencies
Action Required: Include a "Purpose of Collection" statement in your registration forms.
4. Further Processing Limitation
Schools cannot use personal information for purposes other than what was originally specified.
Example Violation: Sharing parent contact numbers with a commercial company for marketing (unless explicit consent was obtained).
5. Information Quality
Schools must ensure personal information is:
- Accurate: Regular updates to contact details and medical information
- Complete: All required information collected during registration
- Not Misleading: Verified against official documents (IDs, birth certificates)
6. Openness
Parents and learners have the right to know:
- What personal information the school collects
- Why it's collected
- Who has access to it
- How long it's retained
- How to request access or corrections
Action Required: Publish a GDPR privacy notice on your website and include it in enrollment packs.
7. Security Safeguards
Schools must implement technical and organizational measures to protect personal information from:
- Unauthorized access (strong passwords, access controls)
- Loss or destruction (regular backups)
- Unlawful processing (staff training)
- Data breaches (encryption, secure systems)
8. Data Subject Participation
Parents and learners (data subjects) have the right to:
- Access: Request a copy of personal information held by the school
- Correction: Request that incorrect information be updated
- Deletion: Request deletion of information (subject to legal retention requirements)
- Object: Object to certain processing (e.g., photos in marketing materials)
Action Required: Create a process for handling data subject requests within 30 days.
Common GDPR Violations in Schools
1. Publishing Learner Photos Without Consent
Violation: Posting photos of learners on social media or the school website without parental consent.
Solution: Include a photo consent checkbox on registration forms. Keep records of which parents consented.
2. Sharing Contact Information Inappropriately
Violation: Creating WhatsApp groups with parent phone numbers visible to all members without consent.
Solution: Obtain explicit consent for inclusion in group communications, or use broadcast lists where numbers are hidden.
3. Weak Password Protection
Violation: Using simple passwords like "password123" or sharing login credentials among multiple staff members.
Solution: Enforce strong passwords and provide individual login credentials for each staff member with role-based access.
4. Not Securing Paper Records
Violation: Leaving learner files on desks or in unlocked cabinets where unauthorized people can access them.
Solution: Lock all paper records in secure cabinets and implement a sign-out system for file access.
5. Not Reporting Data Breaches
Violation: Failing to report to the Information Regulator when a laptop with learner data is stolen.
Solution: Report all data breaches to the Information Regulator within 72 hours, and notify affected parents.
6. Excessive Data Collection
Violation: Requiring parents to provide information not necessary for education (e.g., social media passwords, detailed financial statements).
Solution: Only collect information that is necessary and relevant for school operations.
How School Management Software Helps with GDPR Compliance
Modern school management software like MyEncore simplifies GDPR compliance through built-in security features:
1. Role-Based Access Control
Each staff member gets a unique login with access only to information they need:
- Teachers: See only their own classes
- Administrators: Access enrollment and contact information
- Principals: View reports and analytics
- IT Staff: System administration without access to learner data
2. Automatic Audit Trails
Every access, edit, or deletion is logged with:
- Who accessed the information
- When it was accessed
- What changes were made
- IP address and device information
This creates accountability and helps investigate potential breaches.
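The two controls above (unique logins with role-scoped permissions, and a log of who did what, when and from where) are shown together in this added example. It is an illustration written for this page, not MyEncore's code: the role names follow the list above, while the permission strings, the record fields and the demo users are assumptions. Note that it_staff has no learner-data permission at all, and that denied requests are logged as well as allowed ones, which is what makes the trail useful when investigating a suspected breach.

```python
"""Role-based access control with an audit trail (added illustration; permission
names, record layout and sample users are assumptions, not a product's API)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permission strings are constructed for this example. A ":own_class" suffix
# means the permission is limited to classes the user is assigned to.
ROLE_PERMISSIONS = {
    "teacher": {"view_learner:own_class", "edit_grades:own_class"},
    "administrator": {"view_learner:any", "edit_contact:any", "view_enrollment"},
    "principal": {"view_learner:any", "view_reports"},
    "it_staff": {"manage_system"},  # system administration, no learner data
}


@dataclass
class User:
    username: str
    role: str
    classes: frozenset = frozenset()  # classes a teacher is assigned to


@dataclass
class AuditEntry:
    who: str
    when: str       # ISO 8601 timestamp, UTC
    action: str
    target: str     # record the request was about (constructed ids below)
    allowed: bool
    ip: str
    device: str


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def _permitted(self, user, action, learner_class):
        perms = ROLE_PERMISSIONS.get(user.role, set())
        if f"{action}:any" in perms:
            return True
        if f"{action}:own_class" in perms and learner_class in user.classes:
            return True
        return action in perms  # un-scoped permissions such as manage_system

    def request(self, user, action, target, learner_class=None,
                ip="0.0.0.0", device="unknown"):
        """Decide the request and record it, whether allowed or denied."""
        allowed = self._permitted(user, action, learner_class)
        self.audit_log.append(AuditEntry(
            who=user.username,
            when=datetime.now(timezone.utc).isoformat(),
            action=action, target=target, allowed=allowed,
            ip=ip, device=device))
        return allowed

    def denied_attempts(self, username=None):
        """Investigation helper: denied requests, optionally for one user."""
        return [e for e in self.audit_log
                if not e.allowed and (username is None or e.who == username)]


def demo():
    """Run a few constructed requests and return the decisions and log summary."""
    ac = AccessControl()
    teacher = User("t.moyo", "teacher", frozenset({"7A"}))
    admin = User("a.naidoo", "administrator")
    it = User("it.support", "it_staff")
    ip, dev = "10.0.0.5", "staff-laptop"  # constructed values
    results = {
        "teacher_own_class": ac.request(teacher, "view_learner", "learner-001",
                                        learner_class="7A", ip=ip, device=dev),
        "teacher_other_class": ac.request(teacher, "view_learner", "learner-042",
                                          learner_class="8B", ip=ip, device=dev),
        "it_staff_learner": ac.request(it, "view_learner", "learner-001",
                                       learner_class="7A", ip=ip, device=dev),
        "admin_contact": ac.request(admin, "edit_contact", "parent-017",
                                    ip=ip, device=dev),
        "it_staff_system": ac.request(it, "manage_system", "backup-config",
                                      ip=ip, device=dev),
    }
    results["audit_entries"] = len(ac.audit_log)
    results["denied_by"] = [e.who for e in ac.denied_attempts()]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The decision is made from the user's role and class assignment, never from data the client supplies, and the audit entry is appended before the result is returned so that a denied access attempt cannot go unrecorded.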
3. Data Encryption
Personal information is encrypted:
- In Transit: HTTPS/SSL encryption for all data transfers
- At Rest: Database encryption for stored information
- Backups: Encrypted backup files stored securely
4. Consent Management
Digital consent forms for:
- Photo usage in marketing materials
- Inclusion in parent communication groups
- Emergency medical treatment
- Data processing and third-party sharing
Consent records are timestamped and stored for auditing.
5. Data Retention Policies
Automatic enforcement of retention policies:
- Learner records retained for 7 years after leaving (DBE requirement)
- Financial records retained for 5 years (tax requirement)
- Automated deletion of expired data
6. Secure Cloud Backup
Daily automated backups to secure cloud servers:
- Protects against data loss from theft, fire, or hardware failure
- Geo-redundant storage (data stored in multiple locations)
- Easy restoration in case of disaster
7. Password Policies
Enforced security requirements:
- Minimum 8 characters with numbers and symbols
- Mandatory password changes every 90 days
- Account lockout after 5 failed login attempts
- Two-factor authentication for sensitive roles
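The first three requirements in the list above (length and character classes, a 90-day maximum age, lockout after 5 failures) can be enforced in a few dozen lines. The following is an added illustration written for this page, not MyEncore's implementation; the thresholds are taken from the bullets, while the hashing choice (salted PBKDF2 from Python's standard library) and the sample credentials are assumptions. Two-factor authentication is out of scope here.

```python
"""Password policy enforcement: complexity, rotation and lockout (added
illustration; thresholds from the page, hashing scheme and samples assumed)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
MAX_FAILURES = 5
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def check_complexity(password):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no symbol")
    return problems


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.failed_attempts = 0
        self.locked = False
        self.set_password(password, now)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS)

    def set_password(self, password, now):
        """Reject non-compliant passwords; otherwise store a fresh salted hash."""
        problems = check_complexity(password)
        if problems:
            raise ValueError("password policy violation: " + ", ".join(problems))
        self.salt = os.urandom(16)
        self.hash = self._hash(password, self.salt)
        self.password_set_at = now

    def login(self, password, now):
        """Return 'ok', 'expired', 'bad_password' or 'locked'."""
        if self.locked:
            return "locked"  # correct password no longer helps once locked
        if not hmac.compare_digest(self._hash(password, self.salt), self.hash):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILURES:
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed_attempts = 0  # successful login resets the counter
        if now - self.password_set_at > MAX_AGE:
            return "expired"  # caller should force a password change
        return "ok"


def demo():
    """Exercise lockout and expiry with constructed accounts; return outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = "Sp0rt$Day!"  # constructed compliant password
    acct = Account("j.doe", good, t0)
    statuses = [acct.login("wrong-guess", t0) for _ in range(MAX_FAILURES)]
    after_lock = acct.login(good, t0)  # still locked, even with the right password

    stale = Account("m.khan", good, t0)
    on_day_91 = stale.login(good, t0 + timedelta(days=91))
    return {
        "statuses": statuses,
        "after_lock": after_lock,
        "on_day_91": on_day_91,
        "weak_rejected": check_complexity("password123"),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest so that a wrong guess takes the same time as a right one, and the failure counter lives on the account rather than in the client's session, so an attacker cannot reset it by starting a new session.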
GDPR-Compliant School Management
MyEncore is designed with GDPR compliance built-in. Role-based access, audit trails, encryption, and consent management - all included. Book a demo to see how we protect your school's data.
GDPR Compliance Checklist for Schools
Organizational Measures:
- ☐ Appoint an Information Officer
- ☐ Develop a GDPR policy and privacy notice
- ☐ Obtain parental consent for data collection and processing
- ☐ Train staff on GDPR requirements and data protection
- ☐ Create a process for handling data subject requests
- ☐ Implement a data breach response plan
- ☐ Document data retention and deletion policies
Technical Measures:
- ☐ Use school management software with role-based access control
- ☐ Enforce strong password policies
- ☐ Enable encryption for data at rest and in transit
- ☐ Set up automated daily backups
- ☐ Implement audit logging for all system access
- ☐ Secure paper records in locked filing cabinets
- ☐ Install antivirus and firewall protection on all devices
Documentation:
- ☐ Maintain records of consent forms
- ☐ Keep logs of data subject requests and responses
- ☐ Document data processing activities
- ☐ Record staff training on GDPR compliance
- ☐ Maintain vendor agreements (for third-party services)
What to Do When a Data Breach Occurs
Despite best efforts, data breaches can happen. Here's what to do:
Step 1: Contain the Breach (Immediate)
- Isolate affected systems to prevent further damage
- Change passwords on compromised accounts
- Secure physical areas where breach occurred
Step 2: Assess the Impact (Within 24 hours)
- Determine what information was compromised
- Identify how many individuals are affected
- Assess the potential harm (identity theft, financial loss, etc.)
Step 3: Notify the Information Regulator (Within 72 hours)
Report the breach to the Information Regulator if it poses a risk to the rights and freedoms of individuals. Include:
- Nature of the breach
- Categories and number of data subjects affected
- Consequences of the breach
- Measures taken to address the breach
Step 4: Notify Affected Individuals (As soon as possible)
Inform parents and staff whose information was compromised:
- Explain what happened in clear language
- Describe what information was affected
- Advise on steps they should take (e.g., monitor accounts, change passwords)
- Provide contact information for questions
Step 5: Prevent Future Breaches
- Conduct a security audit
- Implement additional safeguards
- Retrain staff on security procedures
- Update incident response plan based on lessons learned
Third-Party Service Providers and GDPR
If your school uses third-party services (cloud software, online learning platforms, payment processors), you remain responsible for how they handle personal information.
Before Using a Third-Party Service:
- Review their GDPR policy: Ensure they comply with European data protection laws
- Sign a data processing agreement: Formalize responsibilities and obligations
- Verify their security measures: Encryption, access controls, backup procedures
- Check data location: Where is data stored? (Preferably in Europe or GDPR-compliant countries)
- Confirm breach notification: Will they notify you if a breach occurs?
Frequently Asked Questions
Q: Do private schools have to comply with GDPR?
Yes. GDPR applies to all schools - public and private, large and small. Any organization that processes personal information must comply.
Q: What are the penalties for non-compliance?
The Information Regulator can impose:
- Administrative fines up to R10 million
- Criminal penalties up to 10 years imprisonment
- Enforcement notices requiring immediate corrective action
Q: Can parents request their child's information be deleted?
Not while the child is enrolled. Schools have a legal obligation to maintain learner records for educational and DBE reporting purposes. However, after a learner leaves, parents can request deletion once the mandatory retention period (7 years) expires.
Q: Do we need parental consent to collect basic information?
No explicit consent is required for information necessary for enrollment and education (name, ID number, grade, contact details). However, consent IS required for:
- Photos in marketing materials
- Sensitive information (medical, religious, biometric)
- Sharing information with third parties
- Using information for purposes beyond education
Q: What if a parent refuses to provide necessary information?
If information is genuinely necessary for enrollment or DBE compliance (e.g., ID number for school management system), you can make it a condition of enrollment. Document why the information is necessary and inform parents that refusal may affect enrollment.
Q: How long must we keep learner records?
Department of Basic Education requires learner records to be retained for 7 years after the learner leaves. Financial records must be kept for 5 years per tax regulations.
Conclusion
GDPR compliance is not optional for European schools - it's a legal requirement with serious penalties for violations. But beyond avoiding fines, GDPR compliance demonstrates your school's commitment to protecting the personal information of learners, parents, and staff.
The good news: compliance doesn't have to be complicated. By implementing proper technical safeguards (secure school management software), organizational measures (policies and training), and documentation practices (consent forms and audit logs), your school can achieve and maintain GDPR compliance.
- Appoint an Information Officer
- Develop your GDPR policy and privacy notice
- Implement secure school management software with GDPR-compliant features
- Train your staff on data protection requirements
- Obtain necessary consents from parents
Modern school management software makes GDPR compliance automatic through built-in security features: role-based access, audit trails, encryption, consent management, and secure cloud backups.