The impact of the new Data Protection Regulation on Schools

The impact of the new General Data Protection Regulation (GDPR) on the school level has been widely discussed.

More precisely, and referring to recent facts, it has been reported that schools have omitted student names when posting grades, replacing them with the student’s process or number. This decision has been taken by school principals for fear of non-compliance with the GDPR.

It is true that the GDPR lays down a set of rules for the protection of individuals with regard to the processing of their personal data and its free movement. As provided for in Article 29 of Opinion 2/2009 of the Working Party, the processing of children’s data must naturally follow a number of principles such as proportionality and relevance, legitimacy and security.

However, it is also true that the posting of grades within an educational establishment must respect the principle of publicity laid down in the administrative regulatory rules, thus ensuring full transparency in the control of evaluation and equality between students.

Therefore, it is necessary to understand whether, in light of the two parameters mentioned above, the omission of the students’ names from the respective grade listings is justified.

In this regard, the National Data Protection Commission (“CNPD”) has already addressed the matter in Deliberation 1495/2016 of 6 September and Directive 1/2018 of 2 October.

Therefore, in accordance with the understanding set out in those documents, and bearing in mind the principle of minimization of personal data provided for in Article 5 (1) (c) of the GDPR, the grades should be posted, provided that they include only the personal data strictly necessary for the purpose of publicizing the evaluation.

However, in order to fulfil the purpose of publicizing the evaluation in accordance with the provisions of the GDPR, schools should identify only the student’s name, number, year (perhaps the class) and the respective evaluation.

Any additional data (such as absences, the number of class participations or the granting of social support) is disproportionate. These elements should only be publicized in situations where it is ensured that only the student concerned will have access to them, so as not to conflict with the student’s right to privacy.

The specific situation of higher education institutions should be pointed out. In this case, and since entry into their premises is not restricted, the CNPD has defined that it is more convenient to post grades electronically.

Regardless of the way the grades are published, no one may disseminate them; doing so may violate the GDPR.

A different issue is the posting of grades on the Internet, which makes that content globally available. In this case, the CNPD decided (Deliberation 1495/2016, of September 6) that schools should not publish student grades on the Internet, where there is free access.

Within the scope of Directive 1/2018, the CNPD also established that it would seem appropriate, in compliance with the provisions of Article 25 (2) of the GDPR, for information systems to initially limit each student’s access to his or her own grade and only at a later time allow access to the remaining grades, in order to safeguard the objectives mentioned above.


Beatriz Correia Mendes, Trainee lawyer at BAS
