How to choose a DPO in a School?
In Spain, since the publication of the National Data Protection Law in December 2018, schools have been legally obliged to appoint a Data Protection Officer (DPO).
The challenges of the DPO position, which will be analyzed later, have increased considerably with the COVID-19 crisis, which has pushed many Schools to explore multiple technological tools in order to continue their “normal” activity with their students at home: video call platforms, applications or extensions for roll call, online exams through facial recognition, publication of student work online, etc.
As I say, this has meant that the School’s DPO has to act quickly in the face of the increasing needs of each School. Faced with any new technology, it is necessary to carry out a thorough evaluation of its privacy and security policies: What data do they collect? For what purpose? Where do they host them? Do they subcontract any of their services? In addition to the usual challenges of using a new technology, in Schools the data subjects are minors, so the challenge is double.
All this leads me to write a few lines about the position or role of the DPO in Schools. As I said, in addition to the appointment being a legal obligation, the sector itself has special characteristics: data processing of minors, sometimes special categories of data, a high use of information technologies, progressive expansion of the types of School contractors with access to data, cloud services, etc. For all these reasons, in the search for a DPO, especially if he or she is external, Schools should ask themselves four key questions regarding the wide offer available:
- Do you have any kind of certification? Currently, there are multiple certifications to prove knowledge of privacy and data protection. In my opinion, they do not necessarily mean anything per se about the person who presents them, but they can be an initial indication of knowledge, which must be confirmed afterwards.
- Do you have demonstrable experience in the education sector? It is a very special sector, and an inexperienced DPO can be a problem until he or she has been “trained,” just as a DPO with experience only in the education sector would be for other sectors.
- Is the DPO really independent? The autonomy of the DPO is another legal obligation, since in performing its functions the DPO should not fall into possible conflicts of interest. Sometimes DPO services are offered, directly or indirectly, by other vendors of the School who in turn offer products or services that involve extensive data processing. In these cases, the DPO’s independence is, at the very least, questionable, as it will be difficult to reveal any shortcomings in these other services or products contracted by the Center.
- What commitments does the DPO assume? A School’s day-to-day is dynamic and changing. A DPO, especially when it is external, must have the organizational capacity to be present in this day-to-day, and it should not be the School that has to “remind” itself that it has a DPO. A correct development of the DPO’s function implies establishing a formal structure in which the DPO is fully aware of any action of the School involving data processing, as well as implementing a system of reporting to the Management Team so that they can make decisions knowing the opinion of the DPO. The use of technologies should undoubtedly be a tool to provide this service, but the DPO must have a “presence” at the School and not just give general and depersonalized instructions.
The decision to hire a DPO in a School is fundamental in the sector, and not only because it is a legal obligation. The correct functioning of the DPO and its active participation in the School’s decision-making process must send a “message” to the educational community, which is none other than that privacy is a value of that School, as it should be of any democratic society.
I hope that the answers to these four key questions can serve to make a correct decision.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license.