Regulatory action

UK ICO action

To view education audits, advisory visits and overview reports from the UK regulator, visit the web page of the Office of the Information Commissioner (ICO). [Go to ICO page] Selection should include audits. Advisory reports are not published but show where these visits were carried out. Select all time.

Schools

In December 2019, we summarised those 12 done to that date.

The Department for Education

In October 2020 the ICO published a summary and highlights of its audit of the DfE.

Enforcement actions in schools outside the UK since May 2018

Sweden

Facial recognition

August 2019. The Swedish DPA fined a municipality 200 000 SEK (approximately 20 000 euros) for using facial recognition technology to monitor the attendance of students in school. Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a position of dependency and therefore significant imbalance of power, between families and the high school board. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR. (EDPB news link EN) Download decision in full. [SE] [EN]. pdf.

France

Facial recognition

October 2019. The French data protection authority, the CNIL, announced it has ordered high schools in Nice and Marseille to end their facial-recognition programs. (CNIL link) [EN news story]

February 2020, court action found it unlawful, unnecessary and disproportionate.

Norway

Article 32 GDPR (Fine: €203,000)
Oslo Municipal Education Department fined by the Norwegian Supervisory Authority. Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app “Skolemelding” was used by the schools in Oslo , for parents and teachers to communicate about the children’s daily life in school. Unauthorised users were able to log in. [DPA Ruling Link ] [News in EN] April 2019.

Article 32 (1) (b) and (d) of the Regulation, Article 24 and Article 35, cf. Article 5. (Fine DKK 800,000)

The Data Inspectorate has sent notice to the Municipality of Rælingen of a violation fee of DKK 800,000. The warning comes after health information about children with physical and mental disabilities was processed in the digital learning platform Showbie. [DPA decsion link https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-til-ralingen-kommune/] March 2020

Article 35 GDPR (Fine DKK 500,000)

The Norwegian data protection authority announced it has imposed a fine on Rælingen municipality processing personal data in a digital learning platform, Showbie.The necessary risk assessments, privacy impact assessments and testing have not been carried out in advance before the application was taken into use. Inadequate security when logging in to the application has, among other things, made it possible to gain access to other students in the group.

[Link to the NO press release: https://datatilsynet.no/contentassets/] July 2020.

Poland

School survey (2020)

GDPR penalty of a reprimand for the processing of students’ personal data without legal basis in connection with survey carried out by a school in the school year 2019/2020. The survey entitled “Diagnosis of student’s home and school situation” examined the personal lives of students. [September 2020] link

Fine for loss of personal data kept (and lost) after the retention period (2020)

GDPR breach by the Warsaw University of Life Sciences (SGGW), imposed a fine on this entity in the amount of PLN 50 000. The theft of a portable private computer of the university employee, who used this device also for business purposes, included the recruitment candidates. [link] September 2020

Fine for processing students’ fingerprints imposed on a school (2020)

GDPR Fine: PLN 20,000

A fine of PLN 20 000 in connection with the breach consisting in the processing of biometric data of children when using the school canteen. The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification. [EDPS]