The Privacy Guarantor has provided precise indications to ensure the correct use of remote teaching tools in this period of health emergency in compliance with the legislation dictated by the GDPR and the Code Privacy.
With Covid-19 and the impossibility of regularly carrying out lessons both in school structures and in universities, it became necessary to use other teaching models, which in many realities, especially in specialist areas, are already widely used.
Distance learning, which allows a right alternative to the traditional one, can only be done using platforms.
Many institutes are improvising their approach to distance learning by embracing solutions such as Meet, Teams and Zoom, while others have adopted proprietary or less popular solutions.
In all cases, however, the issue of protection of personal data. First of all, as regards the consent to the processing of personal data, the Guarantor clarified that schools and universities are authorized to process the data of teaching staff, pupils and parents, as it falls within the functions institutionally assigned to schools and universities and therefore is not no specific consent required.
What is certain is that the rules must apply to everyone, and that the Guarantor intends to impose as a substantial requirement respect for privacy.
The data must therefore be processed and used for the sole purpose of teaching online.
Precisely for this reason it is necessary to respect the principle of limitation of the purposes of the processing, for which the institutes must ensure that the data processed on their behalf are used for the sole purpose of teaching. online, also by providing adequate instructions on processing, including them within the appointment of the manager, such as those on data retention, on the procedures for managing any personal data breaches.
It is therefore the same schools and universities that must choose the careful selection and adequate configuration of the tools for online teaching, as data controllers. The Guarantor therefore signals that i principles of privacy by design and by default of the GDPR, taking into account the teaching context and teaching purposes related to the use of data and the related risks for the subjects involved, often minors.
It therefore becomes very important to choose the platform carefully which can then be used in relation to security of sensitive data protection. The choice should fall on an instrument that minimizes the processing of personal data with the provision also of a cancellation deadline at the end of the educational project.
Therefore, the tool used for the didactic programming for each school does not have the obligation to evaluate the privacy impact, ex art. 35 of the GDPR, provided that there is no systematic monitoring of those who use it or the use of invasive technological solutions, such as geolocation.
It is essential that teachers, students and parents are made aware of the characteristics of the treatment and the safeguard measures, as well as their rights in relation to the treatment. It therefore becomes necessary to raise awareness and inform on the use of the tools and on the privacy information.
In this sense a valid support can derive from the adoption of adequate information solutions keeping in mind the target, calibrating both the formal and substantive aspects, taking into account the reference subjects, whether they are students or professors.
We thank for the contribution