In June 2020 the Belgian data protection authority (“Belgian DPA”) found that a Belgian school board had violated the GDPR principles of data minimisation and transparency, and unlawful processing of personal data relating to under 13 year old students as it had failed to seek parental consent for a ‘well-being’ survey it circulated.
The survey was sent to first-year students (12 years of age) through the Smartschool communication system. Shortly after, a complaint was made to the Belgian DPA that the survey had been carried out without parental consent. The complainant also raised the issue that the survey lacked sufficient information to meet the GDPR standard for a Privacy Notice. A further issue was that data minimisation had not been properly applied as students were asked about their classmates and bullying without having their identities anonymised. The complaint also alleged that the school board should have carried out a data protection impact assessment (DPIA), but had not done so.
The school board rejected the complaint that parental consent was required. It argued that another legal basis applied, namely processing necessary for compliance with legal obligations. It also said that sufficient information had been provided to meet fair processing standards and it pointed out that no special category personal data was being processed. It did however admit that future surveys would based on well-being questionnaires approved by the Flemish Education Inspectorate, in order to respect the principle of data minimisation.
The Belgian DPA considered the following data protection issues:
- Did the lawful basis for the processing remove the need for parental consent?
- Had the school board complied with the principles of data minimisation and transparency?
- Should the school board have carried out a DPIA?
It is clear that the lawful basis of the processing should have been consent as GDPR specifically states that parental consent is required to process personal data relating to children under the age of 13 years.
The Belgian DPA also found that the school board had failed to meet its obligations under the data minimisation principle by failing to anonymise student data. It had also failed to meet the transparency principle by failing to demonstrate that pupils were adequately informed.
The decision of the regulator was that no Data Protection Impact Assessment was required as there were relatively few data subjects and the risk to their rights and freedoms was low. We would always advise clients to carry out a DPIA risk assessment before carrying out any new processing activity. It need not be a long, drawn out process, just an assessment of the potential risks of the activity. Even a short DPIA would have considered how the data protection principles are being met and should have identified the issue around needing parental consent.
In a strange ruling the Belgian DPA did not agree with the complainant that the school board should have provided fair processing information to parents of the students asked to take part in the survey. Rather it decided that parental consent does not require the same standard of transparency as would be required when providing fair processing information to data subjects via a Privacy Notice. This calls into question the validity of the consent obtained as GDPR provides for consent to be informed and specific. Certainly details of the purposes of the processing would be required and information about the personal data sought and whether the provision of personal data was mandatory or voluntary. Information that would have bearing on the decision to provide the personal data would also surely include details of restricted transfers (outside the EEA) and any proposed data sharing. Starting with a Privacy Notice template would seem to make sense when obtaining consent to processing in all situations.
Mandy Webster, Data Protection Consultant