For the past 4 months I have been attending a course on data protection compliance in light of the new General Data Protection Regulation (GDPR) that came into force on May 25th, 2018. The course took place at the Barcelona Bar Association and was aimed at Lawyers that wanted to update their expertise on data protection and better understand the GDPR.

My double role, as Admissions Coordinator at Benjamin Franklin International School and Lawyer, allowed me to grasp how GDPR affects schools and, in particular, Admissions professionals. My goal with this article is to provide a practical approach to GDPR compliance in the Admissions Office.

Needless to say, GDPR compliance is ultimately the school’s responsibility: as Controller, it must make sure that it complies with the GDPR in all of its activities (HR, Academics, Marketing and Communication, Admissions, etc.). It is also true that Admissions is where the processing of data from families and their children begins, so it’s always a good start if all the processes involved in Admissions are GDPR compliant.


Data processing must be bound by the principles contained in article 5. While all are equally important, the following have special relevance in Admissions:

  1. LAWFULNESS: All personal data processing must be lawful, meaning that you must identify a valid legal basis under the GDPR for collecting and using personal data. There are six legal bases described in the GDPR; but in my opinion, the legal basis that makes data processing in Admissions lawful is art. 6.1.c: data processing that needs to take place before entering into a contract (i.e. the school – its Admissions Office/Team – must process personal data of a student and his family to decide whether or not to admit and sign an enrollment contract). To get a better idea of how lawfulness works, you simply have to think of the data processing in Admissions (that takes place BEFORE the student is enrolled) and the data processing that takes place AFTER he/she is admitted. Once the student is enrolled and the family has signed an Enrollment Contract, the school will process data with different purposes and thus the legal basis may vary:


    • the Enrollment Contract would make lawful the data processing needed to perform the contract (provide educational services)
    • a Law can also be the legal basis if the school is processing data to comply with obligations set forth in said Law
    • and Consent may be the school’s legal basis if for example the school plans to publish a Directory (if you do use Consent, be sure to meet all GDPR requirements for consent).

    Controllers must state what the legal basis of the data processing is and be able to provide solid arguments as to why that legal basis applies and not another (to this end, national Supervisory Authorities like the ICO in the UK, or the Agencia Española de Protección de Datos in Spain, etc. may issue statements/guides determining the legal basis for different data processing).

  2. PURPOSE LIMITATION: All personal data must be collected for a purpose that is specific, explicit and legitimate. In the Admissions Office, the purpose of data processing is deciding whether or not a student should be admitted into the school. Your purpose(s) need to be recorded as part of the School’s (Controller) documentation obligations.
  3. DATA MINIMIZATION: Personal data shall be adequate (sufficient to properly fulfill your stated purpose), relevant (has a rational link to that purpose) and limited to what is necessary in relation to the purpose (you don’t ask for more than you need for that purpose). Are we collecting the personal data we need to satisfy our purpose? Can that purpose be met collecting less personal data? These are the sort of questions we should ask ourselves in order to understand if we comply with this principle.
  4. STORAGE LIMITATION: Personal data should not be kept longer than needed in relation to the purpose you are collecting it for, and you must be able to justify, document and inform on retention periods. National laws might be a guide here, but in the absence of specific laws, Controllers should make a decision and be able to provide solid arguments as to why they have decided on a specific period. In Spain for example, a national law requires that schools store academic information indefinitely, but what happens with personal data that is not academic? What happens with personal data collected by the Admissions Office of students that have not been admitted?
  5. ACCOUNTABILITY: In terms of principles, the last one to mention is Accountability, which requires all Controllers and Processors not only to comply with the GDPR but also to be able to prove that they are complying. This involves Controllers having to document all decisions made in relation to GDPR compliance, and having appropriate measures and records in place to be able to demonstrate compliance.


Special category data is data that the GDPR says is more sensitive and therefore needs more protection. Health data, race, religion, ethnic origin, sexual orientation, etc. are all considered special category data. If you want to process this data, you should identify a lawful basis under Article 6 but also a special condition under Article 9 (there are ten). The first of these conditions is when the data subject gives explicit consent for said processing. Health related information about a student (and this would include psychological evaluations, etc.) is considered special category data, bound by these additional conditions and safeguards.


Individuals have the right to be informed about the collection and use of their personal data. Controllers must provide individuals with information like their purposes for processing, retention periods for that personal data, and who it will be shared with. If the school gets personal data from the subject and from other sources, the individual has the right to know that you are collecting this data. The right to be informed is very broad and the GDPR has very specific requirements that must be met to ensure this right is guaranteed.

The Right of Access basically refers to the individual’s right to access his/her personal data.

If you think of both rights, their application to the Admissions Office might be interesting when we request teacher recommendations from candidates. We are clearly collecting personal data that under GDPR the individual has the right to access, so in the future we might see ourselves having to provide this information to candidates that request it.


All Controllers that use Processors (i.e. those that process personal data on behalf of the Controller) need to have written Contracts in place and these Contracts have to be GDPR compliant. Make sure you have correctly identified all of the School’s Processors and remember that if the Admissions Office uses a third party to manage the whole application process, this third party is considered a Processor.


There are restrictions on personal data being transferred outside of the EU. We need to pay special attention to where Processors are located, where servers from Processors are located, etc. because all of these will determine whether you are under the scope of the regulation for international transfers.


Schools aren’t required by the GDPR to appoint a Data Protection Officer, but it may be a good option to ensure accountability and help demonstrate compliance. Also, national laws may have additional requirements. Spain, for example, is expected to approve a Data Protection Law that will complement the GDPR and that does require schools to appoint a Data Protection Officer. It is in the school’s interest that the DPO not only has expertise in GDPR and Data Protection but is also knowledgeable on how a school works.

I hope this article has helped clarify some of the most important aspects of GDPR in relation to Admissions Offices at schools. Please feel free to contact me if you have additional questions.
