GDPR: Can children prevent schools from disclosing grades to parents?
Stuart Ritchie
15.03.2018
"Can I sue my school for telling my grades to my parents via a website, with the European GDPR law?"
This is a question asked of me on Quora some time ago by an "interested" data-subject! Normally I pass on such questions, but this hits a nerve. If you just take out the text "via a website", we have a more general question I get asked by school and university controllers. It’s therefore also one I sometimes work through in appropriate software workshops. A recent Court of Justice ruling covers similar ground: while that overlaps it doesn’t seem central to the key GDPR analysis, so I won’t distract you (or myself!).
For the more general question the summarized answer is: "probably not, unless if the school has been really foolish, by say choosing the legal basis of consent, or say contract with the parents, under the mistaken impression that the sole relevant data subjects are the parents". Yes, the parents (which I use as shorthand for "those with parental responsibility in law") are data subjects for certain school processes; but the vast majority of school processes (all of which must be analyzed separately) that engage students actually will not engage the parents at all.
Here’s the key point: in the "advice as to student grades" process the parents are not the sole data subject: we’re grappling with at least two data subject categories simultaneously. Let’s ignore teaching staff and pretend this process engages just two categories: parents and students.
Sure if child consent is used the material age of consent will vary from 13 to 16 depending on precisely which jurisdiction you’re in, or (if you’re not in the EU) probably the jurisdiction of the school. And certainly up until that age the parents can give consent on the child’s behalf. But for various mostly obvious reasons consent is a very poor choice for the school.
Contract is easier for age of consent issues because in respect of age the GDPR does not disturb the general contract jurisdictional rules well known to all (for example in English contract law we’re all infants until age 18 and, while we can enter contracts, they’re generally not binding on us if formed prior to adulthood). However the contract legal basis likely will be utterly unusable, in logic and in law, for processes engaging multiple data subject categories.
The most appropriate legal basis justifying disclosure to parents seems likely to be either legitimate interests (for a privately funded school) or public interest (for a publicly funded school). Of course these are the weakest legal bases of all and require the most compliance work, as well as the ones most easily challenged.
Key point: whatever basis is chosen the legal basis analysis must be performed at the process mapping stage, and it really ought to include legal input from an EU-qualified lawyer or DPO (publicly funded schools likely can get assistance from LEA DPOs etc, while most privately funded schools likely will need their own internal or external DPO but also likely can get pooled advice from their trade associations).
In practice DPOs might find it useful to treat such processes dealing with two categories as two sub-processes – one for advising the students of their grades, one for advising parents of grades. Why? Because then the analysis is much simpler: for example in the case of advising parents of students at privately funded schools, it’s arguably a legitimate interest to discharge your contractual obligations with third parties, i.e. with the parents. When I say "arguably" here, certainly I’d be happier arguing for it than against it.
Likewise the distinct Notifications for this process that the school communicates separately to parents and to students (though arguably both types of Notification might go to parents where the students are still children) must be logically consistent with each other, internally consistent, and obviously they otherwise may not breach the Notification rules.
That’s the answer to the general question.
Now, if the school as controller hasn’t messed up so far, we revert back to the specific question: "via a website".
For a change, the Article 32 cyber-security and information security issues become material here: the context of the web site, (crucially) who is intended and permitted to see the page, and the choice and effectiveness of the security and other measures to prevent others from seeing it. (If anyone else does, then obviously that’s just a data breach and we go to the Article 33/34 processes).
More interestingly, unfortunately the web site delivery also is dangerous in respect of the necessity test (unless the basis is consent in which case we’re in trouble anyway!), the burden of proof being on the school, documented in advance.
I’ll just throw out some quick educated guesses as to GDPR classifications. By trivial construction the activity includes special categories data, it’s profiling, it’s monitoring, it also may be automated decision-making depending on the context of its placement into the web site as well as assessment techniques etc. So arguably a DPIA must be performed (see WP29’s recent very helpful finalized Opinion WP248), and, if my view of the legal basis is right, balancing tests must be performed and documented in advance. As always, last but not least the data subject rights implementation for the process must align to the specific legal basis and factual circumstances of the process.
Or the controller could be toast anyway, when any of the Supervisory Authorities investigates and fines the controller. Which they can remarkably quickly on what I call their "30 seconds fine and forget" basis, if the Notifications aren’t up to snuff and they’re available on the internet. Outcome? Well, if we don’t like the fine, we may like the "Daley Male" headlines a whole lot less.
Regrettably there will be a lot of this kind of stuff around – because data subjects will trigger it by complaining, and the Supervisors are obliged by law quickly to deal with such complaints and impose penalties in, don’t forget, an "effective, proportionate, and dissuasive" way.
As to direct Court actions in injunctive relief, controllers as always will have to take the rough with the smooth. As to actions for compensation, from July 1 (a critical date) I hope to try a few technology tricks to sabotage the commercial viability of the loathsome CMC market, but that’ll do nothing to stop Max Schrems’ or others’ Article 80 actions.
Finally, apropos of any UK educationalists reading this: don’t forget that the GDPR potentially blows away all prior child safeguarding statute law intersecting with it as well as, regrettably, common law such as Gillick consent, with non-obvious consequences which also will end up in the Daley Male whenever anything goes wrong. For more, see my learned friend Ian Beeby’s paper here.
Disclaimers: I sometimes work with Ian Beeby and I communicate infrequently with Max Schrems.
- All facts and opinions set out above, including but not limited to
spoken content and attachments/links, are provided for informational
purposes
only as a non-legal service to the public, and do not constitute legal
advice
or a substitute for legal counsel, and do not create any lawyer-client
relationship, nor do they constitute advertising or provision of a legal
service, nor are they the opinion of this web site or of its owner. The
author is a co-founder of GDPR360 but does not speak in that capacity or
in the capacity of a lawyer.