First of all, we need to understand that for any activity, educational and non-educational, that it is not covered by the agreement between the legal representatives of our students and the school, we need to obtain the consent. For example, when students want to participated in an activity outside their school programme like a museum tour. Or when we organize a chess competition and some of our students want to join us. The consent should cover not only the participation in such an activity, but also things like photos taken during that activity and posted on a website or via social platforms, or sending commercial correspondence from the sponsors.
From a different perspective, it should be noted that most of our students are under 18 years old, and due to this aspect, the consent has to be given by their parents or legal guardians, not by students. Even so, we recommend distributing comprehensive information to parents about the nature of the activities that require the consent.
In some particular situations, there is no need of consent because there is a legal basis for requesting the personal data of the students or their legal representatives. For example, when local authorities request detailed information about those who are parte of a vulnerable group and are qualified for a specific type of public assistance (financial or otherwise).
Here are six basic things any teacher or educator should do in order to protect the personal data of our students.
(1) Never send the personal data of our students, including photos of them, via file transfer platforms and instant messaging apps.
Although might seem easier for you to get some personal data (e.g. filled in forms or copies of official documents) via Whatsapp or Telegram, these apps are well known for filtering your information and keeping track of what you send. The best way is to use an encrypted format (encrypted and password-protected archives, for example) via your official email address.
(2) Do not use dodgy platforms to ask your students and their legal representatives to fill their personal data in unsecured forms.
If you have a Microsoft or Google official email account attributed by your institution, then it is better to use the available tools in Office 365 Education or Google Drive. And as soon as you are done with the form, just close it (stop sharing it).
(3) Do not store personal data in unencrypted and password-protected documents. Even on your personal computer.
If you backup your documents (which is a good practice!), make sure the backup is never connected to other devices or shared online or on a local network.
(4) Do not use USBs to transfer personal data.
By jumping from one computer to another with a USB, you may end up either with an infected device or stolen data. Always use the official email, which is also a trackable system in case of data breach. Another problem is that USB and all types of flash memory is that they can be easily lost.
(5) Learn more about cybersecurity and how to protect yourself and your devices.
Avoid opening any unsolicited emails, especially when they contain attachments. Make sure your computer and all the other devices (including mobile phones) are protected by a good/functional antivirus (with all virus definitions updated) and firewall.
(6) Do not share the personal data of your students and their legal representatives with anyone.
If your class decides to visit a museum or a touristic location, do not share the contact details of your students or their parents or legal guardians with the representative of the museum or of the touristic location.