Review of the ODPC Guidance Note for the Education Sector: Data Protection in Kenya Series 4

The Office of the Data Protection Commissioner (ODPC) issued the Data Protection Guidance Note for the Education Sector in December 2023, in response to growing privacy concerns about the processing of personal data within the sector. It has been reported that the increased use of technology in the education sector has exposed it to risks including frequent cyberattacks, data breaches, phishing and ransomware attacks, account takeovers, potential misuse of personal data, lack of transparency around data collection and processing, and unauthorized access and disclosure, among others.

It has further been reported that because the education system provides services to over 16 million children and youth, with close to 500,000 teachers distributed across approximately 90,000 schools, there is a need for the education sector to take steps to ensure that personal data is collected and processed fairly and transparently and with appropriate data protection measures so as to safeguard personal data against unauthorized access, disclosure or loss.

The ODPC has identified the following privacy concerns in the education sector which have called for its intervention to ensure the protection of personal data:

  • displaying examination results of pupils/students on school notice boards;
  • disproportionate disclosure of academic records or sensitive data to larger groups via students’ or parents’ WhatsApp groups or during parent-teacher meetings;
  • publishing photos of top performers in examinations in newspapers;
  • posting or using photos or video in the school prospectus and on the website without valid consent;
  • accuracy of examination results and other data;
  • collection of excessive data;
  • retention of data for longer than necessary; and
  • use of CCTV cameras in boarding schools, among others.

These privacy concerns have led to infringement of the right to privacy and have potentially resulted in bullying, discrimination, and exclusion. As a result, educational institutions are now being called upon to understand that students and children do not lose their human rights by passing through the school gates, and that education must be provided in a way that respects their inherent dignity and right to privacy.

The scope of the guidance note is to provide educational institutions with a clear understanding of their obligations under data protection law. Additionally, the guidance note aims to cover various aspects of data protection, including the collection, use, retention, disclosure, and disposal of personal data in the education sector and applies to all education institutions operating in Kenya including kindergartens, primary and secondary schools, and higher education institutions.

Obligations of Education Institutions as Data Controllers and/or Data Processors

The guidance note sets the following obligations for education institutions:

  • Education institutions must register as a data controller or data processor regardless of their size and/or their annual turnover or revenue.
  • At the time of collection of personal data, education institutions must notify data subjects of their rights including informing them that personal data is being collected, state the purpose of the collection; disclose third parties who may receive the data and the safeguards adopted; provide the contacts of the data controller or data processor and disclose whether any other entity may receive the data; describe the technical and organizational security measures taken to ensure data confidentiality and integrity; state if the data is being collected pursuant to the law and if it is voluntary or mandatory; and outline the consequences if data subjects fail to provide all or part of the requested data.
  • Before processing sensitive personal data, educational institutions should obtain explicit consent from data subjects. This means that the data subject must give clear, unambiguous, and specific consent for their data to be processed.
  • Educational institutions must take appropriate technical and organizational measures to ensure the security of sensitive personal data.
  • Educational institutions should only retain sensitive personal data for the period necessary to achieve the purpose of the processing. Sensitive personal data should be deleted or anonymized once it is no longer necessary for the processing.
  • Education institutions must ensure that sensitive personal data is processed lawfully, securely, and for a legitimate purpose.
  • Parental/guardian consent is required before collecting or processing data about minors.
  • Examination results are personal data, and their unauthorized disclosure can lead to embarrassment, stigma, or other negative consequences for the child. Education institutions must handle such data with utmost confidentiality and ensure that it’s shared only with authorized individuals.
  • A child’s image is considered personal data, and its unauthorized use or distribution can infringe on the child’s right to privacy. Education institutions must obtain explicit consent from parents or guardians before publishing or sharing any photographs of children, especially in public domains.
  • Education institutions have to report personal data breaches to the ODPC without delay within 72 hours of becoming aware of the breach.
  • Educational institutions are required to process personal data lawfully, fairly, and transparently.
  • Educational institutions must limit the collection and storage of personal data to only what is necessary for a specific purpose that has been communicated to the individual.
  • Education Institutions must take reasonable steps to ensure that personal data is accurate and that any inaccuracies are corrected as soon as possible. Further, all institutions in the Education Sector must ensure that they make provision for internal controls to allow for verification of the information provided, allow for the updating of the personal data by data subjects and have regular periodic reviews. It is recommended that the reviews take place yearly.
  • All institutions in the Education sector must have appropriate internal policies and procedures in place to ensure that personal data is securely stored and only kept for as long as necessary. The said internal policies should have a specified retention period in accordance with the laws governing the relevant educational institution or prevailing education policy or otherwise provide for reasonable and justifiable retention periods based on the processing activity and the identified purpose for processing.
  • All education institutions are responsible for complying with data protection principles (the Act and the Regulations). All institutions in the education sector must have appropriate policies and procedures in place to ensure compliance with data protection laws and must be able to demonstrate compliance.
  • Minors cannot validly give consent, and such consent must be provided by their parent or legal guardian. Educational institutions must therefore ensure that they obtain valid consent and that the consent is specific, informed, and freely given.
  • Education institutions must provide individuals with information about the purpose and legal basis of the processing. This means explaining why the institution is collecting and processing personal data, and what legal basis it relies on.
  • All stakeholders have the right to access their personal data. This implies that students, parents and guardians have the right to request access to their personal data such as disciplinary records, health information and academic records. In relation to a child, a person with parental authority or guardian has the right to access any personal data held by the school. In accordance with the regulations, an institution in the education sector has seven (7) days following the receipt of a data access request within which to provide access to the information to the said data subject.
  • A data subject, or the guardian of a data subject, can object to the processing of the data subject’s personal data. Generally, schools must have written permission from the parent or eligible student to release any information from a student’s education record. Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honours and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow them a reasonable amount of time to request that the school does not disclose directory information about them.
  • Students and parents have a right not to be subject to automated decision-making.
  • If a student’s personal information in the education system is incorrect, they have the right to request that it be updated or corrected.

At A.O.WANGA ADVOCATES we are happy to assist you with all your data protection concerns in Kenya, including registration, tailored advice and conducting Data Protection Impact Assessments.

All rights reserved for A.O.WANGA ADVOCATES
