Schools, colleges and universities carry a greater responsibility than most organisations when it comes to data privacy and compliance with the Protection of Personal Information Act, 2013 ("POPIA"). They process the personal information of children (any person under the age of 18 in South Africa) and are therefore obliged to ensure that the privacy of those children is secured.

POPIA provides that the personal information of children may only be processed in limited circumstances, and even then it should not be processed unless sufficient guarantees are in place to ensure that the processing does not adversely affect the individual privacy of the child.

Beyond the information of children, educational institutions process large amounts of personal information relating to students, parents or legal guardians, teachers, support staff, donors and service providers. These categories of personal information include all manner of sensitive information, including special personal information. POPIA compliance therefore becomes that much more important.

In conducting a POPIA compliance exercise, educational institutions should consider, among others, the following issues:

  • Exam results: What are students’ rights in terms of accessing their exam results? Can exam results be published? Can a child make a subject access request?
  • Photos: Does POPIA prohibit photos of children being taken? How will they be used and will such use be lawful?
  • Fingerprints: Can we process fingerprints or other biometric information of children? What additional measures do we need to comply with?
  • Transborder transfers: Do we intend to transfer (even through use of cloud services) personal information of children to a third party in a foreign country that does not provide an adequate level of protection? Will prior authorisation of the Information Regulator be required?
  • Information officer: Who is the Information Officer, and do the duties of that role need to be delegated to another person?

Schools, colleges and universities are not immune from being penalised for data breaches. In Poland, a school was fined EUR4 600 (approximately ZAR80 000) for breaching Europe’s General Data Protection Regulation ("GDPR") after it was found to be processing students’ fingerprint data to verify whether they had paid for school lunch. The school was also ordered to erase all personal data it had gathered through its programme and to cease collecting any such data. Similarly, a Swedish school was fined EUR20 000 (approximately ZAR340 000) under GDPR for conducting a facial recognition pilot programme that tracked students’ attendance, which the authority found to be invasive.