The Spanish Data Protection Agency and several autonomous bodies have approved a decalogue to regulate the contracting and use of educational cloud platforms, with special attention to the processing of minors' data in schools and institutes. The document sets compliance criteria for educational administrations and for companies that provide these services, and extends its scope to public, subsidized, and private centers.
A common framework for the use of digital platforms in education
The text has been jointly drafted by the AEPD, the Catalan Data Protection Authority, the Basque Data Protection Authority and the Council of Transparency and Data Protection of Andalusia. Its purpose is to systematically gather the basic principles of data protection that must be applied in the contracting and use of these digital tools in the educational field.
The authorities maintain that these platforms allow students, teachers, and families to interact and collaborate for educational purposes. They also facilitate the teaching function and the development of digital competencies. Even so, they warn that their implementation entails a massive processing of personal data, with an especially sensitive weight of information related to minors.
Special protection for the data of minors
The decalogue focuses on the fact that student data requires enhanced protection. Not only because of the age of those affected, but also because the use of these platforms is not voluntary for students and families, since it is the institutional tool enabled for the development of educational activity.
The authorities consider that the use of digital educational platforms poses specific risks and challenges regarding privacy. That is why they have identified 10 key points that must be taken into account both in the contracting phase and in the daily use of these environments.
Preventive approach and legal security
With this publication, the control bodies opt for a preventive approach. The objective is that educational administrations, teaching centers, and technology companies are clear about what role corresponds to them and what their obligations are regarding data protection.
Among the goals of the document is to promote proactive compliance with regulations and reinforce the protection of those who use these services. The authorities understand that this work should serve to generate a space of trust and legal certainty in an area increasingly present in school life.
The pronouncements collected in this framework are addressed both to educational administrations and to teaching centers, within their respective competencies, with the intention of unifying criteria in an environment where the digitalization of teaching already forms part of ordinary activity.