As another academic year gets under way, schools, educators, and staff must understand how the Protection of Personal Information Act 4 of 2013 ("POPIA") applies to them and what their obligations are under it. POPIA, which came into full force and effect in July 2021, aims to protect personal information against unlawful processing and applies across all sectors, including the education sector. A school that determines the purpose and means of processing personal information (for example, by collecting learner and parent details on enrolment) is a responsible party and must comply with the provisions of POPIA.
Below are some POPIA do's and don'ts for schools to consider:
Do's:
- Obtain consent from parents or legal guardians:
POPIA requires that consent be obtained from a parent or legal guardian (a "competent person") before a school collects, processes, or shares any personal information relating to children. Consent must be voluntary, specific, and informed, and the person who gave it may withdraw it at any time. Where consent cannot be obtained, the school must rely on one of the other grounds listed in section 35 of POPIA. In addition, schools must tell parents or legal guardians why the personal information is being collected, how it will be used, and with whom it may be shared. It is recommended that schools review their enrolment process and build the relevant consent provisions into it.
- Implement a privacy policy:
Schools need an adequate privacy policy that documents the categories of personal information that may be processed; who is responsible for handling that personal information and its processing; whether the personal information will be shared with third parties and, if so, with whom and why; and whether the personal information will be transferred beyond the borders of South Africa. Cross-border transfers attract more stringent requirements, especially where the personal information relates to minors.
- Develop and maintain a PAIA Manual:
In terms of the Promotion of Access to Information Act 2 of 2000 ("PAIA"), schools are required to have a PAIA manual readily available to the public. The manual sets out the procedure for requesting access to records held by the school, including records containing personal information, and serves as a guide for handling such requests. Schools are responsible for keeping the PAIA manual up to date and easily accessible to staff, parents, and other stakeholders.
- Implement technical and organisational safeguards:
Schools are required to take proactive steps to protect the personal information they hold, including that of children, from unauthorised access, disclosure, alteration, or destruction. Technical safeguards include access controls, encryption, password protection, firewalls, and regular security audits. Organisational safeguards include raising POPIA awareness and training staff on personal information handling, data security best practices, and cyber-hygiene. Schools must implement and enforce strict processes for handling personal or sensitive information so that its confidentiality and security are not compromised.
- POPIA awareness training:
Conduct training for school governing bodies, teachers, administrators, and support staff on their obligations under POPIA and on compliance generally. Schools should offer regular sessions on POPIA compliance, data protection, and the importance of protecting personal information against unauthorised access or disclosure.
- Create processes for enforcement of data subject rights:
Schools are encouraged to establish procedures for handling data subject requests promptly and transparently and to establish organisational processes to respond to data subject inquiries and complaints in a timely manner.
- Appointment of an Information Officer:
An Information Officer is responsible for ensuring that the organisation is and remains compliant with POPIA. In the absence of an express appointment, the head of the school, being the principal, automatically holds the role of Information Officer. The Information Officer must be registered with the Information Regulator before taking up the duties of the role, and may designate deputy information officers to assist.
- Conduct personal information impact assessments:
A personal information impact assessment helps the school identify its processing activities, both school-wide and at departmental level; the categories of personal information being processed; where that personal information is stored; the purpose for which it is processed; and any transfers of personal information to third parties or beyond the borders of South Africa.
- Data subject access request policy:
Develop and implement internal measures and adequate systems for processing requests from parents or other interested parties to access the personal information the school holds about them or their children.
- Data retention policy:
Develop a data retention policy that governs the retention, destruction, and deletion of personal information. Under POPIA, schools may not keep personal information indefinitely and may retain it only for as long as is required to fulfil the purpose for which it was collected, unless a longer retention period is required by law or by a regulatory body.
- Review agreements with operators:
Schools must conclude written agreements with their operators, i.e. third parties (such as school management system providers or payroll bureaus) that process personal information on the school's behalf. Section 21 of POPIA requires these agreements to oblige the operator to establish and maintain appropriate security measures and to notify the school immediately where there are reasonable grounds to believe the personal information has been accessed or acquired by an unauthorised person.
- Implement a formal policy dealing with online bullying:
This policy should address, inter alia: (i) what qualifies as online bullying and how to recognise it; (ii) the steps students may take when they are victims of online bullying; and (iii) the process the school will follow where a student is found to be a perpetrator or victim of online bullying, for example, a discussion with the parents.
- Educating children:
Schools should develop an internal programme to educate school pupils on their rights in respect of data, the sharing of data, and the risks with respect to online activities, sharing of photographs, messaging platforms such as WhatsApp, social media, screen addiction, and online bullying.
Don'ts:
- Don't share children's personal information without explicit consent:
Schools should not disclose any personal information relating to minor students without obtaining parental or guardian consent. Schools must exercise caution when sharing such personal information with third parties, such as service providers or educational partners, and must ensure that such third parties adhere to the same level of data protection standards. If personal information will be shared with third parties, the purpose for such disclosure and ideally the details of the third party to whom such personal information will be disclosed should be brought to the attention of parents or legal guardians at the time of obtaining consent for the processing of such personal information.
- Don't retain personal information longer than necessary (or for indefinite periods):
Schools are not permitted to retain personal information for longer than is necessary in light of the purpose for which it was collected. Once the personal information is no longer needed, it must be securely deleted or destroyed, or alternatively de-identified (anonymised) so that it can no longer be linked to the data subject(s).
- Don't use personal information for any purpose other than the purpose specified and communicated to parents or legal guardians:
Schools should not use personal information collected for a specific purpose for any other, unrelated purpose without first obtaining consent for that further processing.
- Don't neglect data security measures:
Schools must ensure that appropriate security measures are in place to protect personal information from unauthorised access, disclosure, alteration, or destruction. This includes implementing access controls, strong password policies, data encryption, and regular security audits.
- Don't transfer personal information outside of South Africa without adequate protection:
Schools should not transfer personal information outside of South Africa unless the recipient is bound by law, binding corporate rules, or an agreement providing an adequate level of protection, or the data subject has consented to the transfer. Where personal information relating to children is to be transferred to a recipient in a foreign country that does not provide adequate protection, prior authorisation from the Information Regulator is required.
- Don't neglect data subject rights:
Schools must respect the rights of data subjects, including the right to access their personal information and the right to the correction or deletion of personal information.
- Don't neglect staff training on data protection:
Schools should provide regular training to staff members on data protection principles, including their responsibilities under POPIA and how to handle personal information securely.
- Don't neglect data breaches:
Schools must have procedures in place to detect, investigate, and report data breaches and to notify the Information Regulator and affected data subjects as soon as reasonably possible after discovering the breach. Data breaches take many forms, ranging from a large-scale breach in which an external attacker gains access to the school's database to a smaller incident in which, for example, an email containing a student's report card is sent to the wrong parent.
- Don't collect excessive personal information:
POPIA requires that personal information processed be adequate, relevant, and not excessive in relation to the purpose for which it is processed. Schools should collect only the personal information necessary for their purposes and avoid collecting excessive or irrelevant personal information.
- Don't neglect ongoing compliance and monitoring:
POPIA compliance is an ongoing process that requires regular monitoring, evaluation, and adjustment. Schools should conduct periodic personal information impact assessments to ensure that their processing activities are properly recorded and aligned with the requirements of POPIA. Schools should also stay informed of changes to the data privacy and data protection regulatory landscape and adapt their practices accordingly.
Non-compliance with POPIA
It is important to note that any person may lodge a complaint with the Information Regulator, which may then attempt to secure a settlement, initiate an investigation, and issue an enforcement notice. A school's failure to comply with an enforcement notice is an offence that may result in imprisonment, a fine, or both. Depending on the nature and severity of the non-compliance, a term of imprisonment may range from 12 months to 10 years, and an administrative fine of up to ZAR10 million may be imposed. It is also worth noting that a data subject, or the Information Regulator at the data subject's request, may institute civil proceedings against a responsible party, in this case a school, for damages. The amount awarded is determined by the court and may include: (i) damages for patrimonial and non-patrimonial loss; (ii) aggravated damages; (iii) interest; and (iv) legal costs.
As schools process personal information relating to children, it is important that they remain aware of their obligations under POPIA and take practical steps to prevent non-compliance. The do's and don'ts highlighted in this article form a practical checklist for guiding schools towards overall compliance with POPIA. As it is still early in the school year, there is no better time for schools to implement a comprehensive POPIA compliance programme. ENS' Technology, Media, and Telecommunications team can assist schools in their POPIA compliance journey. Our TMT team also offers practical training to school pupils on data privacy and the risks of online activities, including social media, messaging, and online bullying.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.