Opinion request about some data processing in educational establishment

Hello fellow colleagues,

I’m currently advising belgian schools on GDPR matters, and i’m actually confronted with a small set of minor, but still questionnable situations :

  1. Some of these schools have kept and displayed physical pictures of groups of their past students on every corridors and walls since a century. These pictured are organized by year and classes. They don’t have consent of these people, old and news, and are wondering if this displaying is GDPR compliant. I actually advised them that they can argue their legitimate interest and public interest (school memory, motivation of students with regard to their school heritage,…) ; but I’m not a 100% sure of that, as we can’t inform every person of the use of their image. I must precise that these school are not exactly public school, but subsidized schools (in regard of the public interest).
  2. Some of these schools are keeping archives of students and teachers longer than what legal dispositions states, without public autorization and for the purposes of “School memory”, “archiving purposes of historical research (but without sufficient means of security)” and “in case of an ancient teacher or student need a document for their retirement or certification”. Once more, I advised to make use of their legitimate interest and public interest (and consent or contracts for the news ones).

What are your thoughts on these matters ? Can these schools pursue these data process on these legal basis ? Should we take others actions ? Should we remove/destroy these data ? For additionnal information, GDPR is basically the main and only source of general data privacy laws in Belgium.

Thanks by advance for your insights. :slight_smile:

Welcome!


The first question to ask regarding question nr. 1 is whether GDPR applies. In other words, is the display of physical pictures of groups (classes?) of school’s past students on corridors and walls covered by the material scope of the GDPR?

GDPR applies by virtue of its material scope (Art. 2 GDPR) where processing of personal data is taking place fully or partly by automated means, or when the processing is part of a filing system (or is intended to be).


The physical pictures displayed on the corridors and walls are not processed by automated means, so it boils down to the following question: Is it part of a filing system?

The definition of a filing system is defined in Art. 4(6) GDPR:

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

Meaning that any structured set of personal data which is accessible according to specific criteria is a filing system, and thus subject to the GDPR. The question then arises as to whether the pictures displayed on the corridors and walls are structured & personal data.

Photos of groups of past students obviously fit in the definition of personal data (Art. 4(1) GDPR). They are likely either identified or identifiable, if only even because some schools keep records longer than needed.

The question which then needs to be asked is whether the personal data (pictures of groups of students) are displayed in a structured manner. In the judgement of Case C‑25/17 the CJEU addressed this and considered as follows:

    1. […] the content of a filing system must be structured in order to allow easy access to personal data. Furthermore, although Article 2(c) of that directive does not set out the criteria according to which that filing system must be structured, it is clear from those recitals that those criteria must be ‘relat[ed] to individuals’. Therefore, it appears that the requirement that the set of personal data must be ‘structured according to specific criteria’ is simply intended to enable personal data to be easily retrieved.
    1. Apart from that requirement, Article 2(c) of Directive 95/46 does not lay down the practical means by which a filing system is be structured or the form in which it is to be presented. In particular, it does not follow from that provision, or from any other provision of that directive, that the personal data at issue must be contained in data sheets or specific lists or in another search method, in order to establish the existence of a filing system within the meaning of that directive.
    1. Therefore, the answer to Question 2 is that Article 2(c) of Directive 95/46 must be interpreted as meaning that the concept of a ‘filing system’, referred to by that provision, covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.

In summary, the form and criteria of the data collected is irrelevant and the retrievability of the information is the important factor.

You have mentioned elsewhere that pictures are systematically displayed by year and class, and that one of the schools are displaying the names as well, while the others one only show the year and the picture.

Taking that into account, in my opinion, the displaying of those pictures meets all criteria for being a filing system. Pictures of groups (classes?) of students are systematically displayed and ordered by year and class, the information (personal data) is easily retrievable, an individual can search by year and class and subsequently access information related to individuals easily. No one would have difficulty finding individuals in the picture: e.g. John Doe graduated in 2010 from the School, he can then both be found by year, and be found even faster by year. Additionally the displaying of names makes it even easier to retrieve personal data of individuals.

The pictures on the wall are thus subject to GDPR and the principles laid out in Article 5 GDPR should be applied, such as but not limited to, basing the processing (display) of those pictures on a lawful ground.


Regarding the lawfulness of processing (displaying) these pictures and legitimate and public interest.

Public interest requires that it is necessary for some public interest. That interest must be set out in EU or national law. It is obvious to me that there is no public interest in displaying those pictures.

There may be a legitimate interest in displaying those pictures, ideally the way to go about this is informing students in advance (from now on) that if they are on the class picture of this year their picture will be hung on the wall, allowing them the opportunity to opt-out by not going on the picture.

The legitimate interest would be something like what you mentioned, I would recommend that you do a balancing test of your interest and the interest of the students and put everything on paper.


Regarding your second question ‘keeping archives of students and teachers longer than legal retention periods.’

This is absolutely a no-go. You as a controller should define retention periods for keeping student and teacher records, such retention periods should already be set-out in your records of processing activities, keeping records after that is absolutely, without a doubt, illegal.

There may of course be legitimate reasons to keep records longer than the legal obligation to keep certain records, such as your own legitimate interest. But before records are retained there should be an actual legitimate interest, on paper, with a proper balancing test addressing all aspects of the LI.

Keeping records for something like ‘school memory’ or ‘archiving purposes for historical research’ is a big red flag and not in compliance with Data Protection legislation and principles. There’s no such thing as school memory, imagine companies keeping your data forever because of ‘company memory’ or ‘well, we would like to just know everything about you forever’, you get where I am going with here.

Keeping records of historical research may be legitimate provided that you for example anonymize (and actually anonymize) sets of data on which historical research can be preformed. Not keeping the exact records for ever just in case some researches want to look at it a hundred years from now, it probably won’t ever happen, and I doubt the school has done any such research yet as of to date.

Where I am you can request certificates such as your school diploma from the Government and the schools don’t keep such records after a certain period of time. If this is really a thing in Belgium I would just go off on consent and making it the choice of the student. When they leave school ask can we retain this information for 100 years in case you need it or not, if not or if consent is later withdrawn just delete the records. (and if consent is given, only keep records that are relevant for that purpose, not some teacher notes from 20 years ago…)

Very interesting question and as always I’m not disappointed by Hugo’s reply.
I would like to that add that, regardless of what legal ground is used for this, opt-out should definitely possible. If a former student no longer wishes their photo to be used for this purpose, then I personally think this is very important to listen to, even if you find ways to circumvent the need for consent. Then just use photo’s of other people (or stock photo’s ;p)

Thank you very much for that so well detailed answer, and your development seems right.

The only element I have to underline is about certificates and diploma request. I can say that Belgium is a… complicated country (we have 7 governments, 3 for the regions, 4 for the communities). Certificates, diploma, carreer informations are seriously centralized in our branch of government for only a decade now; and most of our citizens still rely on their former school for such documents. That’s the complicated thing. Our laws and public services are not up to date on data retention, and we must apply GDPR neverthless.

But still, your analysis is totally coherent, and we will have to balance the GDPR guidelines with our reality, as deleting some of these data could harm some of our citizens.

One funny thing is, concerning the group / classes pictures. If the school randomize the location of the pictures, it may fall out of the scope of the GDPR (maybe not totally, as we can still re-identify the people on the picture, but it can be an additionnal mean to implement).

You’re welcome! :smiley:

I think the best way to go about student records is keeping only the records that may be needed by former students at a later date. Keep certificates, grade lists, but don’t keep every teachers remark that was ever made in the student’s record.

Since certificates, diploma and career information are now centralized and kept by the government. I would from now on, ask consent for storing it when the student needs to access it at a later date. If consent isn’t given, pass the stuff you’re required to pass on (e.g. to the government) and delete everything you don’t need to keep.

You’re right. If you would totally randomize the location of the pictures it would by no means be structured and thus fall outside of the definition of ‘filing system’ and by extension outside of GDPR’s scope. Keep in mind that although outside of the scope of the GDPR, Art. 7 of the Charter still grants some protections and it isn’t totally unrestricted, albeit much less restricted.

FAQ | Privacy Policy |  ToS