Data Privacy Concerns for Schools – Are you keeping sensitive data safe?

INTRODUCTION

Schools collect various types of data from students, teachers, parents, administrators, and other educational stakeholders to inform their decision-making. This data includes:

a) Demographic information: This covers a student’s background details, e.g. a student’s name, address, age, gender, race, ethnicity, health information, socio-economic status, and family background.

b) Academic performance data: This refers to assessments that demonstrate a student’s academic achievement and progress across different skills and subjects, e.g. grades, test scores, attendance rates, course completion rates and graduation rates.

c) Behavioural records: This includes information that documents a student’s behaviour in and out of the classroom, e.g. disciplinary incidents, suspensions, and expulsions.

d) Engagement indicators: This measures a student’s interest in their learning, e.g. class participation, homework completion, and extracurricular involvement.

Schools may be considered data controllers since they determine the purposes and means of processing personal data of students. However, children often lack the knowledge and capacity to fully understand how their data is collected, used, or shared.

Consequently, schools have a legal obligation to protect children’s personal data from the privacy risks of data misuse, unauthorized access, loss, or theft in the digital world. Failure to comply with data protection laws may attract penalties from the Office of the Data Protection Commissioner, as demonstrated by Roma School, which was fined Kshs. 4,550,000/- on 26th September 2023 for posting the images of minors without obtaining prior parental consent.  

In light of the above, this article explores the legal framework governing data protection, examines the challenges schools face in protecting student data, and outlines best practices for these schools to effectively protect children’s data.

LEGAL FRAMEWORK FOR DATA PROTECTION

i) Constitution of Kenya, 2010

Article 31 of the Constitution recognizes that every person has the right to privacy, which includes the right not to have –

a) their person, home or property searched;

b) their possessions seized;

c) information relating to their family or private affairs unnecessarily required or revealed; or

d) the privacy of their communications infringed.

Article 53 of the Constitution further provides for the principle of the best interest of the child, which requires that in all actions involving children, including the processing of their data, their well-being and best interests must be given top priority. Children warrant special data privacy protection due to their inherent vulnerability and maturity levels, which may prevent them from fully understanding the implications of their personal data being collected and used.  

ii) Data Protection Act, No. 4 of 2019

The Data Protection Act, No. 4 of 2019, gives effect to Article 31(c) and (d) of the Constitution by establishing specific guidelines for the processing of personal data. Section 25 of the Data Protection Act lays out the principles of data protection as:

a) Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and transparently, including obtaining proper consent and providing clear information about how data will be used.

b) Purpose limitation: Data must be collected and processed for a specified, explicit and legitimate purpose.

c) Data minimisation: Personal data should be relevant and limited to what is necessary in relation to the purposes for which it is processed.

d) Accuracy: Personal data must be accurate and kept up-to-date. Inaccurate data should be corrected or erased without delay.

e) Storage limitation: Personal data should be kept for no longer than is necessary for the purpose for which it is processed.

f) Integrity and confidentiality: Personal data must be processed in a manner that ensures its security, confidentiality and integrity, protecting it against unauthorized access, loss or damage.

g) Accountability: The data controller is responsible for ensuring compliance with these principles and ensuring that there are appropriate measures in place to achieve compliance.

Section 28 of the Data Protection Act provides that personal data may be collected directly or indirectly from the data subject. However, this data cannot be processed unless the data subject gives their consent or the processing is justified under one of the eight grounds highlighted by Section 30 of the Data Protection Act.

Although the Data Protection Act does not explicitly define the age of data protection consent, it makes reference to a “child” which is constitutionally defined as an individual who has not attained the age of eighteen (18) years.

Section 33 of the Data Protection Act provides detailed requirements for processing personal data of children:

a) There must be explicit consent from the child’s parent or guardian; and

b) The processing must be done in a manner that protects and advances the child’s rights and best interests.

Therefore, it may be presumed that students below the age of 18 years are considered incapable of giving consent and require parental consent for their data to be processed in Kenya.

However, in cases where a data controller or processor exclusively provides counselling or child protection services, the data controller or processor is not required to obtain parental consent. This exemption is justified because counselling and child protection services are crucial for a child’s wellbeing; therefore, they should be accessible without unnecessary obstacles to ensure that children receive vital support when needed.

iii) General Data Protection Regulation, 2016

The European Union (EU)’s General Data Protection Regulation (GDPR) applies to Kenyan organizations that process the personal data of EU residents, including children. In the context of education, for example, this may arise in instances where Kenyan schools collect and process personal data of children from EU countries to offer them admission.

The GDPR provides specific safeguards for the processing of children’s data that slightly differ from Kenya’s Data Protection Act. Recital 38 provides that:

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”

Article 8 of the GDPR sets out the conditions applicable to a child’s consent in relation to information society services. Generally, children must be at least sixteen (16) years old to give valid consent, but Member States can lower this age to a minimum of thirteen (13) years through their national laws.

For children under the age of consent, the processing of their personal data is only lawful if their parent or guardian provides consent or authorization. Data controllers must make reasonable efforts to verify such parental or guardian consent using the available technology.

CHALLENGES IN PROTECTING STUDENT DATA

Despite existing legal safeguards designed to protect children’s privacy, schools face significant challenges in protecting children’s data:

i) Inadequate data encryption: Many schools do not encrypt student data stored on servers, desktops or mobile devices or data being transmitted over networks. This may make the data vulnerable to unauthorized access, breaches, data theft, and malicious attacks if intercepted.

ii) Weak access controls: Schools often lack strong access controls, such as role-based access control (RBAC) or multi-factor authentication (MFA). Inadequate access controls may facilitate unauthorized access by malicious actors, allowing them to manipulate or misuse student data.

iii) Lack of regular security audits, gap analysis, or Data Protection Impact Assessments (DPIA): Many schools do not conduct regular audits, gap analysis or DPIAs to detect weaknesses in security systems or processes such as outdated software, weak passwords, insufficient encryption protocols or incomplete processes. This may lead to delayed responses which may exacerbate the impact of a data breach.

iv) Lack of training and awareness: There is a general lack of understanding among students, parents, teachers and other educational stakeholders about the extent of data collection and its potential implications. In addition, many schools do not provide adequate training for staff on data protection policies, practices, and procedures, which can increase the likelihood of human errors that could compromise security.

v) Lack of student data policies: Several schools do not have adequate policies on student data privacy, which are crucial for establishing clear guidelines on how student data is collected, stored, shared and protected. Without these policies, staff members may not understand their roles and responsibilities in protecting student data, leading to inconsistent practices.

vi) Limited resources: Schools may lack the necessary resources (such as funding and expertise) to implement robust data protection measures.

BEST PRACTICES TO OVERCOME CHALLENGES IN PROTECTING STUDENT DATA

Given that schools have a special legal obligation to protect children’s personal data from misuse, they may overcome these challenges by adopting the following best practices:

i) Establishment of clear data protection policies: Schools should establish comprehensive data protection policies that outline how student data is collected, stored, used, and shared. These policies should be clearly communicated to all educational stakeholders, including teachers, students and parents.

ii) Regular audits, gap analysis and DPIAs: By conducting regular data audits, gap analysis and data protection impact assessments, schools can maintain a proactive compliance process, gain early warning of any breach or potential breach of privacy, and properly safeguard their students.

iii) Implementation of robust data encryption: All student data should be encrypted, whether it is being stored or transmitted across networks. Encryption uses cryptography to convert data into an unreadable format, which protects sensitive information from unauthorized access. Schools can, thereafter, implement strong access controls (such as RBAC or MFA) to ensure that only authorised individuals can use the decryption key to access the original data.

iv) Collaboration with IT teams: Schools may strengthen student data privacy by working with IT teams to deploy firewalls and continuously monitor networks for potential breaches.

v) Training and sensitization: It is important for schools to regularly train students, teachers, parents and other educational stakeholders on data protection policies, risks, and practices to foster an environment of cybersecurity awareness. Sensitization efforts may include creating strong passwords, recognizing phishing attempts, and emphasizing the importance of digital identities.

vi) Establishment of child-friendly reporting mechanisms: Schools should create accessible child-friendly channels for students to report data privacy concerns or breaches, e.g. anonymous reporting tools or designated contact points. Such mechanisms would empower students to actively participate in protecting their own privacy.
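The access controls recommended in item iii) can be expressed as a deny-by-default check over the four data categories listed in the introduction. The sketch below is an added example, not code from this article or from any school system; the role names, the role-to-category policy, the choice of which categories require MFA, and the sample record are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Data categories from the article's introduction; field names are illustrative.
CATEGORIES = {
    "demographic": {"name", "address", "health_information"},
    "academic": {"grades", "attendance"},
    "behavioural": {"disciplinary_incidents"},
    "engagement": {"class_participation"},
}
# Assumed role-to-category policy (hypothetical; each school defines its own).
ROLE_POLICY = {
    "class_teacher": {"academic", "engagement"},
    "school_nurse": {"demographic"},
    "head_teacher": {"demographic", "academic", "behavioural", "engagement"},
}
# Assumption: categories that are released only after a completed MFA step.
MFA_REQUIRED = {"demographic", "behavioural"}

@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool

def category_of(field):
    for cat, fields in CATEGORIES.items():
        if field in fields:
            return cat
    return None  # unclassified fields are never released

def read_record(session, record, audit):
    """Return only the fields this session may see; log every decision."""
    allowed = ROLE_POLICY.get(session.role, set())  # unknown role gets nothing
    view = {}
    for field, value in record.items():
        cat = category_of(field)
        ok = cat in allowed and (cat not in MFA_REQUIRED or session.mfa_verified)
        audit.append((session.user, field, "allow" if ok else "deny"))
        if ok:
            view[field] = value
    return view

# Constructed sample record, including one field nobody has classified yet.
SAMPLE = {"name": "Student A", "health_information": "asthma", "grades": "B+",
          "attendance": "96%", "disciplinary_incidents": 0,
          "class_participation": "high", "locker_code": "0000"}
```

The audit list gives the regular audits in item ii) something concrete to review: every denied read is recorded alongside the allowed ones.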

CONCLUSION

Given that schools are entrusted with sensitive information, they are responsible for protecting student data privacy. As technology becomes more integrated into education, the risk of data breaches and misuse grows if schools are not adequately prepared to address the threats. Consequently, it is critical for schools to make reasonable efforts towards creating a safe environment for students to learn and grow without the danger of their personal information being compromised.

Here at Kioi and Co. Advocates, we are committed to providing legal services to enable institutions to stay fully compliant with data protection laws. If you are interested in transforming your school’s approach to data protection and creating a safer, more secure learning environment, feel free to reach us on info@kioi.co.ke.

For more on our services regarding Data Protection and Privacy you can email us on info@kioi.co.ke or call on 0714449123

 
