Guide

Processing Personal Data in Primary School

Susanna Lindroos-Hovinheimo, Professor of Law, University of Helsinki
Eveliina Ignatius, Doctoral Researcher in Law, University of Helsinki

This guide is a brief overview of the processing of personal data of primary school pupils in situations where teaching makes use of applications or technologies provided by external parties. It is aimed at primary education professionals — above all, teaching staff. The legislative review focuses on the EU General Data Protection Regulation. The guide is a general overview, not an exhaustive legal analysis.

Introduction

The use of various applications in primary education may be necessary for many reasons — media literacy, communication skills, digital skills education, and digital examinations are examples of justified uses. A digitalising primary school brings data protection issues to the forefront.

Children's personal data occupies a special position in data protection law. Its processing requires particular care — including in primary education. For data protection obligations to be met, it is important that teaching staff have up-to-date knowledge of data protection rules.

Every child has the right to privacy and the protection of their personal data. Other fundamental and human rights must also be taken into account: equality, non-discrimination, and the right to free primary education. For children's personal data, the best interests of the child must also be ensured in accordance with the UN Convention on the Rights of the Child.

The guidance in this guide applies to all personal data processing regardless of the technology used. AI applications are also subject to data protection rules. The EU AI Act is being prepared but will not, as a general rule, change the rules on personal data processing.

1. Processing Children's Personal Data in Primary Education

Children's personal data occupies a special position in data protection law and requires particular protection. The processing of personal data is part of everyday primary education.

Personal data means, in principle, any information relating to an identified or identifiable natural person — this person is referred to as the data subject. The concept is broad: an audio recording, a photograph, or an identifiable physical characteristic are all personal data.

Special categories of personal data enjoy stricter protection. These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic, biometric, or health data.

The controller is the party that decides on and is responsible for the processing of personal data. Controllership cannot be agreed upon — actual control is decisive. In primary education, the controller is the municipal body responsible for organising primary education — usually the board or equivalent body responsible for educational affairs. It bears responsibility for all data protection obligations and is responsible for ensuring that teachers and other staff receive comprehensive guidance on the requirements of data protection law.

1.1 The Controller Is Responsible for Upholding Data Protection Principles

Responsibility for upholding data protection principles lies with the controller. The principles are binding, and the controller must be able to demonstrate compliance.

The data protection principles are:

  • Lawfulness, fairness and transparency — processing must have a legal basis and be carried out openly
  • Purpose limitation — data is collected only for a specific, pre-defined purpose
  • Data minimisation — only necessary data is collected
  • Accuracy — data must be kept up to date and accurate
  • Storage limitation — data is retained only for as long as necessary

The processing of personal data must have a lawful basis. Without one, processing is prohibited. The basis must be determined before processing begins and cannot change mid-process.

In primary education, the main basis is compliance with a statutory obligation: under Section 4 of the Basic Education Act (628/1998), the municipality is obliged to provide primary education for pupils of compulsory school age residing in its area. This obligation is elaborated in the objectives of Section 2 and in the national core curriculum issued pursuant to Section 14.

The lawful bases for processing under the GDPR are:

  1. Consent of the data subject
  2. Contract
  3. Statutory obligation of the controller
  4. Protection of vital interests
  5. Task carried out in the public interest or exercise of official authority
  6. Legitimate interests of the controller or a third party

The choice of legal basis affects the rights of the data subject. The choice is always made on a case-by-case basis before processing begins.

Note on statutory obligation: The obligation to provide primary education does not give the controller a free hand to decide what data is collected or in what environment. In light of current case law, statutory obligation may not be a suitable basis for third-party applications. The burden of proof for the existence of a legal basis always rests with the controller.

Consent of the data subject is one of the lawful bases under the GDPR. It must be specific, informed, genuinely voluntary, and an unambiguous indication of wishes. In the public sector, the use of consent is problematic: the power imbalance between the authority and the citizen affects the genuine voluntariness of consent. The use of a child's consent raises additional specific questions.

Using a child's consent as the legal basis requires very careful prior assessment and informing the child in a manner they can genuinely understand.

Important distinction — consents are not the same thing:

  • Consent serving as a legal basis under the GDPR
  • Consent to participate in research or a pilot programme
  • Ethical consent
  • Consent to the use of technology

These must not be confused. In some situations, both GDPR consent and a separate participation permission are required — they serve different purposes. Not just any consent qualifies as a legal basis under the GDPR.

2. Third-Party Applications in Teaching

Various applications are present in children's leisure time and increasingly in education. The use of applications and digital skills fall within the scope of media education under the curriculum. Technology can increase the accessibility of teaching materials and prepare children for digital environments. At the same time, personal data questions arise that cannot be ignored.

All third-party applications used in teaching that process children's personal data remain the responsibility of the organiser of primary education acting as controller.

In the best case, the organiser of primary education centrally manages all applications and devices used in teaching. This enables the controller to fulfil its obligations — including conducting a data protection impact assessment under the GDPR before introducing applications.

Controller's responsibility: A data protection impact assessment is always the controller's responsibility — it cannot be carried out at the level of individual teachers on a classroom-by-classroom basis. The assessment maps risks to data protection and information security in advance.

The statutory obligation of the organiser of primary education to provide teaching does not automatically mean that all technology used in teaching is permitted on that basis. In light of current case law, statutory obligation may not be a suitable legal basis for third-party electronic teaching programmes or applications.

When considering the introduction of applications, the organiser of primary education must always determine: what is the lawful basis it can rely on?

2.2 Careful Provision of Information

The information obligations under the GDPR protect the rights of the data subject. Clear and timely information enables the data subject to exercise their rights. Pupils must be provided with information about the processing of their personal data in child-friendly language — including in connection with applications.

The special position of children under the GDPR requires that the vocabulary, tone, and style of information be adapted to the child's age level. Note that:

  • Children must be provided with information even when the consent to process their personal data is given by a guardian.
  • The special needs of other target groups must be taken into account — for example, information provided to persons with disabilities must ensure the accessibility of information.

3. Practical Examples

3.1 The City of Espoo Google Workspace Case

Case Study: Google Suite for Education, Espoo (2018–2022)

In 2018, a matter was brought before the Office of the Data Protection Ombudsman in which a person expressed concern about the use of Google Suite for Education in a school in the City of Espoo. The controller (the City of Espoo) considered that the legal basis applied was a statutory obligation — that the processing of personal data necessary to organise primary education also covers the programme in question.

Decision of the Data Protection Ombudsman (2021): The use of the teaching programme was not in conformity with the GDPR. The statutory obligation to provide teaching is indeed the main legal basis — but it does not require the use of a particular electronic teaching programme. The specific risk factors noted were: the programme's use might involve data belonging to special categories of personal data, the controller's monitoring capabilities were limited, and the programme was used outside school as well, from the pupil's own devices.

Decision of the Administrative Court: Notwithstanding the City of Espoo's appeal, the Administrative Court confirmed that the use of the programme could not be justified directly on the basis of the statutory primary education obligation. The special need for protection of children's personal data was emphasised in the ruling.

The case illustrates how important it is to assess the suitability of the legal basis carefully — especially for third-party applications. A standard data processing agreement is not sufficient as a safeguard when the data subjects are children and the controller's monitoring capabilities are limited.

3.2 Who Decides on the Use of an Application?

Current legislation leaves discretion in the choice of applications — neither the Basic Education Act nor the national core curriculum separately prescribes which applications are used in teaching. This does not mean, however, that responsibility does not exist.

Case Study: Regional State Administrative Agency of Eastern Finland (2022)

A class teacher used an application belonging to their own company in physical education without the consent of guardians. Pupils' data was stored in the company's database, and the teacher shared posts about the use of the application on their social media accounts.

Decision of the Regional State Administrative Agency[1]: Homes should have been informed about the use of the application and permission should have been sought from guardians. Responsibility for the fulfilment of pupils' rights — and for the appropriateness of the applications used — lies with the organiser of education.

Note: the Regional State Administrative Agency does not supervise compliance with the GDPR, but the matters raised in the decision are also relevant from the perspective of the GDPR.

The decision emphasises that the controller's responsibility extends from the very choice of application and the conclusion of cooperation agreements.

Summary

The use of applications, social media, and other technologies often involves the processing of personal data — in such cases, data protection rules must be complied with. The most important thing is to assess in advance what impact each technology has on the protection of personal data.

  • Children's personal data requires special protection.
  • The use of applications often involves the processing of personal data — data protection law must be taken into account.
  • Compliance with data protection law is the controller's responsibility. The controller is also responsible for providing guidance to teachers and other staff.
  • Careful advance planning of the use of applications and technology is of primary importance — it enables requirements to be taken into account from the outset.

References

[1] Regional State Administrative Agency, decision summaries. Regional State Administrative Agency of Eastern Finland 2022.
