The Malta Independent 26 February 2024, Monday
View E-Paper

School data: revamped law provides for pseudonymous data, parental consent

Therese Bonnici Sunday, 11 January 2015, 11:00 Last update: about 10 years ago

Authorities cannot request data on students under 16 years of age

The government has completely re-drafted its contentious means of gathering information on students, which had sparked widespread controversy when they were first announced.

Amendments to the data protection act made this week have made it illegal for educational authorities to request any data pertaining to students younger than 16, and any sensitive personal data shall only be requested from schools with the explicit consent of a parent or legal guardian. The alterations to the act, specifically to the processing of personal data regulations within the education sector, ensure more protection of students' data following the upheaval caused on Legal Notice 76, proposed by the government early in 2014.  The notice empowered education ministry officials, including the minister, to request private data pertaining to children attending educational institutions, from childcare to university level. The decision was later revoked. The remits of education authorities, as well as institutions, are laid down as follows.

Education authorities

Educational authorities, meaning the directorates as well as the National Commission for Further and Higher Education, are authorised to process personal data related to students, parents or legal guardians, to carry out functions provided under the Education Act.

Any sensitive, personal data shall only be requested with the explicit consent of the parent or legal guardian. In addition, no results associated with identifiable students may be passed on. Any personal identifiable date will be rendered anonymous, deleted or destroyed after the reconciliation exercise is conducted. In implementing policies assisting students who do not achieve the required levels for further education, it is the school which will forward any communication from the directorate.

Authorities are only allowed to request identifiable date to take necessary measures in the interest of the students in the implementation of initiatives, and only data of students over compulsory age may be requested.

If the processing of personal data is required for research and statistics, all identifiable data should be rendered anonymous, unless it is proven that the identification of the data subject is required to fulfil the purposes of the research. If this is the case, personal identification data will be limited through pseudonymous data, meaning that any identifiable fields are replaced by artificial data and will only be traceable where specifically required.


Educational institutions

Educational institutions, meaning any licensed school, is authorised to process personal data in relation to students for the daily operations and efficient running of the institution. Data may also be processed for academic process monitoring - including examination and assessment results. Students' medical data may also be processed by the school, given that it is in the best interest of the student and that they are held in separate, distinctive files and in a secure manner. They may be transferred to another educational institution if the student is transferred, following consent by the student, parent or legal guardian. The same procedures apply for student welfare data. 

Schools are allowed to keep records of their students for historic purposes, however this does not include sensitive data, including medical or welfare records. Any transfer of student data to third parties can be done following consent. Third parties include other educational institutions, health authorities, the police, social workers, the court and the Employment and Training Corporation.


Legal Notice 76 background

In 2014, a proposal by government which would have allowed the Education Minister to request data on students caused uproar in the public sphere, resulting in a change from its original version.  The original Legal Notice, published in the government gazette, would have made it legal for the education ministry to request data related to children of all ages attending educational intuitions.

A number of groups expressed reservations about the original proposal, while the Opposition described it as "a threat to student dignity and privacy."  Nationalist Party MPs argued that the Legal Notice might be in breach of EU directives, Malta's own Data Protection act and a 2004 Legal Notice. They argued that the Legal Notice would give the Minister of Education absolute power, without any safeguards to protect private data. On these grounds, the proposed Legal Notice was challenged in Parliament in April. On his part, Minister Evarist Bartolo argued that the Legal Notice was issued to collect data of students who required assistance in furthering their education.

In May, the Data Protection Commissioner, Savior Cachia, confirmed that a working group was set up to examine the safeguards needed when handling students' personal data.  In August, it was reported that the government is set to publish a new Legal Notice to supersede the one issued in March. 



  • don't miss