European school Luxembourg 2 set up their email service on Google.com as Gmail for business services. This is deviation from standard practice in all other European institutions which are all using their own servers because of security and personal data protection.
Opening Gmail account is a standard practice in European school Luxembourg 2 and all the secondary pupils are getting one. When opening Gmail account pupils have to provide mobile numbers to confirm account. School does that without any permission from parents. Parents are even not informed their children have to give their personal information (like date of birth and mobile phone number). Second point is that when child has Google account he/she can access all the services Google is offering like Youtube, Google Play where they can watch and play everything without any restrictions. Since parents are responsible for our children until they are 18 years old this is very serious concern and school should have written permission from each and every parent.
Google Terms of Service states that opening account for children bellow age of 13 is not allowed: https://support.google.com/accounts/answer/1350409?hl=en. When they get this account they are able to access all the services Google is offering (Youtube, Google apps, Music, Hangouts etc.) This is highly questionable practice and school would definitely need parents permission before opening account since children are 11 years old when they enter Secondary.
Google Terms of Service http://www.google.com/intl/en/policies/terms/ says: When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. So all the information our children and other school employees are sending around is stored and monitor on servers in United stated.
Hosting email server outside of Institution is also against European Commission’s current internal IT rules that requires all the information to be stored on servers inside the Institutions.
European school Luxembourg 2 is also regularly checking children email communication (email spying) and they punish them if they find inappropriate words or content. Children are sending emails between each other so anybody who reads this kind of emails should have explicit written permission from the account owner. This is standard procedure for all European Institutions.
In my complain to EDPS -European Data Protection Supervisor I asked that European school Luxembourg 2 should immediately move all the infrastructure to a locally hosted Exchange server or use one of the European Commission’s servers. They should also inform all the parents about their action and delete all the data stored on Google servers. For second point about checking children’s email school should immediately stop monitoring account without account owner’s written permission and apologies for the current spying to all the effected children.
European school Luxembourg should only hope parents won’t pursue legal actions against them.
As of 01.09.2017 all users on European school Luxembourg 2 are using Microsoft Office 365 account. Although many pupils can’t access their accounts since “experts” in Brussels can’t prepare their accounts properly and first time password are not working.
On the other side it’s very reassuring that incidents like described above are not present any more. It is very positive that new school administration strictly follows all the required data protection regulation.