Today, I received the final decision from the National Data Protection Commission (CNPD) regarding my complaint against European School Luxembourg 2, pertaining to the illegal collection of personal data at the beginning of the school year. This decision has significant implications not just for the individuals involved, but for data protection practices within educational institutions like the European School. Personal data, including that of minors, requires stringent adherence to legal frameworks to ensure privacy and security.
I previously detailed my concerns in this article Did Leene Soekov and Per Frithiofson break the law?. My initial complaint was directed towards the deputy director for secondary education, Leene Soekov, highlighting what I believed were serious breaches of data protection law. Despite my efforts to address this issue directly with her, my concerns were disregarded, prompting me to escalate the matter to the CNPD for formal investigation. It’s vital that educational leaders understand their responsibilities under the law and the potential impact of their actions on students’ rights.
It is crucial for all stakeholders at the European School to recognise the importance of compliance with data protection regulations.
In her response to my concerns regarding questionable data collection practices, Leene Soekov stated: “Please be informed that as of the start of last week, following a meeting of the school management with Luxembourgish authorities concerning a safe and secure start to the school year, we have been closely collaborating with the Ministry of Health. Our goal has been to establish clear guidelines and subsequently inform staff about the proper protocols necessary to ensure the safety and security of our pupils. Furthermore, the Board of Governors of the European School convened on 31 August, making crucial decisions that, in accordance with my duties and responsibilities, are to be implemented within our safety instructions.”
“I am acutely aware of my legal obligations and strive diligently to maintain a safe and secure environment for all students and staff at the secondary school level.”
“I am fully abreast of all demands, requirements, and instructions and take great pride in fulfilling this role.”
The European School must ensure that all staff are trained adequately in data protection practices.
The findings from the CNPD regarding the European School highlight the need for stricter governance and compliance.
All members of the European School community must uphold the highest standards of data protection.
It seems that Leene Soekov may not be entirely cognisant of her legal obligations in this situation. Her comments could be interpreted as either condoning or even taking pride in actions that contravene established data protection laws, underscoring the importance of proper training for school administrators regarding their responsibilities under the GDPR.
CNPD confirmed that European School Luxembourg 2 illegally collected documents containing personal data of students and parents/guardians (the signed “Covid-19 rules – Pupil’s contract).
This confirmation from the CNPD raises serious questions about the governance and compliance practices at European School Luxembourg 2, necessitating a thorough review of their data handling procedures and protocols.
In light of the CNPD’s findings, Leene Soekov and Per Frithiofson have acknowledged their oversight. However, this admission should not absolve them of their responsibility to uphold the highest standards of data protection and privacy for all students.
The European School must communicate effectively with all parents about data protection measures.
As the European School moves forward, prioritising data privacy will be paramount.
All actions taken by the European School should reflect a commitment to data protection principles.
Educational institutions, such as the European School, must remain vigilant in safeguarding student data.
It is vital that the European School fosters a culture of compliance and accountability.
The school informed CNPD that they destroyed all the documents related to this data collection.
UPDATE: 04.02.2021
In response to requests for evidence confirming the illegal actions of the school, I am providing a redacted version of the decision received from the CNPD. All personal data has been removed to protect the identities of those involved. It would be expected that the school administration, particularly Leene Soekov, who initiated this unlawful data collection, inform all affected parents and pupils about the deletion. Given that the demand for signing the document was sent to all secondary parents and pupils, the same transparency should now apply to the actions taken in response to this data breach.
This situation serves as a profound reminder of the critical importance of data protection laws and the need for educational institutions to foster a culture of compliance and accountability. Failure to adhere to these standards not only undermines public trust but can also result in severe legal repercussions.
Furthermore, as we delve deeper into the implications of this incident, it is important to reflect on the broader context of data protection in educational settings. Schools hold vast amounts of sensitive information about their students, including academic records, personal contact details, and health information. The GDPR was enacted not merely as a set of laws but as a framework to protect individuals’ rights in relation to their personal data. Its principles are intended to guide institutions on how to manage data responsibly and ethically.
Educational leaders must prioritise training and awareness around data governance to ensure that all staff understand their obligations under the law. This should include regular workshops, updates on legislative changes, and clear communication channels for reporting concerns regarding data misuse.
Moreover, the involvement of parents and guardians in discussions about data protection policies can strengthen the school’s commitment to transparency and accountability. Open forums or information sessions can provide an opportunity for parents to voice their concerns while also engaging them in the decision-making processes that affect their children’s data.
As we continue to navigate the challenges posed by digital transformation in education, we must remain vigilant about protecting the privacy and rights of our students. This incident serves as an important case study, highlighting the need for robust data protection practices and a proactive approach to compliance.