How does the move to online education affect the rights of teachers and students?

During this year 2020 we have been seeing how the SARS-CoV-2 (COVID-19) coronavirus crisis is becoming an event that is going to cause profound changes in all kinds of areas (at a global level).  For example, as far as consumption is concerned, the lockdown has led to an increase of more than 30% in e-commerce. A trend that has been joined by people over 60, who have seen the speed and ease of payment that online shopping provides. A sector of the population, therefore, that is going to change its consumption habits. Moreover, this expansion of e-commerce has created about 100,000 jobs in recent months. Although, of course, at the expense of weakening the traditional trade. Some local businesses must reinvent themselves for the future.


There is another very important area that has experienced a general transition (although forced), into the digital arena: education.

The coronavirus is affecting the education of more than 1.5 billion students worldwide. According to the latest figures from 31 March 2020, 185 countries have closed schools and universities throughout their territory, affecting 89.4% of the world’s student population, according to data from the United Nations Educational, Scientific and Cultural Organisation (UNESCO), which is constantly monitoring the impact of the coronavirus on education.

With the closure of schools, educational teams have had to adapt; moving teaching content to cloud platforms, where they can upload materials, give classes and evaluate students. However, this new situation does not mean that the use of these technologies can be unlimited, but rather that there are various limits in terms of privacy that must be respected.


In this sense, we must bear in mind that in virtual teaching a great deal of data processing is carried out, both on students and teachers. To safeguard the privacy of this data, when using e-learning environments (Canvas, Osiris, Zoom…) a series of computer tools are required that must have the appropriate security procedures. Therefore, the chosen provider, that is, the cloud computing company that helps the educational centre with the processing of the data, must commit, through a data processor contract (Article 28 GDPR), to provide sufficient guarantees for the protection of the information.

Issues such as privacy and security guarantees included in contracts that these service providers offer to their customers it appears a closed solution in which it is not possible to review or adjust these contracts to the peculiarities of the centre produce a feeling of insecurity and lack of transparency in their use. They also inform that they have adequate guarantees in case it is it is necessary to store the data collected on the servers that are located outside of the European Economic Area as these companies are members of the Agreement between the USA and the European Commission (Privacy Shield) or conclude contracts for the international transfer of data that incorporate the guarantees that were established by the European Commission and/or revised by the data protection authorities (see the article on the Impact of the Schrems II Decision on international data transfer, written by Daphne Stevens and published by SecJure on 9 October).

As it cannot be otherwise, the use of these applications finally impacts in students and, when minor’s data is in risk, their parents, as responsible for the way their sons and daughters use these tools and that lack of information can undermine the right to data protection for students.

Educational administrations and centres should establish policies of online teaching that determine the guarantees for preserving the privacy of all those interested, students and teachers, the selected tools, as well as the obligations of the users of these in their different roles: administrators, teachers, parents, students and any other interested party.

The protocols and instructions derived from the above must be established, guides, guidelines or recommendations for the use of ICTs by teachers which should be used by the educational administration and/or the centre willing. Their teaching and use should be adapted to the child’s developmental level.

The management teams, teachers, administrative and auxiliary staff of the educational institutions in the exercise of their functions and tasks need to process data of personal character of the students and their families, which they will have to carry out with due diligence and respect for their privacy and intimacy, bearing in mind the interest and protection of minors.

Administrations and educational centres are responsible for the data processing and should provide training on its basic principles and how to do it correctly.

As a general rule, educational institutions do not need the consent of holders of the data for processing, which shall be justified in the exercise of the educational function and in the relationship caused with the students’ enrolment.


The duty of transparency (Articles 5 (1) (a) and 12 to 14 of the GDPR) must be complied with, in all cases, and therefore the general conditions of treatment must be indicated (in access to the virtual classroom; at the entrance to each subject; before each session, or through a statement).

In this way, before the beginning of each class, students must be warned that the session (image, sound and chat) will be recorded (the student will be able to control his/her microphone and camera). Students will also be advised of the need to protect family privacy and the privacy of others during the course of teaching or assessment. For example, you should be warned when the Zoom lecture is recorded.


The right of opposition may be exercised when there is adequate justification. The application will be decided by the competent body in the field of education established for this purpose.


In an assessment process both the student and the teacher may exercise their fundamental right to data protection (information; access; rectification; deletion; opposition; portability, and limitation of processing (Articles 12 to 23 of the GDPR). In the event of the student refusing to be recorded without just cause, and without any other means of identifying him/her, this decision may have the academic repercussions determined by the centres in question.


Great care must be taken on this point. The broadcast of recorded classes may violate the fundamental right to data protection, as well as the student’s own image and intellectual property rights. For this reason, this material may only be included within the scope of the university service. If you wish to re-use academic material (teachers), the content must be limited to your image and voice only (without students or third parties appearing). This type of recording will be kept only during the academic year (except for evaluation tests, and with a duly protected copy).

Grades during online assessment must follow the same procedure as for face-to-face assessment. They will have a virtual publication board, but limited to the minimum data necessary for the identification of the student (Article 5 (1) (c) of the GDPR).


The Data Protection Authorities have made it clear that online teaching “is legitimised” by “a mission of public interest, which is the educational function and which is covered by a regulation of legal rank, just as if it were face-to-face education”. Therefore, the obligation to attend a virtual class would be the same as that of attending a face-to-face class.

In conclusion, the proliferation of online education has created a series of risks for the privacy of the users of these online learning platforms, especially teachers and students. The rights recognised by the GDPR must be respected (access, deletion, modification…) and users must always be informed of the processing of their data in the most transparent way possible. The power of education must be to create a fairer society that respects the rights of all!