The impact of POPIA on education
In the corporate space, the pst few years have held a lot of attention around the Protection of Personal Information Act, or POPIA as it is more commonly known. Outside of the corporate space, and particularly in the schools and education arenas, considerably less noise has been made around the Act, which is surprising as schools are a veritable treasure trove of personally identifiable information (PII) of both adults and minors.
PII can be seen as any information that can reasonably be used to identify one person from another or ascertain someone’s identity from what would otherwise be anonymous data. This extends from the basics of your name and surname through to information like medical records, account information, banking, and a whole host of other related information.
The reason PII is a treasure trove is that data can be used for nefarious purposes. Identities can be stolen and data can be made available on auction to the highest bidder – with certain types of information fetching a higher price than others. And, like toothpaste out of a tube, once the data is out it is nigh impossible to contain it again.
In the education space, registrations of learners alone capture a massive amount of information into a school’s internal systems and databases. Systems and databases that can either be digitally based or still in physical form, such as original paperwork. These repositories of data exist all over a school; think about cabinets in offices and admin areas as well as online systems and tools – how many of them are in use? Each one poses a risk in a different way and they are often forgotten about in day-to-day operations.
It’s important to state that POPIA is not just there to protect the parents and learners, the Act covers the entire process within the school system. Standard processes and documents like indemnity forms, deployment reports and educator details are all protected. Even processes such as submitting reports to the department will be affected by the Act. As such, protection of this information should come to the fore for any school.
POPIA defines a number of principles instead of imposing a checklist of things you need to do. This makes it quite a daunting Act in terms of ‘where to start’. A lot of schools mistakenly approach POPIA thinking that all it boils down to is obtaining consent for everything, which most certainly is not the case. It fans out into other principles too, such as ensuring there is security in place for data (both physically and digitally), that consent is obtained where necessary, that schools are transparent and above board with what they are doing with data, and that they are not collecting too much data.
Ultimately, the requirements of POPIA should not be seen as onerous within the education space, they should be seen as good business practice for day-to-day operations. The principles of the Act, while relating to data protection, also form a great basis for being responsible with information under your charge. Yes, the initial process of complying with the Act will take a lot of time and effort, but once it is embedded in the school, it should become business as usual – with privacy being taken care of by default and the risk to the school and its stakeholders dropping significantly.