Universities and schools deal daily with data from hundreds (and even thousands) of people. These include students, parents, teachers, technicians, and various other staff members who carry out enrollments, registrations, and requests, not to mention uploading assignments to the institution's systems.
Concern about this diverse data comes into focus with the new General Data Protection Law. These schools and universities now need to pay attention to how they handle the personal data of everyone in the academic community. This includes, for example, CPF numbers (Brazilian tax identification numbers), addresses, grades, financial information, and anything else that can be linked to a person.
Providing data based on legitimate interest.
When it comes to data protection laws, much is said about consent. Indeed, it is essential when we talk about online stores and websites that collect user information. However, in the case of educational institutions, the provision of data is based on legitimate interest and also on the necessity for enrollment to be completed. Therefore, the focus is less on obtaining consent from individuals and more on maintaining transparency in the process of collecting and using this personal information.
Be careful when using new technologies.
Technologies that use artificial intelligence, such as facial recognition, biometric systems, performance statistics, and access passwords, among others, are becoming more common in everyday life. However, these tools must be used in a way that respects data protection. With the LGPD (Brazilian General Data Protection Law) coming into effect, all personal data must be protected, and the academic community must be aware of what information is collected and for what purpose.
How can institutions adapt?
The first step towards compliance is having a team within your institution dedicated to thoroughly understanding the law and seeking the best methods for protecting personal data. This team should be multidisciplinary, involving the legal, academic, technology, marketing, and human resources sectors.
It is essential to clearly define what information is collected, for what purpose, and how long it remains in your educational institution's database. It is also important to emphasize that data concerning children and adolescents must be collected with the authorization of their guardians. For children under 12 years of age, no information should be collected without parental consent. For adolescents up to 18 years of age, parental authorization is only required for the collection of sensitive data. From the age of 18 onwards, the student decides what information they wish to share.
The next step, then, is to generate the personal data protection impact assessment report, a document that may be requested by the National Data Protection Authority (ANPD). This authority is responsible for imposing fines for the improper use of data, which can reach up to 2% of the institution's revenue. In addition to fines, there are other sanctions, such as formal warnings and the blocking of data relating to the infraction.
Points that educational institutions should pay attention to:
- Students, parents/guardians, and teachers must be able to authorize or refuse the collection of information, and must know what data is being collected and for what purposes;
- There must be ways for students, parents/guardians, and teachers to request the deletion of personal information or to stop data collection;
- Each person should be able to access, request a copy of, or migrate collected data to other educational institutions;
- Clear language should be used so that anyone can understand what happens to their data, including the privacy terms;
- In the event of a data breach or leak that could harm the rights of the academic community, the institution must notify the authorities;
- It is recommended that the institution protect sensitive information by concealing it or replacing it in some way so that the person's identification is only possible with the addition of other data;
- In some cases, schools and universities will have to work with a Data Protection Officer (DPO), who will oversee the processing of personal data and provide clarifications to the ANPD (National Data Protection Authority).
The website of the educational institution.
Your university or school website must also comply with the LGPD (Brazilian General Data Protection Law). The collection of personal data begins even before a student enrolls in the university or school. Many educational institutions already request information from interested individuals on their websites so they can send materials and maintain a relationship with the community.
Therefore, all institutional websites must comply with the LGPD. One way to begin the adaptation process is to determine whether the data collection on the website is correct. In addition to contact forms, many web pages use cookies, the small files that track user behavior on the site. Each user must be able to authorize or refuse the collection of personal information through these cookies.
Do you work in education and want to start managing the privacy of the academic community in accordance with the new law? Learn about the solutions from Privacy Tools, such as Compliance Report and Cookie Management. By making your website compliant, you improve your institution's positioning, fostering a more transparent relationship with the public.



















