Our Digital & Data lawyers at Al Tamimi & Company discuss DP101: A Lesson on Data Protection in the Education Sector and provide updates on the latest news
Digital and Data
Nileena Susan Alexander
In the last quarter of 2021, the United Arab Emirates (“UAE”) issued Federal Decree-Law No. (45) of 2021 Concerning the Protection of Personal Data (“DP Law”), which came into force on 2 January 2022. The DP Law introduces a legislative framework for protecting the privacy and confidentiality of data relating to data subjects located inside and outside the UAE.
Educational institutions, whether K – 12 or Higher Education (“Schools”), typically process a substantial amount of personal data relating to their students and their families, including prospective students. In addition to personal data relating to their students and their families, Schools also process personal data relating to their staff members, alumni, job applicants, visitors, third-party contractors and other stakeholders. Therefore, Schools will need to put appropriate mechanisms in place to ensure that their processing of personal data is compliant with the DP Law.
Generally speaking, personal data processed by Schools would include names, addresses, photographs, dates of birth, IDs, passports, visas, grades, assessments, performance data, etc. Additionally, by virtue of the nature of the activities undertaken by them, Schools may also often be required to process large amounts of “Sensitive Personal Data”. Sensitive Personal Data under the UAE DP Law is defined as data relating to family, ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data, or any data relating to such person's health and physical, psychological, mental, genetic or sexual condition.
The DP Law requires that a special record be maintained for personal data that contains certain mandatory information, such as a description of the categories of personal data, details of the persons authorised to access the personal data, processing times, limitations and scope, the mechanism for erasing, modifying or processing Personal Data, the purpose of processing, any data related to the cross-border movement and processing of such data, and the technical and organizational measures related to information security and processing.
Under the DP Law, consent is the primary basis for processing personal data. However, the DP Law lists certain limited circumstances in which personal data may be processed without obtaining prior express consent from the data subjects. The DP Law does not contain a provision similar to Article 8 of the GDPR, which requires the consent or authorisation of the holder of parental responsibility over the child in relation to the processing of personal data relating to minors. However, individuals below the age of 21, the legal age of majority under UAE law, are not considered to have legal capacity under law, except in certain limited circumstances. Therefore, the consent of the parents or guardians would be required in order to process personal data relating to minors, such as the students in Schools, under the DP Law, where no other lawful basis, as detailed under the law, exists. A point to note is that the DP Law outlines certain requirements that need to be complied with in obtaining consent for the processing of personal data. Consent under the DP Law needs to be specific, clear and unambiguous, and provided through a clear positive statement or action. Schools may need to assess whether the consent obtained by them meets the specific requirements under the DP Law.
The DP Law lists certain limited circumstances in which personal data may be processed without the consent of the data subjects. The most relevant of these include processing necessary for protecting the interests of the data subject, performing a contract to which the data subject is a party, and fulfilling specific obligations stipulated by other laws in force in the UAE. Schools will need to assess the purposes of processing the personal data held by them in order to determine what basis can be cited for processing such data, especially in light of the mandates from regulatory bodies such as the Knowledge and Human Development Authority that require Schools to maintain records of their students.
The UAE DP Law outlines certain mandatory disclosures that must be made to data subjects prior to commencing the processing of their personal data. Schools will need to consider how they can provide such disclosures to all relevant data subjects and how much detail they provide. These disclosures can be provided through privacy policies or notices, consent forms or contracts.
Schools may often employ third-party processors outside the UAE or host the personal data held by them on servers outside of the UAE, which requires the transfer of personal data out of the UAE. In such cases of transfer of personal data outside the UAE, the DP Law imposes restrictions similar to those of the GDPR (the European data protection law), requiring the adoption of certain protective measures in order to ensure that such data is afforded the same level of protection in the foreign jurisdiction as it has under the DP Law. There may also be additional requirements imposed on public schools that are owned and operated by the government of the UAE.
Another important point to consider whilst processing personal data is for how long such personal data can be held by Schools. Traditionally, Schools have held on to personal data for a long time in order to enable them to comply with requests for information. Regulatory bodies often impose an obligation on Schools to retain personal data held by them for a certain minimum number of years. An example of this would be the Abu Dhabi Department of Education and Knowledge requirement that all private schools in Abu Dhabi retain data relating to students and staff members for a minimum of five (5) years from the date on which they leave the school.
Some of the other points to consider for Schools are the need to appoint a Data Protection Officer (“DPO”), conduct data impact assessments and maintain records of their processing activities.
According to the DP Law, a DPO must be appointed where the processing activities would cause a high level of risk to the confidentiality and privacy of the data subject as a result of adopting new technologies or processing high volumes of personal data, involve a systematic and comprehensive assessment of sensitive personal data, or be carried out on a large volume of sensitive personal data. Considering that Schools process a large amount of personal data, especially sensitive personal data, they may be required to appoint or authorise a DPO with sufficient skills and knowledge, located either inside or outside the UAE. The DP Law outlines the duties and responsibilities of the DPO, as well as the duties of the controller and processor towards the DPO. Even where DPOs are not appointed, it would be prudent for Schools to appoint a data coordinator, who will be responsible for tracking and managing the personal data processed by the different departments and for maintaining the mandatory special record of processing activities, as mentioned above.
Data impact assessments are mandatory where the processing includes a systematic and comprehensive assessment of the personal aspects of the data subject using automated processing that can have legal consequences or a serious impact on the data subject, or where the processing is carried out on a large volume of sensitive personal data. Data impact assessments must be carried out prior to commencing the processing of personal data and must comply with the minimum requirements outlined under the DP Law.
Schools must ensure that they take appropriate technical and organisational measures to implement the necessary standards to protect and secure the personal data processed by them in order to preserve its confidentiality and privacy. They must ensure that it is not breached, destroyed, altered or tampered with, taking into account the nature, scope and purposes of processing, and the possibility of risks to the confidentiality and privacy of the data subject. However, should a breach of personal data nonetheless occur, the DP Law outlines the measures that Schools need to take at the time they become aware of the existence of a breach or violation of personal data.
Additionally, although the DP Law is in force, the Executive Regulations supplementing the DP Law, expected in March 2022, have yet to be issued, and the DP Law states that it will be enforced within 6 (six) months of the Executive Regulations being published. Therefore, Schools will have a relatively short timeframe from the date of issuance of the Executive Regulations in which to align and regularise their compliance with the provisions of the DP Law.
For further information, please contact Krishna Jhala.
Published in August 2022