Part 1: When children's data becomes a commodity – Privacy challenges in the digital school

Digitalisation opens new opportunities in education, but it also places ever-greater demands on how student data is handled. In this two-part blog series, we take a closer look at the privacy challenges faced by schools and local authorities– and how we together, can create a safer digital learning environment.

Children’s privacy receives special protection under the EU’s GDPR legislation, and regulators across Europe have expressed concern that digitalisation could compromise student privacy. Particular attention has been paid to the risks associated with tools from large international technology providers, which may operate under different assumptions and frameworks for processing personal data. Hundreds of digital learning tools must be assessed and managed, a demanding task, particularly for smaller municipalities, or schools, with limited resources.  The challenge is not a lack of willingness on the part of schools or municipalities, but rather navigating a complex landscape where pedagogical needs, legal requirements, and technical solutions must be carefully balanced.

Children's data: Where does it go?

Children's personal data is considered not only sensitive but also ethically charged. This means there must be full transparency about how data is collected, processed, and used. Yet many schools use free tools or solutions from international providers without always realising the risks this can pose to student privacy. Data may be shared, stored, or accessed outside secure European frameworks, sometimes for commercial purposes. Data protection authorities in Denmark and Sweden have uncovered several serious breaches, ranging from illegal data transfers to unauthorised access to student records.

These findings highlight the importance of thorough assessments and clear requirements for data handling in schools, both from providers and school authorities.

The reality for municipalities:
High expectations, few resources

This year, the Norwegian Data Protection Authority conducted an extensive review of the school sector, examining 50 municipalities to assess how they safeguard students’ personal data. The report shows that many municipalities have a limited understanding of what constitutes personal data and little insight into whether providers can use student data for their own purposes, such as commercial exploitation or service development.
The problem is particularly pronounced with free services and web-based tools that do not require logins, which are often adopted locally without centralised risk assessment. This can result in critical privacy considerations being overlooked.

The report also highlights the need for more systematic processes and expertise within municipalities. This involves clear roles, documentation of data processing, risk assessments, and agreements with providers. Municipalities participating in inter-municipal IT collaborations are more likely to have written procedures, qualified staff, and clearly defined responsibilities, making privacy work more robust.

The provider maze: Complex and challenging

The Norwegian Data Protection Authority’s investigations reveal that many municipalities find the provider market complex and difficult to manage. Four main challenges were identified:

• Providers make changes without notification
• Tools are not always designed for school use
• Communication with providers is challenging
• Data processing is difficult to navigate

The way forward: What can be done?

Digitalisation in schools is here to stay, and the challenges must be addressed through collaboration, expertise, and better tools. But how can providers contribute to strengthening privacy in practice? In Part 2, we look more closely at how itslearning approaches privacy from the ground up, and how we help municipalities create a safer digital learning environment.