POPIA and Schools: What Administrators and ECD Operators Need to Know About Learner Information
South African schools and Early Childhood Development (ECD) centres collect a remarkable amount of personal information every day — enrolment forms, health records, progress reports, photos, emergency contacts, and more. Much of this information belongs to children, which places it in a particularly sensitive category under the Protection of Personal Information Act (POPIA). Understanding how POPIA applies to your institution is an important step toward responsible, lawful operations.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
Why Schools Are "Responsible Parties" Under POPIA
When your school or ECD centre decides *why* and *how* personal information is collected and used, POPIA classifies your institution as a responsible party. That means the obligations in the Act — keeping data secure, limiting its use, and respecting the rights of data subjects — sit with you.
For most schools, the data subjects include:
- Learners (who are minors and therefore receive heightened protection)
- Parents and guardians (whose consent is often required on behalf of the child)
- Staff members
- Third-party service providers
This article focuses on learner and parent information, because that is where the most common questions arise.
---
The Eight Conditions for Lawful Processing
POPIA sets out eight conditions that any responsible party must satisfy whenever it processes personal information (section 8). In plain terms, your school should be able to answer "yes" to each of the following:
- Accountability — Is a designated Information Officer registered with the Information Regulator and responsible for compliance? (See section 55 for the Information Officer's duties.)
- Processing limitation — Are you only collecting information you genuinely need?
- Purpose specification — Is the purpose for collecting each type of information clearly defined? (Section 13)
- Further processing limitation — If you share or re-use information, is that use compatible with the original purpose? (Section 15)
- Information quality — Is the information accurate and up to date?
- Openness — Do parents and learners know you hold their information and why? (Section 18)
- Security safeguards — Have you taken reasonable steps to protect records from loss, damage, or unauthorised access? (Section 19)
- Data subject participation — Can parents or learners access, correct, or object to the use of their information? (Sections 23 and 24)
---
Special Protection for Children's Information
POPIA places children's personal information in the category of special personal information, which attracts a higher level of protection under section 26. Processing this category of information is generally prohibited unless one of the specific authorisations under section 27 applies — for example, where processing is carried out with the consent of the parent or guardian, or where it is required to establish, exercise, or defend a right or obligation in law.
In practical terms, this means:
- Enrolment forms should clearly state what information is collected, why, and how it will be used — and should obtain explicit consent from the parent or guardian.
- Learner photos, videos, and work samples should not be published (on websites, social media, or newsletters) without specific, informed consent.
- Health, therapeutic, or psychological records require careful access controls and should only be shared on a strict need-to-know basis.
---
Lawful Basis for Processing Learner Information
Under section 11, processing of personal information is only lawful if one or more of the following bases apply:
- Consent of the data subject (or, for a minor, the parent or guardian)
- Contractual necessity — the information is needed to fulfil the enrolment contract
- Legal obligation — a law or regulation requires you to hold the information
- Legitimate interest — the school has a genuine, proportionate reason that does not override the rights of the data subject
For children, consent must come from the parent or legal guardian. Section 11(3) also preserves the right to object to processing, which parents may exercise in certain circumstances.
---
How Long Can You Keep Learner Records?
Section 14 of POPIA requires that personal information not be kept longer than is necessary for the purpose for which it was collected. Once a learner leaves your institution, you should have a documented retention schedule that explains how long each record type is kept and why. Some records (such as academic transcripts or financial records) may need to be retained for defined periods under other legislation — your retention policy should account for both POPIA and any applicable sector-specific requirements.
When the retention period expires, records should be destroyed or de-identified in a secure manner.
---
Notifying Parents When You Collect Their Child's Information
Section 18 requires responsible parties to notify data subjects when collecting their personal information. For schools, this means that enrolment packs, registration forms, and communication consent forms should clearly explain:
- What information is being collected
- The purpose for collecting it
- Whether providing the information is voluntary or mandatory
- Who will have access to it (including any third parties such as a school management system provider)
- How to access or correct the information
A privacy notice — either as a standalone document or incorporated into enrolment paperwork — is a practical way to meet this requirement.
---
Data Breaches: When You Must Notify
If personal information held by your school is compromised — lost, stolen, accessed without authorisation, or otherwise exposed — POPIA's section 22 requires notification to both the Information Regulator and the affected data subjects as soon as reasonably possible. For a school, this could mean a stolen laptop containing learner records, an email sent to the wrong address, or unauthorised access to a cloud-based school management platform.
Having an incident response plan in place before a breach occurs significantly eases the pressure when something goes wrong.
---
Practical First Steps for Schools and ECD Centres
- Register your Information Officer with the Information Regulator at inforegulator.org.za. This is a legal requirement.
- Audit your data flows — map what personal information you collect, from whom, why, and where it is stored or shared.
- Review your enrolment and consent forms to ensure they include a clear privacy notice aligned with section 18.
- Establish a retention schedule documenting how long each record type is kept.
- Strengthen access controls on physical files and digital systems holding learner or staff information.
- Train staff who handle personal information on basic POPIA obligations.
- Prepare a breach response plan so you know what to do if information is compromised.
---
Where to Find Official Guidance
- Information Regulator (South Africa): inforegulator.org.za
- Full text of POPIA (Act 4 of 2013): available via the Information Regulator's website and the Government Gazette
- Department of Basic Education: education.gov.za for sector-specific guidance on learner records
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA (Act 4 of 2013). It is not legal advice. The specific obligations that apply to your school or ECD centre will depend on your individual circumstances, the nature of the information you process, and any sector-specific legislation that applies to you. Please consult a qualified attorney for advice tailored to your situation.