The issue of protecting the personal data of students and teachers in Andalusia is once again in the spotlight after it was revealed that the profiles of more than 738,000 students and over 43,000 educators ended up in Google’s possession. This situation directly affects the interests of families, educational institutions, and society as a whole, since this concerns confidential information that could impact children’s futures.
According to El Pais, regional authorities violated European data protection standards for five years, resulting in several fines. The Andalusian government is now developing a new agreement with the American corporation to avoid further sanctions and ensure its actions comply with legal requirements.
Data protection concerns
The Andalusian Council for Transparency and Data Protection has acknowledged that the region is heading in the right direction, but key issues remain unresolved. In particular, a full risk assessment for personal data has not been carried out, despite this being a requirement under European law. Such an assessment is essential to prevent leaks and misuse, especially when it comes to minors.
One of the most serious criticisms against the authorities is the transfer of student data to countries where data protection standards do not meet EU requirements. Previously, information was sent to Singapore, El Salvador, and the Philippines, which resulted in particularly large fines. Now, according to Google, all transfers comply with European regulations, and a special privacy agreement is used for exchanges with the US.
Responsibility and risks
The Andalusian authorities claim they control the processing of personal data, and Google cannot access the contents of student profiles. However, experts point out that even with data anonymization, there are still risks associated with analyzing large data sets. Additionally, some of the responsibility for security was placed on school principals and teachers, who had to take on new duties without adequate preparation.
Some experts recommend using alternative open-source platforms such as Moodle to reduce dependence on large tech companies. However, many schools continue to use Google due to its convenience and wide range of tools, often without considering the potential consequences for students.
Local mistakes
In several cases, schools uploaded official documents, including medical records and grades, to Google Drive, even though the secure Séneca platform is intended for this purpose. The provincial inspectorate did not always respond to such violations, and teachers are reluctant to speak out about the issues due to fears of sanctions. Meanwhile, improper data storage could lead to children’s personal information becoming accessible to third parties even years later.
Authorities remind that only Séneca is recognized as the official system for storing such documents. European legislation places special emphasis on the protection of medical and other sensitive data, as leaks could seriously harm the rights and interests of citizens.
Politics and public reaction
Andalusia’s Minister of Education, Carmen Castillo, stated in parliament that there have been no major data leaks, and all recommendations regarding informing families and educators are being followed. However, the opposition is demanding that the agreement with Google be terminated, an internal investigation be conducted, and those responsible be held accountable. The debate continues, as public trust in the education system and the safety of children depend on the authorities’ decisions.
In recent years, Spain and other EU countries have repeatedly faced scandals involving the transfer of educational institutions’ personal data to major tech companies. In 2024, a similar situation occurred in one of the autonomous communities, where regulatory intervention forced a complete overhaul of information storage policies. European authorities continue to tighten data processing requirements, while schools and universities seek a balance between the convenience of digital platforms and the protection of personal data.
