• Processing of personal data in relation to students, parents and legal guardians by educational institutions such as licensed schools, is permitted for administration, daily operation and providing necessary educational services under the Education Act. Personal data processing is also permitted for academic progress monitoring and organization of extra-curricular activities as well. Medical data in relation to students may also be processed in the best interest of the students as long as it is held securely, and it is destroyed once the student leaves the school.
  • The access to personal data in relation to students, parents and legal guardians is to be restricted to those employees who by virtue of their roles and responsibilities are required to process such data and are subject to the Professional Secrecy Act or for part of a regulated profession, or have taken an oath of confidentiality for the carrying out of their duties.
  • Any students who have attained the age of sixteen may give their consent under these Regulations. Otherwise, any consent under the Regulations may be provided by the parents or legal guardians. Consent is required for visual images or for disclosure of personal data to third parties, except when the third parties are education authorities, transferring education institutions, examination bodies, health authorities, the Police, social workers and ETC.
  • For processing of personal data required for research and statistical data, all identifiable data is to be rendered anonymous. The Data Protection Commissioner’s Office has advised that administrative procedure is to be implemented in educational institutions so that the collection and processing of data in this regard is done in a manner that administratively coincides with easier arrangements so that the data may be transferred in an anonymous manner, or else under pseudonyms, as requested by this law.
  • Education authorities are allowed to process personal data in relation to students, and where specifically required in the best interest of the students, as well as personal data relating to parents and legal guardians in order to carry out their functions under the Education Act. (Chap 327 of the Laws of Malta). Therefore, education authorities may request, in writing, the furnishing of personal data related to the above, from the education institutions. Sensitive personal data may only be requested with the explicit consent of the parent or legal guardians.

Definitions
“education authorities” means the Directorates constituted in terms of Part II of the Education Act, as well as the National Commission for Further and Higher Education established in terms of Part VI of the Education Act;

“educational institutions” means any licensed school or other institution or entity offering educational services, whether at a preprimary (kindergarten), primary, secondary, post-secondary or tertiary level and also includes further and higher educational institutions, institutions offering formal and non-formal learning, and vocational education;