As digital technology becomes increasingly central to modern education, many schools have turned to platforms like Google Classroom, Microsoft Teams, and SchoolBright to support teaching, learning, and internal administration — including student record management. While these tools have made educational management more efficient, they also introduce real risks around privacy and data leaks, particularly when students' personal information needs to be transferred to third-party service providers.
Few incidents illustrate the urgency of student data protection more vividly than the Appscook Data Leak of 2023. Appscook, a school data management platform serving institutions across India and Sri Lanka, suffered a cloud misconfiguration that exposed children's personal data from over 600 schools to the public. The leaked information included names, photos, birth certificates, tuition receipts, and parent details — all made accessible through public links due to improperly configured access permissions.
This breach is a stark reminder that student data protection cannot be treated as an afterthought. Without proper safeguards and formal agreements with third-party vendors, children's personal data is left dangerously vulnerable.
Under Thailand's Personal Data Protection Act (PDPA), accountability for student data protection falls clearly on the school:
• Schools act as Data Controllers — holding authority over how children's personal data is collected, used, and disclosed.
• Third-party service providers act as Data Processors — handling data strictly within the scope the school defines.
This means that when schools delegate data-related tasks to external parties, the duty to safeguard children's personal data remains firmly with the school itself.
A Data Processing Agreement (DPA) is a foundational tool in any serious student data protection framework. It is a binding contract that governs exactly how a Data Processor may handle children's personal data — and ensures they operate only within agreed boundaries.
A robust DPA for student data protection should cover:
• Purpose and scope of processing children's personal data
• Types of data involved
• Retention periods
• Security measures specific to student data protection
• Restrictions on secondary use of children's personal data
• Breach notification procedures
Without a DPA, schools lose control over how children's personal data is used or whether it is adequately protected. If a breach occurs without documented safeguards, schools face civil, criminal, and administrative liability under the PDPA — as well as significant reputational harm that undermines community trust.
Children's personal data warrants a level of protection that goes beyond the standard applied to adults. Under PDPA Section 20, minors have limited legal capacity to consent to data processing on their own behalf — meaning schools must, in many cases, obtain consent from a parent or legal guardian before collecting or using children's personal data.
Beyond consent, student data protection must also account for the sensitivity of what schools typically hold: personal histories, health records, and other information that could cause serious harm if mishandled. Because children cannot fully advocate for their own rights, the institutions responsible for their education must maintain the highest possible standards of student data protection — not merely as a legal obligation, but as a fundamental ethical commitment.
An effective student data protection strategy combines organizational, technical, and physical safeguards to secure children's personal data at every stage:
1. Establish a DPA with every third-party provider handling children's personal data
2. Encrypt data — both in storage and in transit — to block unauthorized access
3. Enforce access controls — limiting who can view children's personal data and requiring proper authentication
4. Monitor data access continuously to detect suspicious activity early
5. Train all staff on student data protection principles and responsibilities
6. Maintain a breach response plan
Thailand's Personal Data Protection Committee (PDPC) has taken meaningful steps to strengthen national standards for children's personal data, including plans to establish a dedicated task force. The initiative centers on three pillars:
1. Stronger legal frameworks — developing targeted guidelines for digital platforms with child users, including age-appropriate consent mechanisms and verified parental authorization processes that genuinely protect children's personal data.
2. Enhanced oversight — increasing scrutiny of platforms where children are the primary users, promoting Privacy by Design, and requiring children's rights impact assessments as part of student data protection due diligence.
3. Wider awareness — equipping children, parents, and educational institutions with the knowledge to understand their rights over children's personal data, and providing accessible channels to report violations.
The PDPC is also working alongside UNICEF Thailand, which has contributed recommendations to AI and data protection guidelines currently under development — guidelines that will serve as a meaningful step forward in strengthening personal data protection across the country.
Protecting student data is not just about complying with legal requirements; it is a core responsibility of every school operating in the digital age. Children's personal data is uniquely sensitive, and the children it belongs to are uniquely vulnerable. Schools that take student data protection seriously, through formal agreements, rigorous security practices, and a culture of accountability, are not just avoiding legal risk; they are laying the foundation for effective and sustainable personal data protection.