What Data Does Your School Actually Hold?
Before thinking about compliance, take stock of what you collect. A typical Pakistani school maintains:
- Student CNICs and B-forms
- Parent CNICs and employment information
- Home addresses and phone numbers for every family
- Academic records — marks, positions, results
- Attendance records — when and where a child was present
- Health records — blood group, vaccination status, medical conditions
- Financial records — fee payment history, outstanding dues, family income if scholarships are involved
- Disciplinary records — incidents, suspensions, behavioural notes
That is a significant amount of sensitive personal information. Most schools hold it in registers, Excel files, and filing cabinets — without formal data protection policies.
Pakistan's Relevant Legal Framework
PECA 2016 (Prevention of Electronic Crimes Act): Pakistan's primary digital data law. Section 14 criminalises unauthorised disclosure of personal information where it causes harm. A school that leaks a student's health record or a family's financial situation to a third party could face legal liability under PECA.
PDPA 2023 (Personal Data Protection Act): Pakistan's first dedicated data protection law. Schools collecting personal data are classified as "data controllers" and must:
- Inform individuals what data is being collected and why
- Obtain consent for data collection and processing
- Ensure data is accurate, complete, and not retained longer than necessary
- Take reasonable security measures to prevent unauthorised access
- Allow individuals to request correction or deletion of their data
The Biggest Compliance Risks for Schools
- Sharing result photos in WhatsApp groups: Posting a student's marks in a parent group exposes private academic data to 40+ families. This is a PDPA violation for the families who did not consent to that disclosure.
- Unsecured Excel files on shared computers: Fee registers with family financial data sitting on an unlocked staff computer is a data breach waiting to happen.
- Third-party vendors with access to student data: If you share student lists with a transport contractor, printing company, or photography studio, they need data handling agreements.
- No data deletion policy: Old student records, including B-forms and health cards from students who left five years ago, create unnecessary liability.
Role-Based Access: The Practical Fix
The most effective data privacy measure for a school is role-based access control — ensuring each staff member can only see the data they need for their job.
- Teacher: Sees their class list, attendance, and marks — not fee records or health data
- Accountant: Sees fee ledgers and payment records — not academic marks or disciplinary history
- Nurse: Sees health records — not financial or academic data
- Principal: Has oversight access to all modules
In Skoo, permissions are set per role at setup. A teacher logging in cannot accidentally see a family's outstanding fee balance. An accountant cannot see a student's health record. The architecture enforces privacy by design.
Where Your Data Lives Matters
Skoo hosts all school data on Pakistan-region servers. Student CNICs, family addresses, and financial records never leave Pakistan's jurisdiction. This is relevant under PDPA, which restricts cross-border data transfers to jurisdictions without equivalent protection. Schools using software hosted in India, Ireland, or the US may face compliance questions they cannot easily answer.
