Results shared on WhatsApp group 

/in /by

I am in a WhatsApp group for parents at my child’s primary school. During admission, we signed social media forms consenting to the use of social media. However, we were informed that this was intended for special occasions, such as sharing emergency information or photos from school trips. Recently, the head teacher posted the end-of-term results in the parents’ WhatsApp group, which included the full class list, including all pupils’ names, dates of birth, and home addresses. Some parents are worried this could be misused. Is this allowed under the new data protection law?
TN, Dar es Salaam

Under the Personal Data Protection Act, Cap. 44 [R.E 2023] (PDPA), Personal data is defined broadly to include identifiers such as names, birth dates, and home addresses. According to Section 3 of the Act, personal data includes any information that identifies an individual. The section further considers data concerning children as sensitive data. Section 25 of the Act imposes a legal obligation on data controllers (such as schools) to collect and process personal data lawfully, fairly, and in a strictly limited manner for the purpose for which it was originally gathered.

Publishing children’s details in a WhatsApp group without explicit consent from parents is risky and unlawful. The school should have anonymised the information or shared it through secure, consent-based channels. In this case, while parents may have signed social media consent forms during admission, those consents were clearly limited to specific uses such as emergency updates or sharing photos from school trips. The recent decision by the head teacher to publish end-of-term results in a WhatsApp group, including a full class list with sensitive personal details, exceeds the scope of that consent and arguably constitutes a breach of the PDPA.

As stated under section 3 of the PDPA, children’s data is subject to heightened protection under the law, and any processing must be necessary, proportionate, and aligned with the original purpose. Sharing such detailed personal information even within a closed group of parents exposes minors to risks such as identity theft, stalking, and other forms of misuse, and lacks a clear legal basis. Moreover, the failure to anonymise or limit the data shared violates the principles of data minimisation and purpose limitation. It is advisable that Schools and other learning institutions must now treat data privacy as a legal duty, not merely a matter of courtesy.

An amicable resolution with the school management is currently the best option. However, if the school does not cooperate, concerned parents are entitled to lodge a formal complaint with the Personal Data Protection Commission and demand corrective action, including a review of the school’s data handling practices and safeguards. Consult a lawyer for further guidance.