Jamf’s privacy and compliance approach for European schools

Students spend a large portion of their lives in school, sometimes half a year at a time, for a decade or more. Whether they realize it or not, school shapes the way they learn, think, socialize and develop their sense of identity. That's no small thing for schools. Each student is precious and deserving of care and respect — schools are the stewards of their education and well-being.

That responsibility has become more complex in the digital age. Today, schools communicate, teach and store information through devices and online systems, creating opportunities — and vulnerabilities — that didn’t exist before. Striking a balance between keeping students safe, storing required data and maintaining data privacy is difficult. Unfortunately, threats to student well-being and privacy come from all sides: attackers, themselves, peers, software and even the school itself, if they're prone to surveillance.

That's why schools are subject to data handling regulations. Though some schools believe that protecting their students involves watching their every interaction on their devices, there are issues with this. After all, doesn't this violate their privacy like an external attacker would? UNICEF sums this up nicely, noting that the right to privacy and data protection enable further protections, like "the rights to non-discrimination, development, freedom of expression, play and protection from economic exploitation". Data surveillance doesn't actually protect the student; instead, it can alienate them from their peers, get them in undue trouble or put them in danger. This erodes the trust students have in their school.

Children do not lose their human rights by virtue of passing through the school gates. Education must be provided in a way that respects the inherent dignity of the child and enables the child to express his or her views freely.

— Adapted from UN Committee on the Rights of the Child, Annex 9. General comment no. 1 (2001), Article 29 (1), The aims of education

Data handling in schools

What exactly do we mean when we say "data"? Of course, schools need certain data to identify students, like their name and address. Some keep records about student health, ethnic origin and more. Data can come from educational tech (edtech) too, both explicitly and implicitly. Much like how social media develops profiles of us based on our interaction with certain content, edtech can create profiles of students too. While not always malicious or with the intent to infringe on privacy, this data needs to be considered too.

So how should schools handle student data? Much of this is governed by the General Data Protection Regulation (GDPR). While this blog won't be comprehensive, we'll highlight a few key principles, adapted from UNICEF's publication, Data protection in schools: guidance for legislators, policy makers and schools.

• Lawfulness, fairness and transparency: Handle and process data only if there is a legal basis for it. Consider how it affects an individual and handle it in a way that is reasonable and justifiable. Be open and honest about data use and inform subjects about their rights.
• Purpose limitation: Identify and document the purpose for data processing and relevant context. Regularly review this and adapt based on any changes.
• Data minimization: Only collect data needed for a specified purpose, and review and delete/anonymize data at appropriate intervals.
• Accuracy: Ensure data collected is accurate, understand and comply with the individual's right to rectify their data, and keep a record of any mistakes.
• Storage limitation: Remove data when necessary and when it is no longer needed or justified.
• Integrity and confidentiality: Employ appropriate technical and organizational controls to keep data secure.
• Accountability: Employ appropriate policies, practices and other measures and maintain records to show compliance.

There's a lot that goes into achieving these goals. While Jamf can't help with all of them, we know that if your school uses Jamf, we need to be held to strict data protection standards too.

Jamf privacy and compliance

Jamf is committed to helping schools meet the highest standards of data protection and regulatory compliance.

Built to support your GDPR compliance

Jamf aligns its products and practices with the GDPR, the gold standard for privacy protection. This includes:

• Data minimization: We only process personal data essential for educational use cases.
• Clear data roles: Schools retain full control as data controllers. Jamf acts strictly as a data processor.
• Privacy by design: Our tools are engineered with built-in safeguards to support secure configurations from day one.

Student data stays safe and secure

• European data centers: For Jamf School, data is stored within the EU to meet localization and residency requirements.
• Strong encryption: In transit and at rest, encryption protects sensitive student and staff information.
• Role-based access controls: Jamf ensures the right people have access to the right data — nothing more.

Transparent practices and support

• Clear privacy documentation and Data Processing Agreements (DPAs) are available to all customers.
• Jamf offers dedicated support for schools to complete DPIAs (Data Protection Impact Assessments).
• Regular audits and updates are in line with evolving EU privacy standards.
• SIVON Assessment: Jamf School successfully completed a DPIA conducted by SIVON, a Dutch digital education authority, over two years. SIVON affirms that Jamf “can be safely used by educational institutions … while maintaining strong privacy controls.”

Learn more about the frameworks, regulations and certifications behind Jamf products >>

Built for education, trusted by schools

Whether you’re a local authority, an individual school or a Ministry of Education, Jamf gives you the tools to manage Apple devices with confidence — balancing innovation with privacy.