What is health data, and where do you store it?

An LMS shouldn't store health data

As schools go digital, Learning Management Systems (LMS) have become everyday tools for teachers. They help organise lessons, assignments, and communication. But one thing they should not be used for is storing student health information.

What is health data and why can’t it be stored?

Health data refers to any information related to an individual’s physical or mental health, including medical conditions, allergies, medications, and special accommodations. Under the General Data Protection Regulation (GDPR), health data is classified as special category data, meaning it requires extra protection and cannot be stored without a solid legal reason. Article 9 on special category data can be read here. 

Many teachers may not be aware that while it is okay to note that a student is absent due to illness, it is not okay to specify the exact illness. For example, writing “Jane is sick” is fine, but writing “Jane has influenza” could be a violation of GDPR rules. 

This distinction is important because mentioning a specific illness reveals detailed health information, which falls under special category data. GDPR requires a clear legal basis for processing such data, and without explicit consent or another valid reason, storing it, even in an LMS, could be unlawful. Additionally, sensitive health data requires stricter security and privacy measures than an LMS typically provides.

Why an LMS is the wrong place for health data

1. LMS platforms aren’t built for it
   LMS platforms are designed for learning, not for storing sensitive information like student allergies, medication, or medical conditions. While itslearning and similar platforms have strict security measures in place, they are not specifically designed for storing health data. Moreover, access control and data management are ultimately the school's responsibility, meaning the same level of oversight and control as a dedicated medical record system is not guaranteed.
2. It might be against the law
   Under GDPR, storing health data in an LMS is usually not allowed unless a specific exception applies (like explicit consent from parents). Schools disregarding the rules face significant legal consequences.
3. Too many people can see it
   An LMS is meant to be accessed by teachers, administrators, and students. That’s too many people when it comes to private health details. Health data should only be available to those who really need it, like the school nurse.
4. You should only store what’s necessary
   GDPR says schools must collect only the minimum amount of personal data needed for a clear purpose. Storing detailed health records in an LMS is usually unnecessary and could go against these rules.
5. Hard to keep track of and delete
   Schools should only keep personal data as long as it’s needed and then delete it securely. Most LMS platforms don’t have the right tools to track and completely remove health data properly.

Where should health data be stored?

Instead of using an LMS, schools should use:

• Secure medical record systems – Proper platforms designed for handling sensitive information.
• Official school databases – Systems approved by local authorities that meet legal requirements.
• Encrypted files with strict access controls – If absolutely necessary, files should be stored securely with limited access.

What can schools do instead?

• Get clear permission – If health data must be stored, get explicit consent from parents or guardians.
• Limit access – Only let people who truly need the information see it.
• Keep it to a minimum – Only collect what’s absolutely necessary for student safety.
• Have a clear deletion plan – Make sure health data is deleted when it’s no longer needed.