Data protection in schools is a special issue, which is why data protection officers take a closer look here and are stricter. What are the challenges and opportunities for educational institutions, what has actually been implemented and what needs to be changed.
The protection of sensitive data in schools is very important – and there is still a lot to be done
© Fotolia / Thaut Images
A controversy surrounding the popular Microsoft Office 365 program hit the headlines in the summer of 2019 on a topic that deserves the attention of a wide audience: schools should get the software package
of the American group Microsoft no longer use – no Word, no Excel, no Powerpoint, nothing. This is the conclusion reached by the Hessian commissioner for data protection and information security, Michael Ronellenfitsch.
In the meantime, the data protection activist has slightly weakened his assessment due to discussions with Microsoft. But the test continues. Data protection in schools and educational institutions is a particularly sensitive topic for a variety of reasons and therefore it is only good that the data protection officer examines the topic critically.
As CEO, I deal with the subject of data protection every day. As a company founder, it is also very important to me to deal with the founders of the future and to arouse the interest in starting a company in schoolchildren.
I visit schools regularly to talk to the children and young people about their perspectives and ideas. Of course, in addition to the students, I also come into contact with the teaching staff and the headmasters. The topic of data protection and IT security is always very present, as I am also committed to integrating it more into the curriculum and promoting the IT skills of both children and teachers. I would like to share my impressions on this topic here.
Data protection in schools is a special issue, which is why data protection officers take a closer look here and are stricter. I would like to talk about the challenges and opportunities for educational institutions as well as the current legal situation, the actual implementation in schools and what needs to change in the future.
Data protection in schools – sensitive data and decentralized work
The subject of data protection in schools and educational institutions is very important, because they work with very sensitive data. Not only are evaluations of school performance in the form of grades from minors and young adults recorded and processed, but notes on behavioral problems, social behavior and personal issues such as illnesses or absences are also created.
These data have a major influence on the further development and future of children. If the students are minors, according to recital 38 of the
once again special protection:
“Children deserve special protection with their personal data because children may be less aware of the relevant risks, consequences and guarantees and their rights when processing personal data.”
As a result, the personal data to be processed in schools are particularly sensitive. In addition, employees in educational institutions are forced to always work decentrally: at school, but often also at home and on their private computers. Sharing data with others is an integral part of everyday school life, because teachers have to communicate with one another, with parents and students.
This can become a problem in terms of data protection, because it must always be ensured that all teachers are imparted the necessary knowledge and technical security solutions are made available that are necessary to protect this data in such an agile work environment.
When teachers work from home, which is common due to the lack of workplaces in schools, if the school does not do it, they themselves face the challenge and question: How do I access the data and how do I ensure that I have all the data Have available that I need?
In terms of data protection law, this means that you not only have to protect the computers in the school, but also the private devices of the teachers, because:
“As a teacher, I use personal data on private end devices because my employer (yet?) Does not provide any service laptops.” (Anonymous)
Teachers shouldn’t have to take care of data protection on their own, but it should go without saying that the educational institution assumes responsibility, organization and costs for it.
The subject of data protection in educational institutions therefore affects a large number of groups and brings with it some challenges due to the heterogeneity of the jobs to be secured. On the one hand, the topic affects the students themselves, because their personal data must be protected in order to protect the right to informational self-determination.
On the other hand, the topic naturally affects the school as an institution and the school management, who are responsible for compliance with data protection laws – and must be liable in an emergency. However, it also affects the teachers who are responsible for complying with the guidelines set by the school in their daily work. And of course the parents are also affected, who as legal guardians should be informed about the topic.
It is important to me to define the topic. The point here is not that there is a Whatsapp group in the class that can be used to send information about the next class trip or distribute homework. It is about personal and sensitive data such as illnesses, personal characteristics, ratings, grades and conversation notes that must be protected by the school institution – as the person responsible for data protection.
Legal framework – the GDPR does not stop at schools
This does not apply directly to public schools
, but due to the new General Data Protection Regulation
as well as the state data protection laws are adapted, and the latter in turn also apply to educational institutions. This means that the principles of the GDPR still have to be demonstrably implemented by schools.
According to Article 39 of the GDPR, every school must appoint a data protection officer who is responsible for compliance with the regulation. However, in the event of a data breach, neither the data protection officer nor the teaching staff would have to be personally liable, because only the person responsible for the data processing is liable and that is the educational institution itself.
This means that the school alone is responsible for data protection. It is the responsibility of the institution to train the teachers and to provide a functioning system in which the teachers can work flexibly but in compliance with data protection regulations.
The particular challenges of data protection in educational institutions
In addition to the fact that teachers work flexibly at different workstations and process, among other things, very sensitive data, there are other challenges that apply specifically to educational institutions. School management, teaching staff and other employees in educational institutions are generally not IT security experts. Nevertheless, it is their job to collect sensitive data and work with it.
In the training of teaching staff, the topic of IT security hardly occurs or not at all, and the use of modern and innovative software is not exactly the favorite subject of every teacher. Therefore, only those who are privately interested are up to date with the latest technology and know the exact threats and opportunities of various technical systems and software.
Problem number 1: Security is a personal preference
At universities in particular, it is often the case that students and doctoral candidates take up teaching assignments in which grades and assessments are awarded. One of my employees had interesting experiences in this regard during her doctorate at two universities, one in Germany and one in the USA. The word data protection was not even mentioned and how the teacher stores and manages the grades was left up to her. It goes without saying that the private computer is used for this. No one asked or checked whether this computer was secured enough to process personal data.
This example shows that the responsibility lies with the respective school or educational institution and that it makes a big difference how the topic of data protection is communicated and how important the topic is. If data protection is a high priority, all teachers are picked up and trained in the area of data protection, as described, for example, by a user who oversees the educational network at his school:
“On the private computer (which is usually used at the same time for work) you are on your own. However, together with a colleague, I offer a weekly IT / media consultation hour to which all colleagues can come. I also publish a newsletter that appears every two months and offers tips and questions. “(B.R., teacher and network consultant)
If this is not the case, only teachers interested in this topic will implement adequate protective measures.
The Technical University of Dresden is an educational institution that gives high priority to data protection. It has evaluated encryption software and rates it as a suitable tool for secure data storage and secure data exchange via cloud services. The software will be made available to all students and employees free of charge at the start of the 2019 winter semester. Other universities, on the other hand, don’t even educate their teachers about the privacy risks of the cloud.
Problem number 2: security vs. Prestige on budget issues
In addition to the awareness of the relevance of IT security and data protection, there is another problem: Schools often only have rudimentary IT equipment due to low budgets and when the budget is increased, it is often used more for hardware that is visible Makes a difference, for example tablets or interactive whiteboards.
IT security software that could secure the school’s entire IT system and the data storage on private computers is not the most popular investment in my experience. The security solutions compete with presentable gadgets that “visibly” modernize a school. Software that runs unnoticed in the background protects the students’ data. But ideally – when the software is doing its job and effectively protecting the systems – you won’t notice anything. When security software competes against prestige programs, it loses out when the budget is tight.
Problem number 3: Decentralized organizational structure
Another challenge is that schools are organized on a decentralized basis. There are guidelines and assistance from the individual countries, but every school can and must do its own thing and must implement the desired safety precautions itself. The IT people in schools, if there are dedicated IT people at all and the IT teacher or math teacher doesn’t just do it on the side, they all do their own thing and have to fight for budgets.
If you want to do data protection properly, you have to deal with it a lot, but very few teachers have the resources and the time to do so. IT security standards are constantly changing and it is not enough to deal with the topic once. Rather, ongoing training and observation of the market environment are required.
To make matters worse, some federal states have not managed to bring the recommendations on data protection on their website up to date, even three years after the GDPR came into force and one year after it came into force. Even if the school management or a teacher tries to adhere to these key recommendations, it will be made unnecessarily difficult for him or her. You can still contact the state data protection officer. But since the new GDPR became binding, these have also been chronically overloaded.
A wish list for more data security in schools
The schools and educational institutions are certainly doing their best to protect the data of children and young people with the means and knowledge available. Unfortunately, there is often a lack of data protection awareness, support and education. I have therefore formulated six wishes to improve data security in schools, to take the burden off the shoulders of teachers and at the same time to make processes more efficient.
More support for teachers:
My preferred solution would be workstations provided by the institutions. They should contain a secure and user-friendly environment that enables collaboration on sensitive data. Alternatively, the teachers’ private computers are equipped with a secure environment and reliably brought up to date with the latest technology.
More staff for the data protection officers of the federal states.
These authorities support companies and educational institutions with GDPR compliance with words and deeds and this important task should be distributed on more shoulders than on those who are currently burdened.
Education ministries should not commission their own IT security solutions for schools
Examples of such well-intentioned but poorly implemented services already exist in other areas, such as De-Mail. Only recently, Federal Interior Minister Horst Seehofer announced the commissioning of a so-called Europe Cloud, which in my opinion is doomed to failure from the start. There are already mature and secure cloud solutions in Germany. The Europa-Cloud will not be able to catch up with these services – even if the funding rate is high.
A safe and contemporary working environment:
The cloud is ideal for collaboration because you can access the data from anywhere and easily collaborate with other teachers and other people involved. For data protection reasons and because of the special sensitivity in the field of education, I would rely on German providers. For example, the state of Baden-Württemberg recommends the use of
. A German cloud is perfectly secured with the additional end-to-end encryption with zero knowledge guarantee from
. Even highly sensitive data such as grades and other information about minors can be saved easily and in compliance with the GDPR.
In the course of the current controversy about Office 365 and the GDPR, the use of Word, Powerpoint and Co. should be avoided until Microsoft has responded to the demands of German data protectionists when collecting data. Because no encryption software can prevent the sending of telemetry data. If this is not possible, it must be ensured that no diagnostic data is sent to Microsoft. An alternative to Microsoft could be the German program
Compulsory training for teachers:
Data protection and the opportunities and dangers of new technologies should become core competencies of teaching staff. Student data would be better secured and at the same time teaching staff would learn important skills that would also help them in teaching, understanding their students and preparing class materials. In addition, it should not be forgotten that teachers are always role models for students. And that’s why it’s especially important to lead by example when it comes to data protection.
A separate budget for IT security:
Security shouldn’t have to struggle for budget with gadgets and showcase projects. IT security is an independent area and everyone should be aware of its relevance. A budget tied to improving and maintaining IT security would help a lot here.
I understand, of course, that this is a comprehensive and optimistic wish list and that teachers and school management go out of their way to get the most out of their students. But this professional group’s awareness of the relevance of data protection must be heightened. At the same time, more resources must be freed up for IT security.
Here I do not see the school institution alone as being responsible, but mainly politics, which should take on the issue of data protection in schools more closely. An important step has already been taken with the GDPR, as thanks to it everyone suddenly had to deal with data protection. Now it is a matter of implementing this with the necessary resources.
GDPR: your data protection rights
GDPR – consumers need to know that now
Data protection and security: switch off hardware as a weak point