Karlsruhe Institute of Technology: Data protection and data security: certification for virtual learning

Distance learning has been part of everyday school life for children and young people since the beginning of the corona pandemic. The market for corresponding school information systems and learning software is booming worldwide. According to media reports, however, learning platforms, chat programs, video conferencing tools and cloud storage for the virtual classroom often lack data protection. Researchers at the Karlsruhe Institute of Technology (KIT) want to remedy this with a data protection certification. In the DIRECTIONS project, they are developing reliable criteria for such a certificate. The Federal Ministry of Education and Research (BMBF) is funding the project with almost 6.5 million euros.

“When new technologies find their way into teaching, data protection must of course be guaranteed,” says Professor Ali Sunyaev from the Institute for Applied Computer Science and Formal Description Procedures (AIFB) at KIT. According to the EU General Data Protection Regulation (GDPR), providers of school information systems must ensure that their products meet all data protection requirements, while schools are only allowed to use systems that guarantee data protection. “There were cases in which, for example, the confidentiality of the data was not guaranteed,” reports the head of the Critical Information Infrastructures research group.

First data protection certification in education

One way of addressing this problem is through data protection certification for school information systems. The KIT scientists are now developing one in the DIRECTIONS project (the name stands for Data Protection Certification for Educational Information Systems). The researchers aim to design a sustainable data protection certification for school information systems, to implement it in an exemplary manner and finally to test it. Certifications have already proven themselves as a means of checking cloud services, and seals of approval are already known from online retail in particular. “The DIRECTIONS certification is being developed as the very first data protection certification in the education sector to demonstrate compliance with the GDPR with legal certainty,” announced Sunyaev.

Clear criteria for schools when purchasing learning software

“One problem is that the schools sometimes lack the knowledge and experience to assess whether online services and IT products even meet data protection requirements,” Sunyaev states. A further issue is the transfer of data to third countries outside the EU, for example when providers of learning tools are based in America. “This makes it a lot more difficult to keep control over what happens to the students’ data,” warns the expert. He also sees a serious security gap in the often missing encryption of the data: “Personal data is partially stored or transmitted in clear text so that it can in principle be read.”

In addition, there is a lack of clear decision-making guidelines for the evaluation of individual products, and recommendations differ between the individual federal states. “This means that school information systems are not used at all or only to a limited extent, and so many potentials of digitized teaching are not fully exploited,” says Sunyaev. “With a corresponding certification, as we are now developing, a provider can prove that all requirements are met. Certifications thus create transparency and improve the comparability of systems.”

A certification includes an examination by an independent and accredited certification body such as TÜV or DEKRA. The certification body determines whether a system and its provider meet all requirements of the catalog of certification criteria. Checks cover technical security measures such as a firewall or the use of encryption and anonymization procedures, but also organizational measures such as training the provider’s employees or appointing a data protection officer. If the examination is successful, a certificate and a seal of approval are awarded, with which the provider can advertise.

The BMBF is funding the project with a total of almost 6.5 million euros. KIT will receive almost four million euros from this. The University of Kassel and datenschutz cert GmbH are also involved in the project.