Educational Institutions: Data Protection in Schools and Universities
Is there actually anyone who has positive memories of IT lessons at their school? The anecdotes I hear are all about outdated hardware and mishaps. Of course it is funny when the permanent marker lands on the touch screen, but unfortunately this story is almost a metaphor for the IT structure in our schools.
I have made it my business to be a role model for pupils as a company founder, and for this purpose I am invited to seminar projects at schools from time to time. When I talk to the teachers during these projects, we quickly turn the conversation towards topics such as data protection and IT security. After all, I am actively committed to ensuring that these areas occupy a larger place in education.
The turmoil over the Office 365 software package has made me think again. Do you remember that Michael Ronellenfitsch, Hessian Commissioner for Data Protection and Information Security, is of the opinion that Office 365 should no longer be used in schools? The outcry was great - among teachers as well as from Microsoft. Ronellenfitsch had taken his task seriously, because data protection in schools is a particularly sensitive issue, since the persons concerned are minors. For this reason, the data protection officers at schools take a particularly scrutinizing look.
Today, I would like to give you an overview of the circumstances of IT security in educational institutions in Germany.
Special Protection of Children's Data in the GDPR
Schools do not only collect grades and evaluations of school performance about their pupils. A lot of other information that may not be immediately thought of is stored and processed electronically:
- Reports on behavioral abnormalities
- Reports on social behavior
- Notes on absences and illnesses
- Address data and contact information of legal guardians
According to recital 38 of the GDPR, such information deserves even greater special protection:
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. (…)
Decentralized Working is the Rule and not the Exception
For employees in the education sector, decentralized work is the rule rather than the exception. Preparation times and corrections of tests at home are normal, especially for teachers. In addition, there is the exchange of data with pupils, legal guardians, school administrators, and colleagues.
In terms of data protection, this way of working can become a problem because a certain degree of IT affinity is necessary in order to work flexibly and securely at the same time. It must always be ensured that teachers have the necessary knowledge and technical skills to manage the data they store appropriately and securely.
The hardware is a factor that should not be neglected, either. In a survey we conducted among Boxcryptor users at the beginning of 2019, it was precisely this issue that was cited as the reason for using our encryption software:
Boxcryptor complies with the GDPR. As a teacher, I use personal data on private end devices because my employer does not (yet?) provide service laptops.
(Anonymous, Boxcryptor Survey 2019)
This statement shows how tense the situation is. Educational institutions must take responsibility for the costs and maintenance of data-protection-compliant equipment.
GDPR and German BDSG-neu
Schools and other public educational institutions are subject to the BDSG, the Federal Data Protection Act, of Germany. This law was revised in the course of the introduction of the GDPR and contains its principles.
For example, each school is obliged to appoint a data protection officer. This person must monitor compliance with the BDSG. However, they would not be personally liable in the event of a data breach. Liability lies with the person responsible for data processing - and that, in turn, is the educational institution.
This fact brings us back to the point that schools should actually provide the IT infrastructure for teachers.
Three Challenges for Data Protection in Education
In our schools, people who a) have not been trained to do so, and b) are already busy with other tasks, often have to take care of data protection. It is clear that one is knowingly maneuvered into a dramatic situation. It cannot be the strategy of our education ministries to leave the protection of particularly sensitive data to teachers who take care of it in their spare time and do so out of personal interest. Universities, on the other hand, mostly have departments responsible for IT, but they are often overstretched with the task of organizing IT for many different departments and chairs.
1. Security Depends on Personal Preferences
I'd like to start with an example. In universities, academic staff without their own chair also hold courses. Doctoral candidates, for example, give courses and grade and evaluate their students. There is email traffic between the students and teachers, and teachers most of the time have to work on their private laptops and store sensitive student information there. From personal experience and from reports of my employees, data security of this sensitive student data is never an issue. Often, there is no authority to verify the security of private equipment used for the work at the university.
So there are big differences in how a school or university deals with data protection. A positive example of a school:
"On the private computer (which is also mostly used occupationally, at the same time) one is alone for oneself. But together with a colleague, I offer a weekly IT/media consultation, to which all colleagues can come. I also publish a newsletter that appears every two months and provides tips and answers questions." (Benjamin Riedl, teacher and network consultant)
Another example: The "Technische Universität Dresden (TUD)" has found an individual way to support the members of the university with regard to data protection. The university has evaluated our encryption software Boxcryptor and rates it as a suitable tool for secure data storage and data exchange via cloud services. The software has been made available to all students and staff, free of charge, since the beginning of the 2019 winter semester.
You can read more about this in their success story “Security in the Cloud: The Technical University of Dresden Starts with 45,000 Boxcryptor Licenses”.
However, especially in schools, if there are no committed and technology-oriented people at an institution who take on the subject of data protection, the subject mostly remains untouched. An absurdity.
2. Prestige Outweighs Security
In most educational institutions there is only a general budget for IT. In theory, all IT security expenses, such as training, encryption software and the personnel costs of data protection officers, would have to be paid from the budget.
In practice, however, these expenses compete with the cost of hardware. These include, for example, tablets or interactive whiteboards – devices that can be seen and touched, that significantly change teaching, are fun, and make an impression.
In comparison with such visible changes, data protection is naturally at the bottom of the list. In my experience, software that could secure the school's entire IT system and data storage on private computers is not the most popular investment. If encryption software competes against prestige programs, it will lose out if the budget is small.
3. Status Quo is a Hotchpotch with Holes
The current situation differs strongly from school to school. There are several reasons for this.
On the one hand, we have the schools that want to strictly adhere to the specifications of the respective state data protection officers. However, these schools are often obstructed, because the state data protection officers have been chronically overstretched since the GDPR came into effect on May 25, 2018. Theoretically, the websites of the state data protection authorities give recommendations for action to the school management. But some of them have not even been updated since the GDPR came into effect.
On the other hand, we have the above-mentioned dependence on the IT knowledge of individual players. If by chance there is no IT-savvy teacher employed in a school, the data protection situation might be problematic.
Finally, I would like to draw attention once again to the fact that IT security is a field in which there are innovations and major developments almost on a weekly basis – be it updates or new programs, legislative changes or best practice examples. Thus, it's a big challenge for individuals to keep up with all developments. In parallel with a challenging job in teaching, this is almost impossible.
My Suggestions on How to Improve Data Protection in Education
In my opinion, the teachers at the schools are doing a wonderful job. I always experience highly motivated staff during my visits and therefore look forward to every visit.
It is my objective to relieve the teachers of data protection with clear regulations and better organization. For this purpose, I have 6 points on my wish list.
- Teachers get more support. Primarily, I am thinking here of equipment provided and maintained by the facilities. The objective has to be to provide every teacher with a safe and user-friendly working environment.
- Federal data protection authorities will receive more staff. Data protection in schools falls within the scope of supervision of the data protection officers of the federal states. With more staff, these authorities could better support schools and universities in data protection issues.
- Ministries of culture rely on existing IT security solutions. Experience shows that there is nothing to be won when authorities commission their own software solutions. DE-Mail, BeA and the Europacloud Gaia-X are just a few examples. I expect the authorities to first examine the free market and evaluate proven software solutions, instead of having new programs developed at great expense and hardship. Existing systems are already widely accepted by the population. The technological lead of those solutions can hardly, if ever, be made up for by government software.
- Teachers have a secure and modern working environment. Data storage in the cloud solves a vast number of problems teachers currently face. The cloud is ideal for flexible access from different locations and is, in combination with good data encryption, a secure storage location for particularly sensitive information. For German schools, the federal state of Baden-Württemberg, for example, recommends the use of TeamDrive. A cloud with additional end-to-end encryption, including a zero-knowledge guarantee, like Boxcryptor, is perfectly secure. Even highly sensitive data such as grades and other information about minors can be stored easily and in compliance with the GDPR. If you use Office 365, you must ensure that no diagnostic data is sent to Microsoft by the software. No encryption software can prevent the transmission of telemetry data. An alternative to Microsoft could be the German program LibreOffice.
- Teachers are trained in data protection. Teachers are not only concerned with protecting their students' data. Their role as role models is equally important. Children must experience first-hand how adults treat information and software with care and awareness. Adults, however, can only set an example if they themselves have sufficient basic knowledge. The opportunities and threats of new technologies should become a core competency of teaching staff.
- IT security gets a separate budget. Trying to pay privacy and hardware expenses from the same budget is like trying to multiply apples with pears - it will not work. And yet, it is common practice at our schools. A separate budget, available for the improvement and maintenance of IT security, would certainly elevate the data protection in schools.
This wish list is intended for politicians. Yes – education is a matter of the federal states. However, just as the GDPR was introduced in a major effort for all member states of the European Union, it must be possible to introduce everyday data protection practice at all German educational institutions that corresponds to the reality of life of teachers and students in the 21st century.