DIRECTIONS: Rethinking data protection for schools

Portrait von Sebastian Lins, Akademischer Rat am KIT und Projektkoordinator von DIRECTIONS.

The “DIRECTIONS” research project from the Karlsruhe Institute of Technology (KIT) could play a decisive role in how schools in Germany deal with the issue of data protection in the future. But what is the guide to secure digital education all about? We took a closer look and spoke to Sebastian Lins, Academic Advisor at KIT and project coordinator of DIRECTIONS.

In recent years, the use of digital solutions in schools has increased worldwide. From learning platforms and video conferencing tools to learning apps: the digitalization of teaching brings many advantages, but also raises questions – particularly with regard to data protection.

Providers of these systems must ensure that their products comply with the strict requirements of the General Data Protection Regulation (GDPR). However, it is not always easy for schools and school authorities to assess whether a system is really compliant with data protection regulations. This is where the DIRECTIONS (Data Protection Certification for Educational Information Systems) project comes in.

The project has the potential to fundamentally change the way digital information systems are used in schools. By introducing data protection certification, uncertainties could be reduced and the digitalization of the education system could be advanced – under the premise that the protection of pupils is always paramount.

Symbolic image of a school class.
A pupil comes forward.
Data protection for schoolgirls is particularly relevant. Image: Canva Pro

DIRECTIONS creates framework conditions for the digitalization of German schools

The main objective of DIRECTIONS is to develop a sustainable data protection certification that ensures that school information systems are GDPR-compliant.

This is done in two steps: The first step is a self-commitment declaration (SVE). This enables providers to check for themselves whether their systems meet the data protection requirements set out in a catalog of criteria – and to communicate this transparently. “The self-commitment declaration creates transparency and comparability on the market at an early stage. It also reduces potential uncertainties among customers,” explains Sebastian Lins, Academic Advisor at KIT and project coordinator of DIRECTIONS.

In a second step, this declaration will be developed into a legally compliant data protection certification, which will then be issued by an independent certification body. This will give schools the assurance that the systems used actually guarantee the necessary data protection.

Status quo at German schools

But what is the current situation in Germany’s schools? During the coronavirus pandemic, many of them were forced to integrate video conferencing tools and digital learning platforms into lessons virtually overnight. Nevertheless, the hoped-for long-term digitalization boost failed to materialize – largely due to a lack of security in the use of digital systems.

“Teachers are often unsure whether the tools used meet data protection requirements,” reports Lins. This uncertainty leads to some systems not being used at all, even if they might be of educational value. “However, it is almost impossible for schools and school authorities to check such things themselves with legal certainty, which is why they often rely on the recommendations of the data protection supervisory authorities of the federal states.”

Symbolic image of two learners in front of a Smart Board.
Certification provides orientation. Photo: Canva Pro

Data protection must be seen as an opportunity, not an obstacle

The importance of binding data protection standards becomes particularly clear when you consider that the protection of pupils’ data is at stake. “Data protection is particularly relevant for minors,” emphasizes Lins. “The use of digital learning systems can lead to sensitive data such as individual learning profiles being collected. Such sensitive information must be specially protected in order to prevent its misuse.” However, as the systems are usually selected by the school, the pupils themselves have little influence on this.

Critics could now argue that strict data protection requirements are slowing down the digitalization of schools. Sebastian Lins takes a different view: “Data protection should not be seen as a brake, but as a minimum standard.” He emphasizes that the protection of pupils must have top priority. A data protection breach could have serious consequences and must be avoided at all costs.

“With certification, schools and their sponsors can be confident that the respective systems comply with data protection regulations.” This makes the selection decision easier and alleviates potential concerns. “Certification in particular counteracts a possible ‘brake’,” summarizes Lins, who has been working on the topic for a decade.

What’s next for DIRECTIONS?

The catalog of criteria drawn up as part of DIRECTIONS is currently being tested with selected system providers. Tests on five specific use cases are planned for the summer and fall of this year. At the same time, the project team is working on the further development of the certification process and the set of rules. “As soon as the certification has been designed, it will also be tested and then submitted to the necessary formal approval process,” explains Lins. If the certification is approved, it can be offered on the market and providers will have the opportunity to have their systems officially certified.