DIRECTIONS – Data Protection Certification for Educational Information Systems
Ali Sunyaev, Sebastian Lins
- Project Group: Ali Sunyaev, Sebastian Lins, Eva Späthe, Kathrin Brecker, Philipp Danylak
- German Federal Ministry for Education and Research (BMBF)
- Prof. Dr. Gerrit Hornung, University of Kassel; Dr. Maseberg and Dr. Karper, datenschutz cert GmbH; and many more partners from practice and research.
The aim of the research project Data Protection Certification for Educational Information Systems ("DIRECTIONS") is the conceptual design, exemplary implementation and testing of a sustainable, applicable data protection certification for school information systems. Certification in accordance with the General Data Protection Regulation (GDPR) is in the interest of all parties involved: the data subjects, i.e. in particular the students, whose personal data is protected; the schools and school authorities, who may only work with information system providers who can demonstrate sufficient guarantees for compliance with data protection; the providers, who can demonstrably offer their customers this very security with certification; and the certification bodies, for whose business field the GDPR provides mandatory rules.
In order to achieve the project goal, two expansion stages of DIRECTIONS are envisaged: First, a quality seal will be designed and tested; it will then be further developed and applied so that it becomes an approved and recognized data protection certification. Developing a quality seal in the first expansion stage creates, in the short term, a means that providers of school information systems can use to communicate their data protection practices. This can create transparency and comparability on the market at an early stage and reduce potential uncertainties. However, a quality seal alone is not sufficient to demonstrate compliance with the GDPR. For this reason, it is planned in the second stage to develop the seal into a data protection certification in accordance with Art. 42 of the GDPR and to have it formally approved.
In order to implement the expansion stages, suitable certification objects will first be defined, which encompass the data processing operations of data controllers or processors. Subsequently, a criteria catalog for the seal and for certification according to the GDPR will be developed. In addition, suitable organizational structures and procedures for the auditing and awarding of the seal, as well as for the implementation of a recognized data protection certification, will be designed. This includes, in particular, the specification of modular certification processes to meet the needs of small and medium-sized enterprises. To ensure the sustainable use and widespread dissemination of DIRECTIONS, application concepts for a lastingly successful seal and certification process will be investigated and publicity measures will be implemented. The developed seal is to be implemented in practice by selected partners in the near future. Finally, the certification procedure and the criteria developed in the DIRECTIONS project are to be assessed for their accreditability and tested and validated in practice.