Data Protection warns against “shadow IT” in schools

A part of Austria’s schools have set up a “shadow IT”, warns the Arge data. By using clouds or WhatsApp, student, teacher and parent data would end up in “no-man-rights data-protection land”. The Ministry of Education emphasizes that the introduction of the Data Protection Regulation (DSGVO) clearly communicates what is allowed. Any violations want to punish.

“Schools do what they want in principle – without a legal agreement and technical security and the Ministry of Education stands in the way”, criticized Arge data chairman Hans Zeger. The privacy advocates would watch a sprawl of “weird IT solutions” for years.

School used Gmail and Google Drive

Data Protection warns against "shadow IT" in schools

Well documented is a case reported by the teacher of a federal school in Lower Austria to the Arge Daten. There since 2015 for the communication of teachers and parents the mail program of Google and in addition to the storage of data such as pupil lists, pictures of excursions etc. the cloud service Google Drive is used.

This is theoretically allowed, according to Zeger. However, this would require, in addition to the consent of those affected, that the Ministry of Education or the Education Directorate (formerly Landesschulrat) concludes a processor agreement with Google. That is prescribed in the GDPR. In Austria one investes “very much money” in own school software such as Socrates or Web Unitis, apparently these are not suitable for everyday use. “Real life is taking place in the area of ​​US cloud solutions.”

“According to DSGVO banned”

Data Protection warns against "shadow IT" in schools

The problem thereby from Zeger view: If private persons decide for themselves by using these IT solutions their data are analyzed and interest profiles developed, that is their affair. “But somebody else does it for me and that is forbidden according to DSGVO. There are clear guidelines that are ignored or only partially respected by the schools. “If a director does this knowingly, it even limits the abuse of office, according to Zeger. The Ministry of Education must effectively shut down these practices, demands the privacy advocates.

Ministry sees schools adequately informed

Martin Netzer, Secretary General of the Ministry of Education, points out that with the introduction of the GDPR, the Department has made it very clear by decrees and appropriate training of the Directors that the use of services such as Google is taboo for student-related data such as addresses or dates of birth , According to Netzer, that would not even be allowed if all concerned agree.

At present, the case described by the Arge Daten can not be verified. Especially in Lower Austria, however, the schools have been particularly urged to draw attention to the new data protection rules. However, should it actually come here to a violation, this must be punished.

Data Protection warns against "shadow IT" in schools

According to Netzer, the situation is somewhat different if the data has nothing to do with school administration and no personal reference. Although there is a clear recommendation from the ministry that offers from Google and Co should not be used in a school context. However, if everyone agrees, it will be fine if the students or parents, as private persons, share photos of the school ball or a trip on such a platform.

Parents and students, however, should be informed by the school leaders on the privacy risks. For WhatsApp Netzer said that this application for the Ministry is not considered a secure communication and therefore should not be used systematically.