More schools, colleges, universities and EdTech application providers are migrating to the cloud to store data. But what does the storing of this data mean in terms of security and privacy? EdTech has seen huge growth in the past few years, from nursery right up to university; education is slowly becoming more digitised.
The shift towards digital education is not without its problems. EdTech has become a top target for frequent and high-intensity cyberattacks, which are increasing every year. With more EdTech companies using cloud-based solutions, there’s a bigger risk of data breaches. The personal information of students and educators, along with sensitive financial and operational data, is at risk if data is not properly protected.
According to a recent Dutch study, most educational institutions across the Netherlands store a lot of data on American cloud servers.
The research, conducted by scientists from Delft University of Technology, the University of Vienna and the Max Planck Institute, gathered DNS data from institutions across the US and Europe – including countries such as Austria, Germany, Switzerland, the Netherlands and the UK.
In the study, researchers analysed the data that educational institutions sent to major cloud computing providers such as Amazon, Google and Microsoft between 2015 and June 2021. The results indicate that the majority of universities, not only in the Netherlands, have linked at least one of their systems to an American commercial cloud provider.
There is a lot of debate around the storage of data in Europe vs the US. Since the introduction of the General Data Protection Regulation (GDPR) in Europe back in May 2018, a high bar has been set in privacy protection for individuals within EU member states.
EdTech firms should be familiar with data protection regulations and rules, including GDPR.
While the data privacy landscape in the US has changed significantly in recent years, with data protection rules aligning more closely with European standards, some key differences still remain.
GDPR in Europe was a game-changer, providing a comprehensive data law that applies to all organisations that collect, store or hold personal data belonging to ‘data subjects’ in EU member states, which includes educational institutions.
Arguably the key difference between American data privacy laws and those in Europe is that the US lacks a comprehensive data privacy law that applies to all types of data and all US companies. Instead, American data laws adopt a more fragmented approach, with various regulations governing different industry sectors and types of data.
There are also cultural differences in how the US and Europe approach data privacy laws. The EU Charter of Fundamental Rights establishes data protection as a fundamental right. However, the US has traditionally taken a far more ‘hands-off’ approach, tending to favour companies that collect and use personal data.
Despite historically taking a more hands-off approach, the US government did establish the Patriot Act in the aftermath of 9/11. The act reportedly gives government agencies, in emergency situations, the authority to access not only personal data but also data held by any organisation, at the authorities’ own discretion. According to the act, the US government can access data held within its borders and all the data of companies that operate in the US. This obviously creates huge data privacy concerns.
To protect data from being accessible via the Patriot Act, your organisation will need to maintain operations outside of the US and use a cloud provider that stores data outside America.
ISO 27001 is the standard that outlines the requirements for an organisation’s Information Security Management System (ISMS), educational institutions included. The goal of ISO 27001 is to ensure that you have a clear framework for managing information security and can demonstrate compliance with that framework.
The ISO 27001 standard will help your educational institution to secure information entrusted to it by third parties, in addition to organisation-specific assets such as intellectual property. Tilaa holds these ISO certifications, which puts you in a position to support data protection for EdTech companies.
Meanwhile, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) also plays a very active role in data protection, which affects EdTech enterprises. The agency is an independent administrative body that has been appointed by law as a supervisory authority for the processing of personal data.
In 2021, Autoriteit Persoonsgegevens (APG) identified a number of data privacy risks in education and issued recommendations to better protect personal information. The APG highlighted three trending risks to privacy in education, including:
Safe cloud computing in EdTech is a must amid an increase in cyberattacks. That’s why we recommend using an ISO-certified cloud provider. Our cloud VPS is fully certified and hosted in two data centres in the Netherlands. Plus, our systems are secure and compliant by design. Tilaa offers data protection for EdTech done right. To talk more about cloud EdTech, get in touch.