Data protection in eLearning

When introducing eLearning, one will quickly stumble upon the privacy issue - not only in terms of learner registration, but more importantly in terms of the software used, the learning processes and their analysis. So the good news first: eLearning and data protection can be combined quite easily, provided you follow a few basic tips. In the following article, you will find the necessary info on the legal basis and the 6 tips that will help you to make your eLearning project secure in terms of data protection right from the start.

Short and sweet: the legal basis for data protection regulations in eLearning is essentially the General Data Protection Regulation, or GDPR for short and the Federal Data Protection Act. Data protection covers all information that makes it possible to identify personal or factual circumstances. This naturally includes the obvious data such as names, addresses, telephone numbers, e-mail addresses, etc., but in the specific case of eLearning, it also includes data such as learning times, test results, length of stay, and the like. It would be particularly problematic if this data could be disclosed to third parties or if a link could be established between learning process data and the respective person.

Even though the GDPR has caused one to get a stomach ache just thinking about it, in the case of digital training, one may gladly consider it a crucial success factor: Because only if learners can be sure that their data on learning processes and test results is protected and cannot be used, for example, to decide on their future careers, will they be able to learn freely and with motivation. In the case of e-learning, data protection is therefore much more than a necessary evil. It is the basis for a trusting, successful learning culture.

From experience, the most frequent doubts regarding data protection come from the works council and data protection officer(s), and the latter will be instrumental in stemming the challenge. It is therefore important to involve both bodies in the project from the outset, to address data protection issues transparently and to dispel doubts with facts and measures. After all, the decision as to whether eLearning may be introduced at all rests decisively with the works council, so it is advisable to get it on the "safe side" from the outset.

It's probably the most important tip of all: Start with data protection as early as possible. Include data privacy and IT security considerations directly in your list of requirements. Typically, your compliance department can assist you with a checklist. For example, clarify whether providers from abroad are even a possibility, which security measures must be guaranteed and whether the provider is willing to sign a contract on commissioned processing. 

Parallel to this, you should attach importance to a detailed, easy-to-understand privacy policy for your employees. According to the GDPR, you as a provider are obliged to provide your users with transparent, detailed and comprehensible information about the processing of their data.

The more transparency, the stronger the basis of trust for a successful learning project. The transparency requirement of the GDPR means that employees should know what data processing is taking place. So what data is collected, for what purpose it is collected, how it is stored (anonymized or not?), where it is stored and for how long. <br/>Notes within the learning platform provide even more confidence. For example, at comment fields, you can re-emphasize who can subsequently see the comment or let employees know that exam results are stored anonymously only. Also note the right of access of the GDPR.

In general, when collecting data it is important to consider the principle of data minimization. This is closely related to the purpose limitation of data discussed above and means that only the data you really need for the learning processes and their evaluation and optimization should ever be collected. 

Concretely, this means that both

• quantities of data
• the scope of processing
• the duration of storage 
• and accessibility 

must be reduced to the practical minimum.

Further training measures must often be documented, i.e. it must be proven at a later point in time that all relevant employees have attended training on a specific topic. This applies in particular to compliance topics such as occupational safety, data protection or antitrust law. At this point, it is important to document why, which and how long the data is collected and stored. 
If there is no reason to establish a personal reference to the data, you should attach importance to an anonymized evaluation of your training measures. For example, you can evaluate how many employees have taken advantage of the offer, completed a specific e-learning course or collect feedback with the help of a survey.

When choosing your e-learning provider, make sure their software fully complies with the GDPR and is hosted in the European Economic Area (EEA). Ask for independent certifications or a data protection concept. In most cases, you will already notice in the first contact with the sales department whether there is an awareness of data protection and IT security in the company.  

Professional e-learning providers with market experience in Germany know the challenges around data protection and should be able to advise you comprehensively and adjust exactly which data is collected at all, personal or anonymized. Therefore, arrange a consultation appointment even before selecting the tools.

If you primarily work with learning videos, it is of course tempting to use one of the numerous free video platforms for this purpose. However, in doing so, you quickly find yourself on legal ice, because the business model of these platforms usually consists of collecting IP addresses, usage data and device-related information and combining them to create personality profiles. In the worst case, without anonymization. In this case, your employees would only be able to take advantage of the training offers at the price of processing their personal data. Moreover, US providers are behind most video platforms. Transferring personal data to the USA without the consent of your employees is critical. Here, you should also ask yourself what happens if an employee refuses to give their consent. 

For targeted, in-house training, a learning management system (LMS) from a professional provider is therefore always the safer choice. There, you can initially define which data is actually collected, processed and stored, can provide information about the use of the data at any time and can train your employees in a targeted manner.

Learning analytics are the topic that causes the most headaches in terms of data protection - after all, all data relevant to the learning process, such as learning times, learning duration, learning progress, test results, retention time, etc., are collected and specifically analyzed here. The safest solution here is also: Anonymization. But beware: The natural conditions in companies can ensure that conclusions can be drawn about individuals despite anonymization - for example, if data is clustered by department and there is only one person in a department. In such cases, an individual data protection concept that includes your company's internal circumstances in all considerations can help. chemmedia AG will be happy to advise you.