Data protection at schools: project by the University of Kassel and KIT creates legal certainty

In the DIRECTIONS (Data Protection Certification for Educational Information Systems) project, researchers from the University of Kassel and the Karlsruhe Institute of Technology are working on a certification that is intended to simplify data protection in the digitalization of schools and other educational institutions.

The project team. From left to right: Prof. Dr. Gerrit Hornung (University of Kassel), Marcel Kohpeiß (formerly University of Kassel), Prof. Dr. Ali Sunyaev (KIT), Kathrin Brecker (KIT), Jan Torben Helmke (University of Kassel), Eva Späthe (KIT), Hendrik Link (University of Kassel), Philipp Danylak (KIT). Not in the picture: Sebastian Lins (KIT), Hans-Hermann Schild (University of Kassel) and Stephan Schindler (University of Kassel).

During the coronavirus pandemic, many schools had to quickly switch to digital learning platforms, video conferencing and other digital forms of communication in order to ensure educational progress even in times of home schooling. While systems that were questionable in terms of data protection were tolerated for pragmatic reasons at the time, the question of data protection compliance when using digital tools is now increasingly being raised. This is where the DIRECTIONS project comes in. The aim of the project is to develop a data protection certification for school information systems. To this end, the team from the University of Kassel is working on criteria together with the consortium partners from the Karlsruhe Institute of Technology (KIT), datenschutz cert GmbH and Trusted Cloud. The Kassel team is responsible for the legal expertise.

The first version of the criteria catalog was published on July 1, 2024. "As a key milestone, the data protection criteria that providers must meet for certification are now available. In addition to the requirements of the GDPR, these also take into account the heterogeneous regulations of the state school laws. In further testing, we will now subject our criteria to a practical check and make them more precise," says Prof. Dr. Gerrit Hornung, Head of the Department of Public Law, IT Law and Environmental Law at the Scientific Center for Information Technology Design (ITeG) at the University of Kassel.

"There is a great deal of legal uncertainty in schools as to which IT programs are questionable or harmless under data protection law. It would be a great relief for both schools and the data protection supervisory authorities if they could fall back on reliable certifications for school programs. A trustworthy certification program that can competently classify such IT programs would therefore be a great asset. For this reason, data supervisory authorities are supporting the 'DIRECTIONS' project benevolently," says Prof. Dr. Alexander Roßnagel, Hessian Commissioner for Data Protection and Freedom of Information and Chairman of the Conference of Independent Federal and State Data Protection Supervisory Authorities.

The list of criteria will serve as the basis for the first official data protection certifications in the education sector and sets out various criteria for providers of school information systems on 166 pages. These include the rights and obligations of the system provider and requirements for system design. In addition, some school-specific and federal state-specific criteria have been included in the catalog. It is now being tested in practice with selected system providers before the final certification procedure can be applied in practice. The research project is being funded by the Federal Ministry of Education and Research with around EUR 6.4 million, of which around EUR 2.1 million will go to the University of Kassel.


Prof. Dr. Gerrit Hornung

Head of the Department of Public Law, IT Law and Environmental Law

Phone: +49 561 804-7923

E-mail: gerrit.hornung[at]uni-kassel[dot]de


