Finding and selecting a secure e-learning environment
To deliver online courses securely, it is necessary to use secure tools, manage who has access to the learning platform, and ensure that personal data is handled appropriately.
When using a learning platform, or deciding which one to use, check at least the following:
- The system has appropriate login and user management
- The digital environment is regularly backed up
- The data is transferred over a secure (SSL/TLS-certified) connection
- The learning environment provider and its subcontractors follow GDPR regulations in their operations
- Data security has been tested and proven (e.g. with regular third-party penetration testing)
- Data processing activities are recorded and documented (e.g. in the organiser's log files)
It is a good idea to ask different service providers how they take care of cyber security.
The possibilities of user management
If the learning environment is being used as part of another digital environment, for example for internal use or maintaining a customer portal, the user management can often be simplified through single sign-on (SSO). Single sign-on means connecting the learning platform to another platform’s credentials, such as an email provider or a member portal.
With single sign-on:
- managing user credentials is easier when users don’t need to memorize a new password and username
- access to the learning environment can be easily restricted to authorized users
- access to the learning environment will automatically terminate when the account used for the SSO is closed
In addition to improving data security, single sign-on improves software usability and reduces administrative work, because user management becomes simpler.
Importing data from other systems
Sometimes additional data, such as AD groups from Office365, is imported to the learning platform to simplify user management. This data can be used to group users in the learning environment, for example by department or position.
When additional data from another system is brought to the learning environment, it is appropriate to consider which data to transfer and which not to transfer. Importing unnecessary personal data should be avoided. Appropriate and useful data for the learning environment might be, for example, the participants’ email addresses for communication or information about the participants’ departments to help with grouping. An example of unnecessary information would be the participants’ social security numbers.
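One way to enforce this at import time is an allow-list: only named attributes are copied, everything else is dropped, and the names (never the values) of dropped attributes are logged. This is an added example, not code from any learning platform; the attribute names and sample records are assumptions constructed for illustration.

```python
"""Allow-list filter for user records imported into a learning platform.

Added illustration; attribute names and sample records are constructed.
"""

# Source attribute (lower-case) -> field name in the learning environment.
# Only what the platform actually needs is listed (assumed names).
ALLOWED = {"mail": "email", "department": "department", "title": "position"}


def minimise(record):
    """Return (kept, dropped_names) for one source-directory record.

    Attribute names are matched case-insensitively. Values of dropped
    attributes are never returned, so they cannot leak into logs.
    """
    kept, dropped = {}, []
    for name, value in record.items():
        target = ALLOWED.get(name.strip().lower())
        if target is None:
            dropped.append(name)
        elif value not in (None, ""):
            kept[target] = str(value).strip()
    return kept, sorted(dropped)


def import_users(records):
    """Filter all records, skip users without an email, build an audit log."""
    users, audit = [], []
    for i, record in enumerate(records):
        kept, dropped = minimise(record)
        action = "imported" if "email" in kept else "skipped"
        if action == "imported":
            users.append(kept)
        audit.append({"record": i, "action": action, "dropped": dropped})
    return users, audit


# Constructed sample export; not real data.
SAMPLE = [
    {"Mail": "a.student@example.org", "Department": "Sales",
     "nationalId": "000000-0000", "homePhone": "+00 000 0000"},
    {"mail": "", "department": "HR", "nationalId": "000000-0001"},
]

if __name__ == "__main__":
    users, audit = import_users(SAMPLE)
    print(users)
    print(audit)
```

The audit list doubles as a record of the processing activity: it shows which attributes were refused for each record without storing their contents.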
GDPR, the EU’s data protection law
The EU's General Data Protection Regulation (GDPR) obliges us to process personal data responsibly. Personal data is information that identifies users, such as email addresses or names. In some situations, indirect information such as an IP address may also be sufficient to identify a user. In such cases, indirect identifying information will also be processed as personal data. In contrast, for example, the total number of users of a learning environment is not personal data.
From a GDPR perspective, it is good to note that:
- what personal data is processed, how it is processed, and where it is stored should be agreed with the service provider
- only data that is necessary for the course should be stored in the learning environment
- user management in the learning environment can be used in a way that allows only invited users to participate in the course
- users’ access to the environment can be terminated and their data deleted from the system
- there is a defined process for handling data deletion requests
- user data and back-ups will be deleted after the system is no longer in use
Along with the GDPR, it has become common practice to require that user data be processed within the EU. Whenever a service contract is made, a data processing agreement should always be attached to it.