Please enable JavaScript.
Coggle requires JavaScript to display documents.
Data Protection and Privacy in Educational Technology - Coggle Diagram
Data Protection and Privacy in Educational Technology
Principles of Personal Data Protection in Education
Based on
Legality
Requires
Data processing according to the law (Panama Law 81 of 2019)
May rely on
Consent
Contract execution
Legal obligation
Purpose limitation
States that
Data must be collected for specific and legitimate purposes
Applied to
Grades management
Enrollment processes
Academic planning
Prevents
Use for unrelated purposes without explicit consent
Data minimization
Indicates
Collect only what is strictly necessary
Avoids
Excessive or irrelevant data collection
Data quality
Requires
Accuracy
Completeness
Up-to-date information
Ensures
Informed decisions
Efficient educational management
Confidentiality
Protects against
Unauthorized access
Improper disclosure
Implemented through
Encryption
Secure systems
Staff training
Accountability
Obliges
Compliance with principles and legal requirements
Falls on
Educational institutions
Access and rectification
Recognizes the right to
Access personal data
Request corrections
Update information
Management of Sensitive Information in Educational Platforms
Includes data such as
Personal data
Academic records
Medical information
Financial information
Starts with
Risk assessment
Identifies
Sensitive data types
Potential threats
System vulnerabilities
Requires technical safeguards
Encryption
Protects
Data in transit
Data at rest
Multi-factor authentication (MFA)
Ensures
Access only for authorized users
Firewalls and intrusion detection systems
Block
Unauthorized access attempts
Monitor
Suspicious activity in real time
Depends on access management
Role-based access control (RBAC)
Assigns permissions by role
Administrator
Teacher
Student
Regular permission reviews
Prevents
Excessive access
Strengthened by
User training and awareness
Strong passwords
Phishing recognition
Responsible data handling
Auditing and continuous monitoring
Detects
Security gaps
Vulnerabilities
Incidents
Documentation
Records
Policies
Procedures
Actions taken
Incident response plan
Defines
Containment
Notification
Remediation
Consent and Student Privacy Control
Consent
Must be
Informed
Freely given
Specific
Unequivocal
Requires
Transparency
What data is collected
Why it is used
Who can access it
How it is protected
Communicated through
Clear and accessible privacy policy
Includes student rights
Access
Rectification
Deletion
Objection
Privacy control
Enables
Privacy settings management
Who can view information
What data is shared
Voluntary participation in surveys
Data update or deletion
Linked to
Data minimization
Prevents
Unnecessary collection
Includes rights such as
Right of access
Check accuracy and usage
Right to rectification
Correct inaccurate information
Right to deletion
Remove data when no longer needed
Right to data portability
Transfer data in a structured, readable format
Risks and Threats to Data Security in Educational Environments
External threats include
Cyberattacks
Ransomware
Encrypts institutional data and demands payment
Mitigated by
Regular backups
Incident response planning
Phishing
Tricks users into sharing
Passwords
Personal data
Mitigated by
Training
Advanced email filtering
DDoS (Denial-of-Service attacks)
Overloads servers and causes
Service disruptions
Mitigated by
DDoS protection solutions
Capacity planning
Internal risks include
Accidental data exposure
Misconfigured permissions
Inappropriate sharing
Human error
Weak passwords
Unintentional disclosure
Incorrect data entry
Insider threats
Malicious staff with access
Controlled by
Monitoring
Audit logs
Role limitations
Technical risks include
Software vulnerabilities
Caused by outdated systems
Reduced by
Patching and updates
Security scanning
Weak access controls
Improved by
MFA
RBAC policies
Legal and third-party risks include
Non-compliance
Requires adherence to
Panama Law 81 of 2019
Third-party services
Risks in
Cloud storage
Data analytics services
Managed by
Vendor security assessment
Clear data protection agreements
Best Practices in Collecting and Using Educational Data
Before collecting data
Obtain informed consent
Explain
What data is collected
Purpose of use
Storage methods
Who can access it
Allow
Consent withdrawal without penalties
During collection
Data minimization
Collect only necessary information
Define clear purposes
Performance evaluation
Academic tracking
Learning improvement
Avoid
Using data beyond what was disclosed
During storage and use
Secure storage
Encryption in transit and at rest
Restricted access
Secure deletion
Transparency
Communicate how data is used
Enable user review
Legal compliance
Follow Panama Law 81 of 2019
Align internal policies with regulations
Continuous improvement
Periodic evaluation
Internal audits
Security reviews
Privacy-preserving analysis
Data anonymization
Data aggregation
Human factor
Continuous staff training
Accountability
Document processes
Ensure responsibility and oversight
Communication
Provide channels for
Questions
Complaints
Clarifications
Institutional Responsibility and Ethics in Protecting Educational Data
Institutional responsibility means
Acting as guardians of
Personal data
Academic data
Requires policies and procedures
Collection
Storage
Use
Deletion
Includes key roles
Data protection officer / responsible person
Oversees compliance
Manages incidents
Strengthened by
Ongoing staff training
Risks
Security practices
Legal compliance
Ethics requires
Confidentiality and respect
Fairness and transparency
Student well-being as the priority
Transparency includes
Explaining data practices
Describing security measures
Teaching student rights
Access
Correction
Deletion
Objection
Avoid conflicts of interest
Prioritize
Privacy over commercial motivations
Incident management requires
Incident response plan
Detection
Containment
Notification
Remediation
Incident investigation
Root cause analysis
Future prevention actions
Regular audits
Verify
Compliance
Areas for improvement
Data minimization
Reduces exposure and risk
Security across the data lifecycle
Technical
Encryption
Access controls
Organizational
Policies
Training
Promotes an institutional culture
Ethical values
Good practices
Shared responsibility