When introducing e-learning, many HR developers face the question of what to do regarding data protection. After all, a digital learning platform is always associated with personal data. However, data protection and e-learning can essentially be easily reconciled – if you keep a few fundamental things in mind. The three most important tips: consider data protection from the outset, pay attention to transparency, and when in doubt, anonymize data.
The good news upfront: Those who engage with data protection in general need not fear the topic in e-learning either. Laws like the GDPR have contributed to the fact that just mentioning the term data protection causes many people discomfort. Those who are not specialized in data protection often face many questions.
Therefore, I spoke with our blink.it data protection expert, who has completed an intensive data protection training of 60 hours. I wanted to know from him: What can HR developers in companies specifically do to ensure that data protection does not become a problem when introducing new e-learning processes?
Note: All information is based on careful research and consultation with experts. In principle, however, we cannot provide legal advice. For specific questions about your company, it is best to contact your internal data protection officer directly.
In e-learning and offline: This means “data protection must be maintained”
The expert's answers were all illuminating and easy to understand. In principle, it always applies: Data protection must be maintained. Those who process personal data should engage with this, as it applies in the seminar as well as when setting up an e-learning platform for employee training.
Processing personal data is thus generally prohibited, unless you have a legal basis. And you can ensure this by keeping in mind a few tips. A legal basis exists primarily in the following two cases:
The consent of the affected individual is available (in writing).
Another law takes precedence over data protection, e.g., the retention obligation for invoices.
E-learning and data protection? No problem if you obtain the consent of the participants.
Regarding e-learning, the consent of the participants in your employee training is key to maintaining data protection. In principle, our data protection officer has three tips for companies that want to use e-learning:
Consider data protection from the outset
Pay attention to transparency
When in doubt: Anonymize data
What is meant by these broadly summarized tips, I will explain in more detail below.
Tip 1: Consider data protection from the outset
The most important tip that our data protection officer passed on to me: Think about data protection as early as possible and contact the internal data protection officer. Explain to him what type of e-learning is to be used in the context of employee training and inquire about internal data protection regulations.
The best and easiest way to maintain data protection is a consent form from the affected individuals – i.e., the participants of the e-learning or employee training. Important: A consent form cannot be given retroactively. The consent of each participant must already be in place before the platform is used for the first time. That is exactly why you should consider data protection from the outset.
In principle, the following applies to a consent form for processing data:
It cannot be given retroactively.
It can be revoked by the affected individual at any time.
It must be purpose-bound.
The purpose must be time-limited.
Purpose-bound means that the consent is given for a specific use of data processing. The time limit does not need to be stated in calendar days – it is sufficient to relate the processing, for example, to the duration of the employee's employment in the company. In this example, the time limit is reached when the employee leaves the company.
By the way: According to the GDPR, "processing of personal data" refers to any case in which data is written down. This applies to the file folder just as much as to the digital file – whether offline or online. Personal data is considered to be any detail that makes an individual identifiable. More on this at: www.dsgvo-gesetz.de
Considering data protection from the outset means specifically:
Contact the internal data protection officer as soon as the topic of e-learning arises in the company.
Obtain consent from the participants as soon as they register on the e-learning platform.
Tip 2: Pay attention to transparency
Even with a consent form, the data protection officer advises making every processing of data as open and transparent as possible. This means: Inform your training participants when and how each piece of information is stored. For example, if 2,000 participants work on one platform in e-learning and every comment can be viewed by all participants – alert the participants to this, for example with an info text on the platform itself or detailed information in the intranet.
By the way: Anyone who writes their own address on a (freely accessible) website is publishing it. However, if one leaves their address in a protected place on the web, they have not made it public. A barrier is present, for example, if you have to create an account to access a website. Thus, personal data displayed on platforms such as LinkedIn, the intranet, or an e-learning platform must not be shared or otherwise processed.
Transparency in e-learning: Participants should always be clear about when and for what their data is stored and processed.
A transparent e-learning provider
The point transparency applies not only to the disclosure of data processing for the participants. The technology partner of the e-learning platform should also have transparent data protection policies. Check whether your digital provider meets the following requirements:
Options for anonymization, e.g., in quiz questions and examinations
Ability to obtain the consent of participants in a simple and transparent manner before processing
Existence of a contract for data processing
A contract for data processing (AV contract) is mandatory when two parties make an agreement involving the processing of digital data. It specifies the appropriateness and nature of the processing. Ideally, your e-learning provider already has an AV contract that your company or your data protection officer reviews.
And us at blink.it? Data protection is not only fundamentally important to us, but we also place great value on transparency and ease of application of data protection in e-learning. Thus, we not only fulfill the above points but also offer to adapt the consent form during user registration according to our own data protection regulations. This way, individual regulations for you and your participants can also be included. And by the way: All blink.it employees have completed a basic data protection training.
See the data protection regulations of blink.it
Tip 3: When in doubt – anonymize data
If there is no sufficient reason to collect personal data in e-learning, you can still anonymize or pseudonymize the data in the interest of data protection. Thus, when evaluating an online training, it may not be important how the individual participant performed. If it concerns the overall success of the e-learning measure, the trainer should summarize the data in such a way that no conclusions can be drawn about individual results.
In the best case, the trainer can already set the platform in such a way that results from interactive modules such as quiz questions, surveys, or examinations are provided anonymously. That way, you can internally decide whether and to what extent even the trainer can view the personal results.
Involve the data protection officer from the outset, pay attention to transparency, and review the AV contract – then you can reconcile e-learning and data protection without difficulties!
