Andrii Lytvynchuk
https://orcid.org/0000-0002-7523-558X
Hanna Tereshchenko
https://orcid.org/0000-0002-9458-2843
Andrii Kyrianov
https://orcid.org/0000-0003-0452-7689
Yurii Kryvoruchko
https://orcid.org/0009-0007-0494-9749
Yaroslav Solohub
https://orcid.org/0009-0008-5408-9246
INFORMATION SECURITY IN EDUCATIONAL INFORMATION SYSTEMS UNDER THE CONDITIONS OF DIGITAL TRANSFORMATION AND EUROPEAN INTEGRATION: ASPECTS OF PERSONAL DATA PROTECTION
Language: Ukrainian
Abstract. This article explores the topical issues of ensuring information security in Ukraine’s educational information systems amid digital transformation and the country’s path towards European integration. It focuses on threats of data breaches, unauthorised access, and misuse of personal data stored and processed in digital educational environments, particularly in large-scale systems such as the software and hardware complex “Automated Information Complex of Educational Management” (SHC “AICEM”). It is noted that further digitalisation of the educational process necessitates the introduction of comprehensive cybersecurity mechanisms that combine technical, organisational, and legal instruments. The paper outlines the specifics of personal data protection in the field of education, emphasising the increased sensitivity of such data. Particular attention is given to European cybersecurity approaches, based on the principles of “privacy by design and by default”, systematic risk management, and defence-in-depth architecture. Key EU regulations are reviewed, such as the GDPR, NIS2, and the ePrivacy Directive, along with international standards like ISO/IEC 27001:2022 and NIST, which define the requirements for organising information security. Within the framework of the comparative analysis, the differences between the EU and Ukrainian approaches are outlined in terms of legal regulation, institutional structure, technical standards, and the rights of personal data subjects. The need to align national legislation with European standards is emphasised. Using the SHC “AICEM” as an example, practical aspects of personal data protection in educational information systems are demonstrated, including the implementation of cryptographic protection, multi-level authorisation, access control, and audit systems.
The article concludes with recommendations for harmonising Ukrainian practices with EU norms, including the enhancement of legislation, development of educators’ digital competencies, institutionalisation of cybersecurity functions and strengthening the protection of data subjects’ rights.
Keywords: digital transformation, information security, educational information systems, personal data protection, European integration.
https://doi.org/10.32987/2617-8532-2025-2-48-65