Data Privacy in Educational Contexts: Analyzing Perceptions, Practices

and Challenges in Personal Data Protection

Yuri Correia de Barros

and J

essyka Vilela

Centro de Inform

atica, Universidade Federal de Pernambuco (UFPE), Av. Jornalista An

ıbal Fernandes,

s/n – Cidade Universit

aria, Recife-PE, Brazil

Keywords:

Privacy, LGPD, Data Privacy, Educational Environment, Personal Data Protection, Systematic Mapping

Study, Survey.

Abstract:

This study aims to investigate the increasing relevance of data privacy in the educational context as digital

processes and the use of technology become more prevalent in educational institutions. The protection of per-

sonal data, especially in academic environments, is a sensitive and challenging topic due to the large volume of

information shared between students, teachers, and administrators, making the adoption of efﬁcient and secure

practices essential. The study analyzes current data security practices and the challenges faced by educational

institutions in safeguarding personal information. Focusing on the guidelines and requirements established by

data protection laws such as Brazil’s LGPD and the European Union’s GDPR, the research examines both the

legal implications and ethical issues related to the treatment of personal data in the educational ﬁeld. Along-

side a detailed review of best practices and regulatory demands, the study is based on ﬁeld research conducted

through a survey with students and teachers from various institutions, including public universities, private

institutions, and technical schools. The survey’s goal is to understand users’ perceptions of data protection

and to assess their knowledge of the relevant legislation. This approach provides a critical insight into how

prepared students and teachers are to address data privacy challenges in academic settings. The analysis of

the research conducted with educators and students from educational institutions revealed key insights into the

treatment of personal data. The results indicate concerns about transparency and data security, highlighting

the need to improve education on privacy and promote more transparent practices within institutions, in line

with the LGPD, to foster a safer and more ethical environment for students.

1 INTRODUCTION

Technology plays a crucial role in people’s daily lives,

and the collection and processing of personal data

have become common practices. However, the grow-

ing concern about the privacy and security of this in-

formation highlights the importance of protecting it

effectively and responsibly (S

a, 2022)(Santos et al.,

2021).

It is essential to ensure students’ privacy by pre-

venting the unnecessary exposure of their personal

data. This requires implementing clear internal poli-

cies about who can access such information and re-

stricting sharing to authorized individuals only. Ad-

ditionally, raising awareness among students, par-

ents, and teachers about the importance of protect-

ing personal data is critical. Providing clear guide-

https://orcid.org/0009-0004-7490-2127

https://orcid.org/0000-0002-5541-5188

lines on security practices in the digital environment

can signiﬁcantly enhance privacy protections (S

2022)(Machado et al., 2023).

Cultural adaptation within institutions and among

their employees regarding the need to handle personal

data responsibly poses a considerable challenge (San-

tos et al., 2021). These changes require time and in-

vestment in adequate awareness programs and train-

ing. Integrating new data protection practices into

the organizational routine demands ongoing efforts

through regular training and educational campaigns

(Rojas, 2020).

Educational institutions must commit to under-

standing the nuances of the LGPD (General Data Pro-

tection Law) and implementing policies that extend

beyond IT. Engaging all staff members and students

in this journey of awareness and accountability not

only protects personal data but also fosters a safer and

more ethical educational environment. Collaboration

308

Correia de Barros, Y. and Vilela, J.

Data Privacy in Educational Contexts: Analyzing Perceptions, Practices and Challenges in Personal Data Protection.

DOI: 10.5220/0013426900003929

In Proceedings of the 27th International Conference on Enterprise Information Systems (ICEIS 2025) - Volume 2, pages 308-319

ISBN: 978-989-758-749-8; ISSN: 2184-4992

among all stakeholders is essential to cultivate a cul-

ture of respect for privacy and information security,

ensuring everyone is aware of and responsible for ad-

hering to data protection laws and guidelines (Mar-

tirena, 2022).

The collection of personal data is a common prac-

tice in universities, starting during the enrollment pro-

cess when students provide personal information and

documents. This data circulates across various insti-

tutional departments, including academic ofﬁces and

administrative areas.

In addition to personal information, higher educa-

tion institutions also access ﬁnancial data such as ﬁ-

nancing contracts, bank details, and family income.

Furthermore, academic performance and students’

histories throughout their courses are also recorded

(Rosso, 2023).

In the digital era, information is a valuable re-

source, and data protection has become a necessity.

This need has led to the emergence of new legisla-

tion worldwide to regulate data use and processing. A

notable example is the General Data Protection Reg-

ulation (GDPR), effective since 2018 in the European

Union, which inspired the creation of Brazil’s LGPD

(de Lucena et al., 2024).

The improper disposal of documents containing

personal data poses serious risks to individuals. In-

formation such as names, addresses, grades, and aca-

demic records can be exploited by criminals for fraud,

identity theft, reputation damage, and other offenses

(Mackenzie, ).

Each sector has speciﬁc characteristics that de-

serve consideration. In the educational context, the

inherent nature of education—focused on culture dis-

semination, learning, and training—facilitates the

promotion of data protection rules, primarily involv-

ing teachers and students (SERPRO, 2020).

Against this backdrop, it is essential to analyze

how students and teachers understand the collection

and processing of their data under the LGPD. This

study aims to address this through a survey applied

to educational institutions and a systematic literature

review.

This study’s primary objective is to analyze the

various types of personal data collected in educational

institutions and the main problems and challenges re-

lated to data protection in these settings. By explor-

ing the complexity of personal data in this context,

the research seeks to understand which information is

collected, processed, and utilized within educational

environments. Furthermore, it aims to highlight the

growing importance of personal data protection in the

educational community.

Ultimately, the research seeks to understand how

users perceive data protection and assess their level

of knowledge about current legislation in educational

environments. This analysis will provide a critical

perspective to answer the following research ques-

tion: How are personal data collected, processed, and

protected in educational institutions, and what chal-

lenges and practices are associated with their use?

This document is organized as follows: Section

2 presents the main concepts addressed in this study;

Section 3 describes the research methods employed;

Section 4 discusses the ﬁndings; and ﬁnally, Section

5 outlines the conclusions and suggestions for future

research.

2 BACKGROUND AND RELATED

WORK

2.1 LGPD

The General Data Protection Law (LGPD) was in-

spired by the European Union’s General Data Protec-

tion Regulation (GDPR), a regulation focused on pri-

vacy and data protection. In Brazil, the protection of

personal data has been recognized as a fundamental

right, ensuring the right to data protection, including

in digital media, as established by law. The LGPD

aligns with the latest international standards for per-

sonal data protection. It was created to regulate the

use of citizens’ information, including in digital me-

dia, ensuring the rights to privacy, freedom, and per-

sonal development. It applies to any individual or or-

ganization, public or private, that processes personal

data, whether online or ofﬂine (GOVERNO DO ES-

TADO DE ROND

ONIA, 2023). This means that ev-

ery individual has the right to decide how their per-

sonal data will be used by others, including compa-

nies and government entities.

The LGPD outlines its main principles for per-

sonal data protection in Article 2. These principles in-

clude respect for privacy, ensuring fundamental rights

such as the inviolability of intimacy, honor, and pri-

vate life. Another crucial aspect is informational self-

determination, which grants citizens control over their

data. The law also protects freedom of expression,

information, and opinion while promoting economic

and technological development by fostering a legally

secure environment. Additionally, the LGPD rein-

forces free enterprise, fair competition, and consumer

protection while safeguarding human rights, dignity,

and citizenship (BRASIL, 2018).

Thus, the LGPD aims to balance the protection

of fundamental rights by modernizing and clarifying

concepts to minimize risks and establish clear rules

Data Privacy in Educational Contexts: Analyzing Perceptions, Practices and Challenges in Personal Data Protection

309

for the processing of personal data (Maldonado and

(Coord.), 2020).

The LGPD sets essential rules for personal data

use, ensuring security and respect for privacy. Data

must be processed for legitimate and speciﬁc pur-

poses, as informed to the data subject. Only necessary

information should be used, and individuals have the

right to easy and free access to information about their

data. The data must be accurate and up to date, and

processing must be transparent, providing clear infor-

mation about how and by whom the data is used. Se-

curity measures must be adopted to prevent unautho-

rized access or issues such as loss and alterations. The

LGPD also prohibits data use for discriminatory pur-

poses, requiring accountability and compliance from

those processing the data.

2.2 Educational Environment

The term ”educational environment” is used in vari-

ous contexts and can seem broad. Generally, it refers

to any context where teaching and learning processes

occur. It can also be described as the ”educational

context” or ”educational space.”

The educational environment not only inﬂuences

the quality of education but also determines the suc-

cess of learning outcomes. An essential aspect of this

deﬁnition is the active role of the student, who is not

merely a recipient but also a participant in the envi-

ronment, taking part in its maintenance and improve-

ment. Thus, the educational environment includes not

only the infrastructure and resources provided by the

institution but also the human interactions and emo-

tional conditions that directly impact educational de-

velopment (de A. Troncon, 2014).

2.3 Related Works

(Baloyi and Kotz

e, 2017) conducted an investigation

through a survey into the perceptions and practices

of individuals in South Africa regarding the use of

their personal information. The study aimed to un-

derstand privacy concerns, knowledge levels about

legal rights, and risks associated with data shar-

ing. Using a 12-question ”yes” or ”no” question-

naire with snowball sampling, the research gathered

138 responses from diverse professional ﬁelds such

as healthcare, telecommunications, and information

technology. Key ﬁndings revealed that 79% of par-

ticipants do not read privacy policies, highlighting

a tendency to prioritize convenience over data secu-

rity. Despite this, nearly 80% recognized the dan-

gers of data misuse, while 20.3% did not share this

perception. Furthermore, nearly 72% of respondents

expressed distrust in organizations’ ability to protect

their data, indicating that transparency and security

practices are not yet deemed reliable. The study

concludes that, although awareness of privacy impor-

tance is growing, many South Africans are unaware of

their legal rights and underestimate the risks of data

misuse. The article recommends educational cam-

paigns and increased transparency from organizations

to build trust and enhance personal data security.

(Martinovic and Ralevich, 2007a) discuss the

complexity of privacy in educational systems, empha-

sizing its growing relevance as digital technology ex-

pands. They argue that educational institutions face

challenges in managing students’ personal data, par-

ticularly on online platforms, and stress the need for a

comprehensive approach to handle this data securely

and ethically. The authors highlight that privacy con-

cepts vary by cultural and political context, citing ex-

amples from the United States, where privacy focuses

on individual freedom; the European Union, which

prioritizes human dignity; and Canada, where there is

a balance between concerns over government surveil-

lance and private sector misuse. They analyzed types

of personal data collected by educational institutions,

such as student identities, academic performance, and

demographic data, highlighting risks associated with

improper handling. They also explored data secu-

rity practices like partial encryption and two-step ac-

cess controls, which may be insufﬁcient for guaran-

teeing data security. The study underscores the lack

of awareness among users, including students and

teachers, about data security practices and calls for

greater transparency and rigorous institutional prac-

tices to ensure privacy protection.

(Mollick and Pearson, 2003) investigated how stu-

dents’ concerns about the collection and use of their

personal data by universities inﬂuence their sense

of ”alienation.” Conducted with 187 students from a

U.S. university, the study used a questionnaire to as-

sess the impact of these concerns. The authors identi-

ﬁed two main concerns: data collection and data use.

Lack of transparency in institutional data collection

practices emerged as a signiﬁcant factor contributing

to distrust. Students felt inadequately informed about

how their information was collected and used, leading

to feelings of insecurity. The study also revealed that

concerns over the collection of sensitive data, such as

race and sexual orientation, were strongly linked to

alienation. The ﬁndings suggest that universities need

to be more transparent about their data practices to

reduce student concerns and improve trust.

(E. Mougiakou and Virvou, 2020) focused on

compliance of educational platforms with the Gen-

eral Data Protection Regulation (GDPR). They high-

ICEIS 2025 - 27th International Conference on Enterprise Information Systems

310

lighted the need for educational practices to respect

students’ rights and privacy. The study identiﬁed

challenges faced by educational institutions in imple-

menting synchronous and asynchronous learning plat-

forms. One key ﬁnding was that lack of clarity in data

collection and usage could infringe on user rights,

such as the ”Right to be Informed” and the ”Right

to Object,” as stipulated by the GDPR. The authors

proposed practical suggestions for designing GDPR-

compliant educational platforms, including conduct-

ing Data Protection Impact Assessments (DPIAs) be-

fore data processing and clearly communicating user

rights. They emphasized the importance of education

and awareness among students and stakeholders re-

garding data privacy risks. By ensuring ethical and

responsible handling of student data, institutions can

improve learning experiences and foster trust.

The comparison presented in Table 1 highlights

the methodologies, participants, privacy laws, and

conclusions of several related studies, alongside the

current research. Each study contributes unique in-

sights into privacy and data protection across differ-

ent contexts, illustrating diverse approaches and out-

comes.

Table 1: Comparison of Related Works and our Study.

Authors Method #d Privacy

Law

Conclusion

N. Baloyi

and P.

Kotz

(2017)

Survey 138 POPI

and

PAI

Actions and recom-

mendations to enhance

awareness and protection

of personal data in South

Africa.

Mollick

J.S. and

Pearson

J.M.

(2003)

Survey 187 USA Recommendations for

improving privacy prac-

tices in universities.

Martinovic

D. and

Ralevich

V. (2007)

Data

Model

Com-

pari-

son

Not

Appli-

cable

Various

(USA,

Canada,

EU)

Critical analysis of pri-

vacy issues in educa-

tional systems, highlight-

ing the importance of

regulations.

Mougiakou

et al.

(2020)

Review

Prac-

tices

Not

Appli-

cable

GDPR Guidelines for managing

personal data in educa-

tional institutions, with a

focus on GDPR compli-

ance.

This

Study

(2024)

Survey 125 LGPD Analyze students’ and

teachers’ perceptions of

personal data protection

in educational environ-

ments.

3 RESEARCH METHOD

The study utilized the survey and systematic review

methodologies due to their effectiveness in collecting

and analyzing data consistently. The research steps

conducted in each method are described in the next

sections.

3.1 Survey

Following the framework by (Kasunic, 2005), the sur-

vey aimed to gather insights into user perceptions of

data privacy and LGPD compliance in educational

settings. The survey aimed to answer the Survey Re-

search Questions (SURQ) listed in the ﬁrst column of

Table 2.

The survey was conducted following ﬁve steps.

Deﬁnition and Objectives: The research deﬁned

its goals through preliminary studies focusing on data

privacy culture, legislation, and user understanding.

This informed the research direction to address the

challenges in educational contexts.

Target Audience: The participants included pro-

fessors and students from public, private, and techni-

cal higher education institutions. The aim was to cap-

ture a comprehensive understanding of their knowl-

edge and concerns about data handling.

Questionnaire Design: A structured question-

naire was developed, starting with general questions

and moving toward more speciﬁc ones. It comprised

4 common proﬁle questions for all participants and 10

tailored questions for students and professors, along

with one open-ended question for each group. Google

Forms was used for its accessibility and reach. The

questions are listed in the second column of Table 2.

Pilot Test: A pilot test with two participants en-

sured clarity and improved question phrasing. The

survey duration averaged 5 minutes, balancing com-

prehensiveness and participant engagement.

Distribution: The questionnaire was distributed

via institutional emails and social media platforms

such as WhatsApp and Instagram from August 6 to

September 21, 2024, encouraging voluntary partici-

pation and further sharing.

Response Analysis: The survey received 125 re-

sponses (17 professors, 108 students) with a total

of 15 open-ended comments. The data provided in-

sights into participants’ perceptions of privacy and

their knowledge of LGPD.

The analyses obtained from the results are pre-

sented in Section 4 of this work. The application of

the survey allowed for collecting volunteers’ general

impressions regarding privacy and security, as well as

evaluating their level of knowledge about the General

Data Privacy in Educational Contexts: Analyzing Perceptions, Practices and Challenges in Personal Data Protection

311

Table 2: Mapping of Survey Research Questions to Survey

Questions.

Survey Research

Question

Survey Questions

SURQ1. What

is the level of

knowledge of stu-

dents and teachers

about regulations

and practices for

personal data

protection in the

educational envi-

ronment?

• How do you evaluate your knowledge of your

privacy rights?

• How do you evaluate your knowledge about

the General Data Protection Law (LGPD)?

• Do you know how to request the correction

or deletion of your personal data at the educa-

tional institution?

• Do you know whom to contact at the institu-

tion regarding data protection issues?

SURQ2. What

practices and poli-

cies are perceived

by participants

regarding the col-

lection, processing,

protection, and

transparency of

personal data?

For teachers:

• Did the institution provide training on LGPD?

• Are you aware of the privacy policies?

• Do you know how to protect students’ per-

sonal data?

• Are the collected data secure?

• Is the data processing ethical?

• Is the data processing transparent?

For students:

• Do you have easy access to privacy policies?

• Is consent requested clearly and explicitly?

• Are students’ personal data secure?

SURQ3. What

are the main con-

cerns, challenges,

and perceptions

about personal

data processing

in educational

institutions?

For teachers:

• Have you processed students’ personal data?

• What personal data have you processed?

• Have you dealt with data protection-related

issues?

For students:

• How concerned are you about data protec-

tion?

• Have you experienced or know someone who

has experienced data misuse or leaks?

• What data do you believe the institution col-

lects?

Data Protection Law within the educational environ-

ment.

3.1.1 Threats to Validity

When designing a survey, it is essential to be aware

of threats to validity, as they can compromise the ac-

curacy of the results obtained. Two main types of va-

lidity were considered: construct validity, which eval-

uates whether the questionnaire truly measures what

it is intended to measure, and external validity, which

examines to what extent the results can be applied to

different groups, contexts, or time periods.

To minimize these threats, the survey was care-

fully designed, aligning each question with the re-

search objectives. Through a pilot test, the survey was

structured to avoid ambiguous interpretations, with a

clear order of questions. Additionally, the total re-

sponse time was planned to be concise, to avoid de-

motivation or rushed and uninterested answers. The

questionnaire was distributed to students and teachers

from various ﬁelds and higher education institutions,

including public, private, and technical universities,

encompassing a diversity of proﬁles and experiences.

Furthermore, the survey was disseminated at two dif-

ferent points during the academic period to ensure

that the responses were not inﬂuenced by a speciﬁc

moment.

3.2 Systematic Literature Review

A Systematic Literature Review (SLR) was con-

ducted following the guidelines outlined by (Kitchen-

ham et al., 2009) to systematically collect and analyze

relevant data on personal data processing in the edu-

cational environment.

3.2.1 Planning the Review

To effectively design the SLR, it was essential to

develop research questions to guide the search and

selection processes. Therefore, the central research

question (How are personal data collected, pro-

cessed, and protected in educational institutions, and

what challenges and practices are associated with

their use?) was expanded into the following sec-

ondary questions:

• Q1 - What are the most common problems and

challenges related to personal data protection

faced by teachers and students in educational in-

stitutions?

• Q2 - What are the main practices adopted by ed-

ucational institutions to ensure compliance with

GDPR/LGPD in personal data processing?

• Q3 - What personal data is handled by educational

institutions?

• Q4 - What type of data processing is carried out?

To thoroughly address these research questions, a

comprehensive search string was designed to capture

the core concepts and ensure the focused and exten-

sive retrieval of relevant literature. The search string

integrates the key terms ””personal data processing”

and ”educational” context resulting in the following

search string:

(”personal data processing” OR ”personal data

handling” OR ”personal data storage” OR ”personal

ICEIS 2025 - 27th International Conference on Enterprise Information Systems

312

data collection” OR ”subject data processing” OR

”subject data handling” OR ”subject data storage”

OR ”subject data collection”) AND (”educational”

OR ”educational institution” OR ”high school” OR

”university”).

3.3 Conducting the Review

The research methodology adopted for this study in-

cluded an automated search performed across ﬁve

leading academic databases: IEEE, Science Direct,

ACM, Scopus, and SOL (SBC Open Lib)

In the initial search, 126 results were obtained

across the ﬁve databases: IEEE (80 articles), Science

Direct (3 articles), ACM (4 articles), Scopus (39 arti-

cles), and no articles were returned from SOL.

A systematic three-step selection process was em-

ployed to select the relevant studies. In the ﬁrst step, a

pre-selection process applied exclusion criteria based

solely on the abstract. These criteria included studies

that were unavailable for access, required payment,

were duplicates, fell outside the deﬁned research area,

were early access articles, or had fewer than four

pages.

The second step implemented inclusion criteria to

reﬁne the selection further. These criteria were as fol-

lows: (1) articles published between 2018 and 2023,

(2) articles written in English or Portuguese, (3) stud-

ies within the ﬁeld of computer science or related

disciplines, and (4) publications categorized as jour-

nal articles, conference papers, or similar scholarly

works. After ﬁltering based on the title and abstract,

110 articles remained, with an additional 18 articles

approved after analyzing their introduction and con-

clusion sections, resulting in a total of 17 articles.

In the ﬁnal step, quality criteria were applied to

evaluate each study. These criteria used were ”clear

context,” ”well-deﬁned methodology,” ”practical ap-

plication,” ”relevant and consistent discussion,” and

”limitations and threats of the research addressed.”

A grading system was used, assigning scores of 0,

0.5, or 1 for each criterion, with a maximum possi-

ble score of 5 points per study. Studies scoring below

2.5 points were excluded, and any article scoring zero

in the ”Answers at least one research question” crite-

rion was also discarded. Ultimately, 6 papers, listed

in Table 3, were selected to data extraction.

3.3.1 Threats to Validity

The primary threat to validity in the systematic re-

view was the difﬁculty in ﬁnding articles within the

https://sol.sbc.org.br/index.php/indice

Table 3: Selected Papers on Data Privacy in Educational

Contexts.

ID Title Authors Citation

S1 Synchronous and Asyn-

chronous Learning Methods

under the light of General

Data Protection Regulation

E. Mougiakou;

S. Papadim-

itriou; M.

Virvou

(Mougiakou

et al.,

2020)

S2 Do users know or care about

what is done with their per-

sonal data: A South African

study

N. Baloyi; P.

Kotz

(Baloyi

and

Kotz

2017)

S3 Towards automated personal-

ized data storage

J. Lange; A.

Labrinidis; P.

K. Chrysanthis

(Lange

et al.,

2014)

S4 Effects of Two Information

Privacy Concerns on Students’

Feeling of Alienation

Mollick J.S.;

Pearson J.M.

(Mollick

and

Pearson,

2003)

S5 Personal Learning Environ-

ments as socio-technical sys-

tems: does decentralised data

ﬁnally give us the right bal-

ance

Rajagopal K. (Rajagopal,

2023)

S6 Privacy issues in educational

systems

Martinovic D.;

Ralevich V.

(Martinovic

and Rale-

vich,

2007b)

restricted scope of the research, which speciﬁcally fo-

cused on the educational context and its relation to

LGPD. Most of the identiﬁed articles addressed data

protection in broader scopes, complicating the acqui-

sition of materials that dealt speciﬁcally with educa-

tional environment dynamics. Only one directly re-

lated article was identiﬁed, which limited the scope

of the conclusions.

Moreover, challenges arose in constructing the

search string. The limitations imposed by connec-

tors in Science Direct, where only eight connectors

were allowed, may have restricted more satisfactory

results. To address this issue, the search string was

adjusted to include terms more focused on the central

theme, but the limitation of speciﬁc articles persisted.

4 RESULTS

4.1 Survey Results

4.1.1 Subjects’ Proﬁle

The participant proﬁle reveals two distinct groups:

professors and students. Among students, 67% fall

within the 18-25 age range, indicating a concentra-

tion of young adults, followed by participants aged

26-35. For professors, the age distribution is more

balanced, with the highest proportion in the 46-55 age

Data Privacy in Educational Contexts: Analyzing Perceptions, Practices and Challenges in Personal Data Protection

313

range, followed by equal representation in the 26-35

and 36-45 brackets, and a smaller group over 55 years

old. Most participants (96%) are afﬁliated with pub-

lic universities, likely due to the institutional email

channels used for recruitment. Additionally, 86.4%

of respondents are students, emphasizing the study’s

strong focus on this group.

4.1.2 Level of Knowledge About User Rights

Under LGPD

There are notable differences in the distribution of re-

sponses regarding the level of knowledge students and

professors have about the General Data Protection

Law (LGPD), particularly at the extremes of ”very

little” and ”very good.” Among students, only 1.9%

claimed to have a very good understanding, while

34.3% reported very limited knowledge. Professors

demonstrated similar patterns, with 5.9% evaluating

their knowledge as very good and 11.8% as very lit-

tle. Most participants, however, fell within the ”mod-

erate” and ”low” categories, with 58.8% of professors

and 55.6% of students indicating intermediate levels

of knowledge. Additionally, professors were slightly

more likely to rate their knowledge as ”good,” sug-

gesting a somewhat stronger understanding of LGPD

among faculty. Figure 1 illustrates these ﬁndings.

Figure 1: Perception of Knowledge about LGPD by Profes-

sors and Students.

4.1.3 Professors’ Perception of Personal Data

Handling in Educational Institutions

Regarding the courses in which the professors

teach, the majority, 58.8%, selected ”Other” as their

course category, suggesting a variety of disciplines

not explicitly listed. ”Computer Science” follows

with 52.9%, and ”Information Systems” with 17.6%.

Additional courses, including ”Biomedical Sciences,”

”Medicine,” and ”Computer Engineering,” were rep-

resented by 5.9% each. No responses were recorded

for the remaining listed courses, such as Adminis-

tration, Social Sciences, Law, Mathematics, and oth-

ers. This distribution highlights a predominance of re-

spondents involved in diverse and technology-related

disciplines.

Most professors (58.8%) reported that their in-

stitutions did not offer training or guidance on

LGPD, with 29.4% having received some training

and 11.8% unsure (Figure 7). Regarding awareness

of privacy and data protection policies, 76.5% of pro-

fessors were unaware, with 11.8% either aware or un-

sure.

When asked about knowledge of procedures to

protect students’ personal data, 64.7% of profes-

sors reported being unaware of such procedures, com-

pared to 29.4% who were informed and 6% who were

uncertain.Regarding trust in the institution’s data

storage security, 47% believed the data was secure,

while 29.4% were unsure, and 23.5% disagreed.

Ethical concerns about data collection and han-

dling revealed that 64.7% of professors believed the

practices were ethical, 29.4% were unsure, and 5.9%

disagreed.Transparency during data collection was

also a concern, with 41.2% unsure, 35.3% agreeing

it was transparent, and 23.5

Regarding experience with personal data han-

dling, presented in Figure 2, 47.1% of professors had

performed data-related activities, while 35.3% had

not, and 17.6% were unsure.The most commonly han-

dled data types were names (58.8%), enrollment num-

bers (47.1%), and CPF numbers (a unique Brazilian

taxpayer registry number - 29.4%). Other data types,

such as ethnic origin and health data, were handled

by smaller proportions, while some categories, such

as religious beliefs and political opinions, were not

handled at all.

Figure 2: Types of Student Personal Data Processed by Re-

spondents.

Notably, none of the professors reported en-

countering issues related to personal data pro-

tection involving students.A single participant ex-

pressed concern in an open-ended question, stating

they lacked knowledge on the subject.

ICEIS 2025 - 27th International Conference on Enterprise Information Systems

314

4.1.4 Students’ Perception of Personal Data

Handling in Educational Institutions

Regarding the courses in which students are en-

rolled, 30.6% selected ”Other,” indicating a variety

of disciplines not explicitly listed. ”Computer Sci-

ence” follows closely with 28.7%, while ”Dentistry”

accounts for 12%. ”Information Systems” represents

11.1%, and ”Computer Engineering” and ”Physio-

therapy” each account for 8.3%. ”Psychology” was

the least represented, with 1% of responses. This

distribution highlights a signiﬁcant representation of

technology-related courses, while also reﬂecting di-

versity among other disciplines.

Students expressed signiﬁcant concerns about

data privacy, with 60% worried about protecting per-

sonal information, 56% concerned about sharing data

with online companies, and 46% about sharing with

ofﬂine entities. Only 3% reported no concern across

all topics (Figure 3). Regarding knowledge of privacy

rights, most students reported low levels of aware-

ness, with only 8.3% indicating good knowledge and

1.8% very good knowledge.

Figure 3: Levels of Concern Regarding Personal Informa-

tion.

When asked if they knew someone affected by

improper data usage or leaks, 62% responded af-

ﬁrmatively, 28.7% negatively, and 9.3% were un-

sure. Students also identiﬁed common data types col-

lected by institutions, including CPF (99.07%), RG

(94.44%), phone numbers (93.52%), and enrollment

numbers (91.67%). Less frequently mentioned cate-

gories included religious beliefs (9.26%) and political

afﬁliations (4.63%) as presented in Figure 4.

Regarding access to privacy policies, 51% were

unsure, 44.5% found access difﬁcult, and only 4.5%

found it easy.Similarly, 83% of students were un-

aware of how to request data correction or deletion,

with only 11.1% knowing the process.

Students were divided on whether their data was

secure with the institution: 38% disagreed, 32.5%

were unsure, and 30% agreed.Transparency regard-

ing consent for data collection and sharing was also

Figure 4: Levels of Concern Regarding Personal Informa-

tion.

questioned, with 42.6% unsure, 37% disagreeing, and

20.4% agreeing.Lastly, 78% of students did not know

whom to contact for data-related issues, with only

15.7% aware of the appropriate channels.

4.1.5 Summary of the Survey Research

Questions

SRQ1: What is the level of knowledge of students and

teachers about regulations and practices for personal

data protection in the educational environment?

The study found that both students and teach-

ers exhibit limited knowledge regarding the General

Data Protection Law (LGPD) and their privacy rights.

Among students, only 1.9% reported having a ”very

good” understanding, while 34.3% admitted to having

”very little” knowledge. Professors showed slightly

better awareness, with 5.9% rating their knowledge as

”very good” and 11.8% as ”very little.” Most partici-

pants fell within the ”moderate” or ”low” categories,

with 58.8% of professors and 55.6% of students indi-

cating intermediate levels of knowledge. This demon-

strates a signiﬁcant gap in awareness and highlights

the need for educational initiatives. Moreover, many

professors noted the absence of institutional training

on data protection laws, with 58.8% conﬁrming they

had not received any training. These results empha-

size that both students and teachers are inadequately

prepared to address data privacy challenges in educa-

tional environments.

SRQ2: What practices and policies are perceived

by participants regarding the collection, processing,

protection, and transparency of personal data?

The study revealed several concerns and deﬁcien-

cies in institutional practices and policies related to

personal data handling. Among professors, 76.5%

were unaware of their institution’s privacy policies,

and 64.7% did not know how to protect student data.

Only 47% of professors believed that the collected

data was securely stored, and 35.3% considered the

data collection process transparent. Training gaps

Data Privacy in Educational Contexts: Analyzing Perceptions, Practices and Challenges in Personal Data Protection

315

were evident, with nearly 59% of professors stating

they had not received guidance on the LGPD.

Students, on the other hand, struggled with access-

ing privacy policies, with 51% unsure about how to

ﬁnd them and 44.5% ﬁnding access difﬁcult. Trans-

parency issues were also a concern, as 42.6% of stu-

dents were unsure whether consent for data collection

was explicitly requested, and 37% disagreed entirely.

Regarding the security of personal data, 38% of stu-

dents believed their data was not secure, compared to

30% who thought it was secure. These ﬁndings reﬂect

a systemic lack of communication and transparency

between institutions and their members.

SRQ3: What are the main concerns, challenges,

and perceptions about personal data processing in

educational institutions?

Both students and teachers expressed signiﬁcant

concerns about the handling of personal data in ed-

ucational settings. For students, key challenges in-

cluded a lack of transparency about what data was

collected and how it was used, as well as fears about

data misuse. Notably, 62% of students knew someone

who had experienced a data breach or improper data

usage. Students also expressed high levels of concern

about data sharing with online companies (56%) and

ofﬂine entities (46%).

Professors reported handling various types of stu-

dent data, including names (58.8%), enrollment num-

bers (47.1%), and CPF (29.4%). However, many pro-

fessors (64.7%) were unaware of proper procedures

for safeguarding student data, highlighting a gap in

institutional support and training. Furthermore, eth-

ical concerns were raised, with 29.4% of professors

unsure whether their data handling practices were eth-

ical.

The study underscores the need for robust insti-

tutional measures to address these concerns, such as

clearer privacy policies, enhanced training programs,

and the promotion of transparency in data collection

and processing practices.

4.2 Results of the Systematic Literature

Review

RQ1: What are the most common problems and chal-

lenges related to personal data protection faced by

teachers and students in educational institutions?

• Lack of transparency in data collection: Failing to

inform users about the data being collected con-

ﬂicts with the right to be informed, as established

by the GDPR. This issue is common in educa-

tional platforms, which often do not clearly dis-

close what information is being stored or used

(Mougiakou et al., 2020).

• Lack of awareness of legal rights: While not

speciﬁcally addressing educational institutions,

(Baloyi and Kotz

e, 2017) identiﬁed the lack of

knowledge about data collection and processing

rights as a critical challenge. Only 45.7% of re-

spondents were aware of their legal rights, leaving

a signiﬁcant number of individuals without ade-

quate information to protect their data.

• Concerns about data usage: Students expressed

concerns during interviews, highlighting that they

are not adequately informed about how universi-

ties use the data they collect. This lack of clarity

fosters insecurity about the handling of personal

information (Mollick and Pearson, 2003).

• Skepticism about institutions’ use of data: Teach-

ers and students display distrust regarding how ed-

ucational institutions use their personal data (Ra-

jagopal, 2023).

• Difﬁculty understanding data security: Even

among those with technological knowledge, many

still struggle to comprehend the importance of

data security and how to ensure privacy in digital

environments. This indicates a signiﬁcant gap in

education about privacy and data protection (Mar-

tinovic and Ralevich, 2007b).

RQ2: What are the main practices adopted by

educational institutions to ensure compliance with

GDPR/LGPD in personal data processing?

Use of two-factor access controls and data encryp-

tion: However, the article mentions that these mea-

sures are insufﬁcient to adequately protect sensitive

data and ensure individual privacy (Mackenzie, ).

RQ3: What personal data is handled by educa-

tional institutions?

According to the work of (Mackenzie, ), educa-

tional institutions using the SAM Learning platform

collect and handle various personal data from stu-

dents. These include ﬁrst name, last name, enroll-

ment number, gender, date of birth, registration group,

academic year, classes, and enrollment. Addition-

ally, according to (Mougiakou et al., 2020), the Intel-

ligent Tutoring System (ITS) collects and processes

student data using advanced techniques. When stu-

dents choose to participate in the system’s exercises,

they must create an account, granting the platform ac-

cess to their email. However, it is not explicitly spec-

iﬁed what other data is collected by the platform.

RQ4: What type of data processing is carried out?

The processing involves collecting, storing, and

processing data to generate progress reports, create

produce statistical reports. Additionally, the data en-

sures that students’ information remains complete and

ICEIS 2025 - 27th International Conference on Enterprise Information Systems

316

up-to-date, especially in cases of transfer. This pro-

cessing serves both administrative and educational

purposes (Mackenzie, ).

4.3 Discussion

The survey conducted with professors and students

from educational institutions revealed signiﬁcant in-

sights into their perceptions and knowledge regard-

ing personal data handling. The sample was predomi-

nantly composed of young adults aged 18 to 25 (58%

of all respondents), indicating a strong concentration

of students in their early stages of education. Addi-

tionally, most participants (96%) were afﬁliated with

public universities, which may limit the generalizabil-

ity of results to other types of institutions that could

have different approaches to handling personal infor-

mation.

Regarding participant proﬁles, 86.4% were stu-

dents, while professors represented 13.6%. Despite

the smaller proportion of faculty, their participa-

tion was notable compared to recent university data

(2022), indicating that professors comprise approx-

imately 7% of the academic community. The sur-

vey’s 13.6% faculty representation thus nearly dou-

bles the institutional average, reﬂecting strong en-

gagement with the topic and enriching the diversity

of perspectives analyzed.

Data Security Perception and Awareness. Com-

paring the data security perceptions of professors and

students reveals shared concerns. While 47% of pro-

fessors believe student data is secure, only 29.6% of

students share this view. This discrepancy suggests

insecurity among students and highlights a potential

weakness in implementing robust information secu-

rity policies. Both groups’ signiﬁcant lack of trust in-

dicates the urgent need for institutions to review and

strengthen their security practices to ensure LGPD

compliance and build trust among stakeholders (Fig-

ure 5).

Awareness of Privacy Policies Also Reveals

Critical Issues. While 76.5% of professors reported

being unaware of these policies, 44.5% of students

reported difﬁculty accessing them, and 51% were un-

sure. This lack of transparency contradicts LGPD

principles and undermines trust between institutions

and their members. Transparency and Training

The transparency of data collection processes

was also concerning. Only 35.3% of professors con-

sidered data collection transparent, while 42.6% of

students were unsure if consent was obtained explic-

itly and 37% disagreed entirely. The absence of clear

informed consent processes jeopardizes the integrity

of data collection practices and may further erode

Figure 5: Comparison (normalized percentage) between

Students and Teachers regarding the perception of the secu-

rity of students’ personal data at the educational institution.

trust.

Training Deﬁciencies Exacerbate the Issue.

Nearly 58.8% of professors had no training or

guidance on LGPD, and most students assessed

their knowledge as ”very limited” (34.3%) or ”low”

(30.6%). This correlation suggests that insufﬁcient

faculty training may directly impact students’ aware-

ness of personal data protection.

Data Handling and Concerns. Both groups

identiﬁed ”name,” ”enrollment number,” ”CPF,” and

”phone number” as the most commonly handled or

collected data. Among professors, ”name” was the

most handled (59%), while 88% of students believed

it was collected. However, students’ perception that

”CPF” is frequently collected (99.07%) contrasts with

professors’ practices, where only 30% reported han-

dling this data. This disparity might arise from stu-

dents associating CPF usage with academic identiﬁ-

cation.

Concerns about data sharing with online com-

panies were most pronounced, with 32% of students

expressing extreme concern. This reﬂects widespread

distrust of digital platforms.

Finally, the survey highlighted signiﬁcant gaps in

understanding data protection procedures. More

than 64.7% of professors did not know how to safe-

guard student data in academic activities, and 83% of

students did not know how to request data correction

or deletion, underscoring institutional failures in pro-

viding clarity.

Open-Ended Responses Highlighted Growing

Concerns About Data Protection in Educational

Settings. Participants emphasized issues like im-

proper use of sensitive information, such as CPF, and

a lack of transparency in data storage and manage-

ment. Some expressed interest in understanding how

data is stored, revealing a demand for greater trans-

parency and accessibility of privacy policies. These

reﬂections underscore the need for robust measures

Data Privacy in Educational Contexts: Analyzing Perceptions, Practices and Challenges in Personal Data Protection

317

to ensure LGPD compliance and data security for all

stakeholders.

5 CONCLUSIONS AND FUTURE

WORK

Currently, technology plays an essential role in peo-

ple’s daily lives, and the collection and processing of

personal data have become common practices. How-

ever, growing concerns about privacy and information

security emphasize the importance of protecting such

data effectively and responsibly [1].

It is crucial to ensure student privacy by avoiding

the unnecessary exposure of their personal data. This

requires well-deﬁned internal policies regarding who

can access such information and limiting its sharing to

authorized individuals only. Moreover, raising aware-

ness among students, parents, and teachers about the

importance of protecting personal data is vital. Insti-

tutions should provide clear guidance on how to act

safely in digital environments [1].

Adapting an institution and its staff to the ne-

cessity of processing personal data is a considerable

challenge, as such transformations require time and

investments in adequate awareness and training pro-

grams. These changes do not happen quickly and de-

mand ongoing efforts, such as regular training ses-

sions and educational campaigns, to integrate new

data protection practices into organizational routines

[2, p. 20].

Educational institutions must commit to under-

standing the nuances of LGPD (General Data Protec-

tion Law) and implementing policies that go beyond

information technology. By engaging all profession-

als and students in this journey of awareness and re-

sponsibility, institutions not only protect personal data

but also foster a safer and more ethical educational en-

vironment. Collaboration among stakeholders is fun-

damental to cultivating a culture of respect for pri-

vacy and information security, ensuring that everyone

is aware of and accountable for compliance with data

protection laws and guidelines [3, pp. 77-78].

5.1 Research Contributions

This research on personal data protection in educa-

tional settings provides valuable insights into the gaps

and challenges in this context. It sheds light on how

teachers and students deal with privacy and the man-

agement of their personal information.

One of the main contributions is the urgent need

for training and awareness. The survey revealed that

many stakeholders are unaware of proper procedures

for protecting their data or requesting corrections or

deletions, highlighting a critical area for improvement

by institutions. This ﬁnding reinforces the importance

of educational initiatives to enhance understanding of

privacy-related rights and responsibilities.

Another important point is the growing distrust re-

garding data sharing. The lack of transparency and

perceived insecurity in data handling jeopardizes trust

among students, teachers, and institutions. Survey

results, combined with ﬁndings from related studies,

underscore the need for more ethical and secure data-

handling practices.

The study also highlights that although educa-

tional institutions collect and store vast amounts of

data, many users do not fully understand how this in-

formation is processed. This calls for more transpar-

ent and accessible communication, ensuring that all

stakeholders have clarity about the use of their data.

There are very few studies that focus on how

personal data is handled in educational institutions,

which makes it harder to improve understanding and

create effective practices in this area. From the analy-

sis, only six articles met the inclusion criteria, show-

ing a clear gap in research that connects data protec-

tion laws, like the LGPD, with the reality of schools

and universities. This lack of studies highlights the

need for more research to better understand the chal-

lenges these institutions face, such as following legal

rules, dealing with ethical issues, and ﬁnding solu-

tions that ﬁt their speciﬁc needs. Increasing research

on this topic is important to create safer and more

transparent ways of handling personal data, helping

students, teachers, and administrators feel more con-

ﬁdent and informed.

These contributions are essential for building

a safer, more transparent educational environment

aligned with LGPD requirements, promoting more

ethical and secure personal data handling practices.

5.2 Future Work

To expand and deepen research on personal data pro-

tection in educational settings, several future direc-

tions can be pursued. Firstly, conducting more de-

tailed studies to identify the main difﬁculties faced

by educational institutions in implementing LGPD

would be valuable.

Expanding research to include data from different

educational levels, such as elementary and technical

schools, and more diverse proﬁles among stakehold-

ers would allow a more comprehensive analysis of

how data protection is addressed in varied educational

contexts.

Additionally, developing and testing technologi-

ICEIS 2025 - 27th International Conference on Enterprise Information Systems

318

cal solutions that facilitate compliance with data pro-

tection regulations, such as automated consent man-

agement tools and personal information management

systems, would be beneﬁcial. Conducting longitudi-

nal studies to evaluate the impact of data protection

practices over time, particularly regarding the trust

that students and teachers place in institutions, is an-

other promising avenue.

Finally, exploring how data protection policies in-

ﬂuence students’ academic experiences by analyzing

the impact of data collection and processing on their

perception of privacy and security in educational in-

stitutions could provide valuable insights.

ACKNOWLEDGEMENTS

We would like to thank all subjects that participated

in the study.

REFERENCES

Baloyi, N. and Kotz

e, P. (2017). Do users know or care

about what is done with their personal data: A south

african study. In 2017 IST-Africa Week Conference

(IST-Africa), pages 1–11. IEEE.

BRASIL (2018). Lei nº 13.709, de 14 de agosto de 2018.

Lei Geral de Protec¸

ao de Dados Pessoais (LGPD). Ac-

cessed: 2024-09-09.

de A. Troncon, L. E. (2014). Ambiente educacional.

Medicina (Ribeir

ao Preto), 47(3):264–271. Accessed:

2024-10-08.

de Lucena, B. A., Neves, I. V. B. W., de Alc

antara, J. B.,

Camarago, M. E., and Neto, A. T. M. (2024). Sys-

tematic review in the implementation of the general

data protection law in brazil. Multidisciplinary stud-

ies: management and legal Sciences, page 20.

E. Mougiakou, S. P. and Virvou, M. (2020). Synchronous

and asynchronous learning methods under the light of

general data protection regulation. In 2020 11th In-

ternational Conference on Information, Intelligence,

Systems and Applications (IISA), pages 1–7, Piraeus,

Greece.

GOVERNO DO ESTADO DE ROND

ONIA (2023). Car-

tilha da Lei Geral de Protec¸

ao de Dados Pessoais

(LGPD). Accessed: 2024-09-23.

Kasunic, M. (2005). Designing an effective survey.

Kitchenham, B., Brereton, O. P., Budgen, D., Turner, M.,

Bailey, J., and Linkman, S. (2009). Systematic litera-

ture reviews in software engineering–a systematic lit-

erature review. Information and software technology,

51(1):7–15.

Lange, J., Labrinidis, A., and Chrysanthis, P. K. (2014). To-

wards automated personalized data storage. In 2014

IEEE 30th International Conference on Data Engi-

neering Workshops, pages 278–283. IEEE.

Machado, P., Vilela, J., Peixoto, M., and Silva, C. (2023).

A systematic study on the impact of gdpr compliance

on organizations. In Proceedings of the XIX Brazilian

Symposium on Information Systems, pages 435–442.

Mackenzie. A import

ancia da seguranc¸a no descarte de ma-

terial contendo dados pessoais.

Maldonado, V. N. and (Coord.), R. O. B. (2020). LGPD:

Lei Geral de Protec¸

ao de Dados comentada [e-book].

Thomson Reuters Brasil, S

ao Paulo, 2nd ed., revised,

updated, and expanded edition. Various authors, Bib-

liography.

Martinovic, D. and Ralevich, V. (2007a). Privacy issues in

educational systems. International Journal of Infor-

mation and Technology Systems, 4(2):132–150.

Martinovic, D. and Ralevich, V. (2007b). Privacy issues in

educational systems. International Journal of Internet

Technology and Secured Transactions, 1(1-2):132–

150.

Martirena, R. P. (2022). A protec¸

ao de dados pessoais e da

propriedade intelectual no ensino remoto: estudo de

caso no centro universit

ario uniprojeC¸

Ao.

Mollick, J. and Pearson, J. (2003). Effects of two infor-

mation privacy concerns on students’ feeling of alien-

ation. AMCIS 2003 Proceedings, page 222.

Mougiakou, E., Papadimitriou, S., and Virvou, M. (2020).

Synchronous and asynchronous learning methods un-

der the light of general data protection regulation. In

2020 11th International Conference on Information,

Intelligence, Systems and Applications (IISA, pages 1–

7. IEEE.

Rajagopal, K. (2023). Personal learning environments as

socio-technical systems: does decentralised data ﬁ-

nally give us the right balance? Revista de Educaci

a Distancia (RED), 23(71).

Rojas, M. A. T. (2020). Avaliac¸

ao da adequac¸

ao do insti-

tuto federal de santa catarina

a lei geral de protec¸

ao de

dados pessoais.

Rosso, O. (2023). A aplicac¸

ao da lgpd nas

universidades brasileiras. Available at:

https://posts.desaﬁosdaeducacao.com.br/lgpd-

universidades-brasileiras/.

Santos, P., Peixoto, M., and Vilela, J. (2021). Understand-

ing the information security culture of organizations:

Results of a survey. In Proceedings of the XVII Brazil-

ian Symposium on Information Systems, pages 1–8.

SERPRO (2020). Educac¸

ao e LGPD: impactos e desaﬁos

nas instituic¸

oes de ensino.

a, B. (2022). LGPD na educac¸

ao: como a protec¸

ao de da-

dos pessoais impacta o futuro das escolas. Available

at: https://www.jusbrasil.com.br/artigos/lgpd-na-

educacao-como-a-protecao-de-dados-pessoais-

impacta-o-futuro-das-escolas/1836610975.

Data Privacy in Educational Contexts: Analyzing Perceptions, Practices and Challenges in Personal Data Protection

319