We need to be aware of privacy issues with respect to students and other people whose data we may be handling.
As researchers or support staff, we process a lot of data, from student data such as exams to research data containing the details of a great number of people. If these data relate to individuals, then they can be qualified as privacy-sensitive data. Some examples of privacy-sensitive data include: people’s names, their addresses and places of residence. However, phone numbers, street addresses and zip or post codes, exam results and performance appraisals are all personal data, too. Sensitive information such as a person’s ethnicity, religion, sexual orientation and their records are considered to be extraordinary or special personal data and receive even greater protection under law.
New European (and Dutch) privacy laws (and specifically the Personal Data Protection Act [PDPA]) have set requirements for data processing aimed at preventing data leaks to unauthorised people or organisations. As a result, SBE staff and students need to be aware of the impact of these laws on their work with privacy-sensitive data.
The loss of a laptop or other storage device containing the personal data of students, for example, would represent a significant breach of data security. In such cases, the loss must be reported within 72 hours to the Dutch Data Protection Authority via the university. If the university fails to do so, it could be charged a significant fine (€800.000), compounded by the potential for significant reputational damage to both UM and SBE. Consequently, all individuals involved in handling such data, including students, need to be aware of these issues.
Working with privacy-sensitive data in the cloud (e.g. platforms such as Dropbox, OneDrive, GoogleDrive, WeTransfer) is not without its risks. The US Government can force American companies such as these to release (privacy) data, even though European laws prevent such actions. Best practice, therefore, is to opt to use European or Dutch equivalents such as SURFdrive or FileSender.
Sharing (privacy-sensitive) data with other individuals and organisations must also be strictly limited. First of all there must be a processing base to do so, and sharing this data with another organisation can only proceed subsequent to a formal operational agreement.
Working with privacy-sensitive data requires us all to exercise due care and caution: starting with a secure computer environment, keeping privacy-sensitive data at the university (not on local storage such as your mobile device or a USB stick); and, if necessary, making use of data encryption.