The university is not yet ready for the General Data Protection Regulation (AVG), which will replace the current Personal Data Protection Act (Wbp) on May 25th. However, the university is “reasonably up and running”, says Legal Services director, Saskia Voortman. When the AVG is definitely in force, the university must, among other things:
1. Be able to show what personal data is registered and where, both centrally and in faculties. Most has already been registered. According to Voortman, for faculties it is more labour intensive.
2. Have a data protection officer who supervises compliance with the AVG. For TU Delft this officer is Erik van Leeuwen.
3. Make agreements when processing personal data is outsourced to external parties. TU Delft works with Surf, the ICT collaboration organisation for education and research in the Netherlands. A contract has been made for the new R & D system.
4. Ask for permission to process personal data more often.
5. Be transparent at all times about what personal data the university collects, uses, and consults, and to what extent it legally does so.
6. Actively implement the policy to comply with the AVG. Partly because of this reason, the finger scan at Sports & Culture will be abolished, director Raymond Browne says. Data leaks must be reported by the university within 72 hours.
7. Give people the right to be ‘forgotten’ and thus remove them from databases unless legal requirements make this impossible. In addition, people have the right to access, correct and reuse their data for other organisations.
This sounds very complicated. How can we deal with it? Legal Services recommends these do‘s and don’ts:
• Only collect and use personal data that are really necessary.
• When using personal data, make sure that you only store the essential data and that you store it in as few places as possible and that it is only accessible to those who need it.
• Be very cautious and reserved about using sensitive personal information such as citizen service numbers, information about people's health and financial data.
• Lock your computer, tablet or telephone whenever you are not using them, both on and off campus (Windows button + L).
• For new projects: check that they comply with the AVG.
• When purchasing new large-scale systems: check whether a Data Protection Impact Assessment is required (DPIA).
• Get the permission of the relevant individuals before collecting their personal data in a project.
• Delete or destroy documents with personal data when they are no longer needed, including e-mails.
• Report it if you suspect a data leak.
• Do not share personal data with others, especially not before you know why they need them.
• Do not provide personal data to third parties outside TU Delft.
• Do not just use personal data from one project for another project.
• Do not leave paperwork with personal data behind, even at the printer.
• Do not store personal data in unsecured files.
• Do not store personal data relevant to TU Delft in cloud applications such as Google Drive and Dropbox. Surfdrive is allowed.
Legal Services will soon provide additional information and a video about the AVG. It will also inform specific groups like teachers, for example, about the changes.Finally, TU Delft will publish a list of answers to frequently asked questions.If you have any questions, email firstname.lastname@example.org.