While looking into the negligible security of TU Delft's shared storage locations, Delta came across a number that immediately raises questions. Apparently 1,479 users are at work in the back office of the Topdesk self-service portal. Delta editors are also included in this group, so we were told last year when we were granted authorisation to place articles on the new intranet.
What we did not know was that this also allowed us to view staff and ICT reports and requests submitted by colleagues and students, containing information such as job codes and invoices dating back to 2017. Nor did we know that we had access to lists of suppliers' details and personnel numbers. Is it intentional that we, along with so many other TU Delft staff members, can learn so much about our colleagues?
The Information Management Department does not see this as a problem. Topdesk appears to be set up to give users the opportunity to answer reports from the back office. “Apart from HR reports, the consensus is that we have no secrets from each other. Everyone can see everything,” explains Topdesk’s Functional Manager Tom Verschuur. “But this only applies to the reports that you have explicit authorisation for. A staff member at Communications cannot see reports from an ICT working group unless he/she is authorised for that category.”
Job codes and personnel numbers
What can users see? While navigating around the system without training is not easy, we see long lists of reports that we have nothing to do with. One is a report from a colleague at CiTG who had problems with requesting a laptop and who added the specific job code (a department’s financial code) and invoices. Another is a student at the same faculty who wants to install Qualtrics software on his laptop. Then there is a colleague at TPM who wants to know when the salaries will be transferred. We can open these and other reports. We can even answer them or forward them to colleagues.
Personnel numbers are visible all the way up to the Executive Board
Any student or staff member with a Net-ID can also submit a report on the self-service portal. This gives them access to the full name and email database of TU Delft students and employees. Net-IDs and personnel numbers are visible all the way up to the Executive Board. To make the report complete, we can download a list of suppliers that includes telephone numbers, email addresses and gender. We can then use the servicepunt@tudelft.nl account to respond to a report.
It’s not only we who can do this, but all 1,479 employees who have user rights in Topdesk. Who are all these people and, more importantly, what do they do there? According to Verschuur, more than 500 accounts are held by secretaries who only use the module to reserve spaces on campus. Of the other users, he is unable to say exactly what they do. “Some employees use the portal once or twice a year to print out reports while the Service Desk staff use it every day to answer reports.”
If we can see reports that we have nothing to do with, how many other employees can do this? According to Verschuur, not everyone can see every report. “We made different user groups in Topdesk geared to specific faculties and services. Some of these are groups that consist of dozens of employees, such as HR.”
“The staff in one group can only see the reports that have been made in their own group. We will see if we can make the authorisations even tighter.”
If a report contains privacy-sensitive data, can the person submitting it flag this in advance so that the information is not available to everyone, and not for a long time? No, says Verschuur, though he will discuss this with his privacy officer.
And what about the retention period? The oldest report that we saw was dated 18 April 2017. “The retention period of these reports is set by law,” explains Verschuur (seven years after the report is closed, eds.). Keeping old reports is important, he says. “For example, we can obtain reports about the state of a building. It could be relevant to know how many repairs were requested over the last few years.”
A list containing information about the gender of contacts in suppliers
That Delta can download a list containing information about the gender of contacts at suppliers concerns Verschuur. “This field is standard in the Topdesk system, but we leave it empty. That it is filled in in this case is not the intention.” Verschuur subsequently removed the information from the system.
In response to this article, Biemla Sewnandan, Chair of the Works Council, stated that the chance that someone can act with bad intent must be made as small as possible. “I always look at what a staff member needs to fulfil his/her job. This has become much tighter since the General Data Protection Regulation (GDPR) so it would be good to look at the system and, if necessary, redesign it. Even if an application offers several functions, that is not to say that these functions are relevant for and should be available to every staff member.”
- Upon our request, our access rights have been revoked. All the screenshots made by Delta and the information it saved, including personal data, have been deleted.