What are you looking for?

Improved accessibility mode

SURF strives for a website that is accessible to everyone. We are working on a full accessibility mode.
four female students are smiling on their laptops
News

Instructure enhances privacy features in Canvas LMS in collaboration with SURF

SURF has conducted a data protection impact assessment (DPIA) on Canvas LMS. Based on our advice, institutions can continue to use this learning management system. Mitigating measures have been agreed with supplier Instructure for the risks identified. In 2026, we will investigate whether these have been implemented by the vendor.

The use of Canvas LMS is increasing and the system is used by many Dutch universities, colleges and vocational education institutions to manage and monitor learning and training activities. The group of users within the education sector is large, as is the interest in the LMS. That is why SURF has carried out a DPIA, in close collaboration with Instructure. SURF has investigated how the LMS system processes the personal data of students and staff, what central agreements have been made about the processing of this personal data and what risks there are.

Risks and measures

A total of 3 high risks and 9 medium risks were identified regarding user privacy. The high risks stem from the functions used by institutions. These include the lack of transparency (masquerading), lack of control over data processing and data transfer.

SURF has discussed these risks with Instructure and proposed measures. Instructure has committed to mitigating the high and medium risks by the end of 2026 at the latest. A number of measures have already been implemented. This leaves only minor residual risks, which institutions can mitigate themselves using the measures mentioned in the DPIA. Instructure will support institutions in this if necessary. The measures in the DPIA can be found in the link below.

Follow-up in 2026

SURF will retest and reassess the measures in November 2026. We will then publish an updated DPIA and indicate whether the mitigating measures have been implemented. Instructure has been very cooperative and transparent throughout the entire process. In addition, clear agreements have been made between SURF and Instructure about how and when the measures will be implemented. This means that institutions can continue to use Canvas for the time being. 

Full report available

Want to know everything about the investigation? Read the Data Protection Impact Assessment (DPIA) report

More information about the effects on privacy protection when using American vendors can be found in this information document

Questions?

Do you have any questions about this DPIA? Please contact SURF at vendorcompliance@surf.nl

Related topics: