Privacy risks in Osiris addressed in collaboration with SURF
Osiris is used by more than 60 institutions, including universities, universities of applied sciences and vocational education institutions (mbo). In close collaboration with CACI, Privacy Company investigated on behalf of SURF how the system processes the personal data of students and employees of the institutions, what central agreements have been made about the processing and what risks exist. In addition, the research report presents a number of measures that can limit the identified risks.
Result: 12 high risks and 1 medium risk are largely mitigated
A total of twelve high risks and one medium risk to user privacy were identified. Four of these high risks are related to the mobile app. The risks stem partly from the way in which institutions use Osiris and partly from the design of Osiris itself.
The measures that have now been proposed therefore apply partly to the institutions and partly to CACI. You can find the proposed measures in the DPIA: see the link below. There will also be a webinar where SURF members can obtain more information about the findings and proposed measures.
By implementing the measures, all high risks can be mitigated, leaving only low, residual risks. This also applies to risks related to processing by CACI's parent company and sub-suppliers based in the US. SURF has been particularly alert to this. More information on this can be found in the previously prepared general information document on the use of American suppliers.
Follow-up
SURF and CACI have made clear agreements in close cooperation on how and when CACI will implement the measures. The company has made a good start on this, as can be seen in the DPIA status table. As a result, institutions can continue to use Osiris for the time being. CACI will report the results of the implementation to SURF within the agreed timelines. SURF will publish an update on this DPIA in 2026. 
Full report available
About Osiris
Osiris is a student information system, used in the Netherlands by mbo, hbo and wo institutions. The supplier, CACI, offers Osiris as a SaaS application. With the mobile Osiris app, students can register for courses and exams and view their grades. A substantial proportion of institutions offer this app to their students.
Any questions?
Do you have questions about this DPIA? Sign up for the in-depth webinar on 22 September (from 10:00 to 11:30 am, for SURF members only), or contact us at vendorcompliance@surf.nl.