Privacy and cloud
Regulations of the Netherlands, Europe and beyond apply to cloud computing. Providers of cloud services are often based abroad. There is little legislation, regulation or jurisprudence in this area. An education institution seeking to purchase a cloud service will have to sign a contract with the cloud supplier. It is important to pay attention to the privacy agreements.
Some useful publications:
- SURF Framework of Legal Standards for (Cloud) ServicesLegal standards in terms of confidentiality, privacy, ownership and availability with regard to cloud providers.
- Report on Cloud Services in higher education and research and the USA Patriot Act (in Dutch)
Main conclusion of the research: for higher education institutions in the Netherlands, it is important to gain and maintain a good understanding of the conditions of the justice and security services' access to the data and the associated risks.
- 'The cloud in education' report (in Dutch): answers to privacy, data protection and legal questions on the use of cloud services.
- Cloud diensten in hoger onderwijs en onderzoek en de USA Patriot Act (in Dutch)
New European privacy legislation has been in effect since 1 January 2016: the General Data Protection Regulation (GDPR). This has consequences for higher education and research. A special project group has been set up on this issue: the initiative group for Higher Education Privacy. This group documents the consequences and advises institutions on how they should interpret the GDPR in order to meet the legal requirements.
Privacy and digital identity
It is important for students and scientists to keep a close eye on their image on the Internet. How should students and academics approach their digital identity and that of others in a sensible way? Some recommendations:
- Think about how you want to present yourself.
- Check regularly what you can find about you on the internet.
- Only post information about you that everyone can know at all times.
- Only post recognisable photos of others with their permission.
The report 'Image building on the Internet: keep your digital identity under control' (in Dutch) offers more information and recommendations on online identity management. Or read the flyer Cloud diensten in hoger onderwijs en onderzoek en de USA Patriot Act (in Dutch).
Lawful operations in ICT
Education institutions are responsible for the actions of their ICT staff and the handling of personal data. Employees and students are allowed to use the institution's ICT facilities and can expect their privacy to be reasonably protected. The education institution is allowed to supervise ICT traffic, but users have to know where they stand. It is therefore important that the institution has a code of conduct on ICT use. Read more in the study on Lawful Operations in ICT (in Dutch).
Students' privacy and personal data
How should institutions of higher education implement the standards set by the Personal Data Protection Act in terms of the handling of students' personal data? The general answer is: by carefully handling those data based on an organisation-wide awareness of privacy in the workplace in accordance with usable and knowable rules. Read more about students' privacy and data in the checklist privacyafspraken (in Dutch)
Lecture on Privacy 2016
In September 2016, SETUP organised a lecture on privacy in collaboration with Studium Generale of Utrecht University and SURF. Watch the lecture on privacy on the Studium Generale website or read the lecture on privacy.