Privacy
Privacy explained
1. What is privacy and why is it important for education and research?
Educational and research institutions process personal data from students, staff, researchers and research participants on a daily basis. In today’s digital learning and working environment, this often includes sensitive information such as academic results, medical data, or other details that can identify an individual.
Privacy concerns the right of data subjects to retain control over their personal information. But it is more than that: privacy also relates to the trust that students and staff place in their institution.
For administrators, IT managers and policymakers, privacy is not merely a requirement, it is a core responsibility. Complying with privacy legislation is an integral part of good governance, risk management and the institution’s digital strategy.
Handling personal data responsibly
It is important to handle personal data consciously. Privacy awareness is part of this: it helps prevent data breaches, for instance. But conscious handling is also important for the following reasons:
- Everyone has the right to control their own personal data.
- Digital systems and AI tools are processing more and more personal data.
Privacy is not just about rules - it is about trust and a safe (learning) environment.
2. Privacy risks in education and research
Privacy issues often arise from small mistakes or unclear agreements. Common privacy risks include:
- Unlawful data processing
Institutions sometimes process more data than necessary or without the right basis, such as consent or legitimate interest. This creates unnecessary privacy risks, for example storing or collecting medical data without a clear reason.
- Insufficient information security
If the security of systems is flawed or not up to date, for example outdated software, weak passwords or no Multi-Factor Authentication (MFA), this can lead to a serious data breach and damages the trustworthiness of the institution.
- Use of insecure digital tools
Tools that do not comply with the General Data Protection Regulation (GDPR), such as free apps or platforms that transfer data to third parties, are sometimes deployed in education without any review or Data Protection Impact Assessment (DPIA).
- Limited privacy awareness in the organisation
Teachers, researchers and staff members are not always fully aware of what they may or may not do with personal data. Without structural training in privacy awareness, lack of knowledge can lead to a data breach or other privacy violation.
- Insufficient control over research data
Research participant data are sometimes insufficiently secured or processed without anonymisation. This not only means poor compliance with the GDPR, but also undermines the institution's research ethics.
- Lack of transparency towards data subjects
Students, (former) staff, parents or research participants are not always properly informed about the purpose and retention period of their data. Institutions are obliged to communicate clearly about this.
These risks highlight the need for:
- Up-to-date privacy policies that are understood throughout the institution.
- Regular reviews of personal data processing practices.
- Ongoing training and awareness at all organisational levels.
- Application of the GDPR principles Privacy by Design and Privacy by Default.
- Clear communication with data subjects.
- Use of standard instruments such as the Privacy Assessment Framework and the SURF Model Processor Agreement.
3. Legislation and policy: GDPR and privacy rules
The starting point for the privacy policy of educational and research institutions is the European Union's General Data Protection Regulation (GDPR) and subsequent Implementing Act. Specifically, this means these organisations must have the following matters in place:
DPIA: Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is a mandatory privacy study whenever the processing of personal data is likely to involve a high privacy risk. In education this is the case, for example, when using learning analytics: the collection and analysis of data about learning.
A DPIA helps to identify risks in advance and take appropriate measures. This contributes to transparency, diligence and compliance with the GDPR.
SURF supports institutions with, among other things, the following standards, tools and guidelines:
- Privacy Expertise Centre
- Privacy Assessment Framework
- Annual privacy benchmark via SURFaudit
- Support in drawing up privacy policy
- SURF Model processor agreement and other templates
- Sector-wide cooperation in the SCIPR community
- DPIAs conducted on systems and applications
Relevant external sources:
- The Personal Data Authority monitors compliance with the GDPR, including for education and research.
4. Privacy awareness and training
Privacy is a matter of people. Data breaches occur when employees or students do not know how to handle data and personal data safely. For privacy officers, this means investing in privacy and security awareness training at all levels of the organisation.
This includes:
- Training staff and students on safe handling of privacy-sensitive data.
- Privacy and security awareness campaigns.
- Embedding privacy in onboarding, professionalisation and quality assurance.
SURF helps with:
- Ready-made awareness campaigns from Cybersave Yourself, such as posters, videos, quizzes and e-learning modules.
- SURF Privacy Expertise Centre (PEC): handouts and templates.
- Privacy Assessment Framework with associated master classes.
- The SURF Community for Information Security and PRivacy (SCIPR).
- Workshops and training courses for privacy officers.
5. Privacy and technology: AI, social media and devices
Innovations such as generative AI, digital testing platforms and adaptive learning tools bring opportunities, but also privacy risks. Many institutions struggle with questions around privacy, such as:
- Can we safely use AI tools such as ChatGPT or Copilot?
- Are free apps like Kahoot GDPR-compliant?
- Can institutions use social media platforms such as Facebook safely for communication?
- How do we prevent the transfer of personal data outside the European Economic Area (EEA)?
- How do we manage non-privacy-friendly apps on institutional devices?
SURF carries out risk analyses (DPIAs) and shares advice, including on Zoom, Google for Education and Microsoft.
The Beyond Privacy Shield Taskforce has produced products and best practices for the secure and responsible international exchange of personal data. These are built on the Taskforce's five-step plan, which follows the EDPB's roadmap.
Governance questions are also increasingly important:
- Who is responsible for the choice and use of each tool?
- How is privacy integrated into the procurement process?
6. Privacy by Design and maturity models
The GDPR requires not only compliance, but also privacy by design. This means that:
- Privacy must be considered from the start in (procurement) processes, systems, tools and management (Privacy by Design).
- Default settings of systems must be privacy-friendly (Privacy by Default).
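The two principles above, together with the research-data risk from section 2 (participant data processed without anonymisation), are easier to see in code. The following Python example is added here and is not SURF's code or tooling; the settings class, the helper names, the HMAC-based pseudonymisation, the 365-day retention period and the sample records are all assumptions constructed for the illustration. The defaults of the settings object are the most protective choice (Privacy by Default), direct identifiers are replaced by a keyed token before storage (data minimisation), and every stored record carries the date after which it must be deleted.

```python
"""Added example: privacy-by-default settings and pseudonymisation of
research participant records before storage. Hypothetical helpers, not SURF code."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Direct identifiers that must not reach the analysis dataset (data minimisation).
DIRECT_IDENTIFIERS = ("name", "email", "student_number")


@dataclass(frozen=True)
class ProcessingSettings:
    """Privacy by Default: each default is the most protective option.
    A deployment has to opt in explicitly to anything less restrictive."""
    share_with_third_parties: bool = False
    keep_direct_identifiers: bool = False
    retention_days: int = 365  # constructed example retention period, not a legal figure


def pseudonymise(record: dict, secret_key: bytes) -> dict:
    """Replace direct identifiers with a keyed token (HMAC-SHA256).

    The same participant always maps to the same token, so measurements can
    still be linked, but re-identification requires the key, which is kept
    separately from the dataset. This is pseudonymisation, not anonymisation:
    whoever holds the key can still re-identify.
    """
    token = hmac.new(secret_key, record["student_number"].encode("utf-8"),
                     hashlib.sha256).hexdigest()[:16]
    stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    stripped["subject_id"] = token
    return stripped


def prepare_for_storage(record: dict, settings: ProcessingSettings,
                        secret_key: bytes, collected_on: str) -> dict:
    """Apply the settings to one record and stamp it with its deletion date (ISO 8601)."""
    stored = dict(record) if settings.keep_direct_identifiers else pseudonymise(record, secret_key)
    collected = date.fromisoformat(collected_on)
    stored["delete_after"] = (collected + timedelta(days=settings.retention_days)).isoformat()
    return stored


def is_expired(stored: dict, today: str) -> bool:
    """Retention check: a record past its deletion date must not be kept."""
    return date.fromisoformat(today) > date.fromisoformat(stored["delete_after"])


# Constructed sample input; not real people or real data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.invalid",
     "student_number": "s0000001", "course": "CS101", "score": 78},
    {"name": "B. Example", "email": "b.example@example.invalid",
     "student_number": "s0000002", "course": "CS101", "score": 64},
]
EXAMPLE_KEY = b"constructed-example-key-store-separately-from-the-data"


def run_example(collected_on: str = "2024-01-01") -> list:
    """Process the sample records with nothing but the defaults switched on."""
    settings = ProcessingSettings()  # sharing off, identifiers stripped, retention limited
    return [prepare_for_storage(r, settings, EXAMPLE_KEY, collected_on) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Note the design choice: because the token is a keyed hash rather than a plain SHA-256 of the student number, a party who obtains the dataset cannot recompute tokens from a list of known student numbers without the key, which is what makes separating the key from the data meaningful. A real deployment would also record the lawful basis and purpose alongside the retention period, which the example leaves out.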
SURF provides:
- A Privacy by Design framework.
- Tools for self-assessment through the Privacy Assessment Framework and annual sector-wide benchmarking.
- Formats, tooling and practical examples for privacy officers and data protection officers (DPOs), including benchmarking information via the Privacy Assessment Framework.
Tip: Want to know how mature your institution is when it comes to privacy? Use the Privacy Assessment Framework. It shows you where you stand, where you still need to invest and how to set up the PDCA (Plan-Do-Check-Act) improvement cycle.