Legal expert Frans Pingen has been data protection officer for WUR since 1 January this year. His task is to develop policy for protecting the personal data of staff and students stored on the WUR server, and preventing data leaks. Such leaks are in the news on a daily basis these days, some caused by malicious hackers or by ignorant users. Pingen has four practical tips.
Photo: Shutterstock and Guy Ackermans
Privacy is a constitutional right which is under pressure. Facebook, Google and webshops accumulate shedloads of personal information in order to steer our media and consumer behaviour. The American security services tap our phonecalls and listen in via our TVs. And Russian hackers and Islamist terrorist organizations send us spyware in order to steal money and passport details. Even within WUR it is high time serious thought was given to privacy and data protection, says Pingen. The risks of identity fraud are increasing fast. If your personal data are leaked, someone else could easily rent a car or do something worse than that at your expense. Also, grade lists can be hacked, leading to qualifications being called in question.
There is new legislation which makes it compulsory to report any incident of data being leaked and getting into the wrong hands. From next year heavy fines will be imposed on any organization which does not protect the data it is entrusted with properly, says Pingen. So a steering committee and a project group are going to prepare WUR to fulfil the requirements. Meanwhile, Pingen offers four things students, staff, and WUR as a whole can do to protect privacy.
1: Report a data leak
We read reports of data leaks in the media every day. In November 2016, Erasmus University in Rotterdam had a data leak through which details of thousands of students may have fallen into the wrong hands. This was not just a question of addresses, email addresses and telephone numbers on the hacked website, but also of health data from forms filled in for student psychologists. Academic institutions with a lot of personal data in their systems are vulnerable. For this reason, SURF – the ICT organization for Dutch academic institutions – organized a major exercise last year involving a simulation of a data leak at Food & Biobased Research at WUR. It is important to practice emergency procedures for dealing with data leaks, says Pingen.
Staff can sometimes be the cause of a data leak too. If your private or work laptop containing WUR files and emails gets stolen, you should report it to the IT helpdesk. They will assess whether this constitutes a data leak, and whether the leak concerns personal data which should be reported to the Personal Data Authority. Sometimes, for instance, students’ course grades are still on old computers because a teacher has forgotten to delete them after saving them to the student information system. But there might also be other personal data about race, religion, sexual identity or health issues. The helpdesk can delete these kinds of files off old computers from a distance.
Pingen advises data hygiene: save as little personal data as possible and remove it as soon as it is not needed anymore.
2: Avoid using usb sticks or external drives
Do not use external drives or usb sticks to store extra data. There could be programmes on those external drives which will infect your computer. What is more, you can easily lose them, which counts as a data leak. Put information in safe places on the WUR server and only in the cloud if the IT department has done a security check on it. Don’t be naïve, says Pingen: security services and hackers can use all sorts of equipment to spy on your laptop. The camera on your laptop can be used by uninvited guests to take photos of you when you log in. So Pingen’s advice is to cover the camera while you are not using it.
3: Use services approved by WUR
Google, Facebook and Apple make their living from our data and do what they like with it because we have given them permission to do so. We do that by accepting conditions – often without reading them. We are constantly giving away data like that. So have a good look at the privacy settings and be critical. Some search engines are safer than others. You can also install ad blockers. And before you purchase IT applications or cloud services, get the IT department to carry out a security check. Pingen also suggests WUR reconsider whether it wants to pay companies for certain services in data about the surfing behaviour of visitors to our websites.
4: Store research data properly and securely
WUR researchers are obliged to keep their research data for ten years so that it can be validated. Sometimes things go wrong, for instance when a foreign PhD candidate returns home after graduating, taking their data with them. That is not on, says Pingen: we must store the data here. That will be easier now that the IT department has significantly lowered the costs of data storage. What is more, the researchers should anonymize any personal data included in their data. This approach has its uses: a few years ago a PhD researcher’s computer crashed, and he was unable to prove how he came to his scientific conclusions, says Pingen.
Any questions about privacy and data protection? Are you worried that your personal data might not be properly protected? If so, contact email@example.com.
Three student information systems
WUR has three student information systems, which for reasons of security are not linked with each other.
AIR. This is the student information system where students’ personal data, the courses they take and the grades they get are stored. These data are only used for educational purposes, says Ingrid Hijman, head of the Student Service Centre. ‘We are under no circumstances allowed to give this information to third parties, so we don’t even tell parents whether their child is a student here or how they are doing. Parents often find that hard to understand, but these are the rules with a view to protecting personal data.’
SPA. This is the course planning system in which students submit the programme of courses they want to follow for their degree. This programme has to be approved by the study advisor and the exams committee, which therefore also has access to SPA.
CORSA. Deans and student psychologists have their own system, which is not public. Not even the study advisors can access it. The privacy rules state that this information can only be shared after students have given explicit permission for that. Hijman and the data protection officer between them make sure the procedures make sense, the systems are secure and the right people have access to the systems.