GDPR (part 2 of 5): Do’s, Don’ts and Alternatives
In the first part of this series we discussed the principles of the GDPR and the inventory of the personal data used for processing. By using as little personal data as possible and removing unnecessary data, you reduce the chance and the impact of data breaches. The next step is to know how you can work responsibly with personal data and what safe alternatives you can use for this purpose.
Working responsibly with personal data starts with recognizing it. Personal data are pieces of information that can be traced back to a specific person or make this possible in combination with other data. Although a student number is a pseudonym, it can easily be traced back to a student and therefore qualifies as personal data. Publishing a grade list with student numbers is therefore not permitted; use the Grade Center in Blackboard to communicate results instead.
The anonymisation or pseudonymisation of datasets with personal data in research, if done correctly, is recommended. For questions about this, please contact the Centre for Digital Scholarship of the UBL.
There are also simple daily routines that you can adhere to, to reduce privacy risks. Think of keeping your desk tidy, locking your PC when you leave your workplace (keyboard shortcut: Windows logo key + L), using secure networks such as 'Eduroam' as much as possible and sending e-mails to colleagues and students via the University mail servers (all e-mail addresses ending with leidenuniv.nl). Especially this last point is something most people do not always think about. When you send an e-mail, it is technically speaking possible for all digital checkpoints between sender and receiver to view the content of the mail. Think of a postcard where all postmen who handle the card can read the personal message that is written on the back. By using University mail, the university's secure servers are the only digital checkpoints and its contents cannot be viewed from external servers.
The 'don'ts' are a little bit more complicated and sensitive to address. Under the GDPR, the university is required to formalize data processing agreements with external parties that 'process' personal data (for example: viewing, storing or transporting). Such a data processing agreement includes how the external party must deal with our personal data. Think of services from external parties such as the cloud services of, for example, Google, Dropbox, Apple, Microsoft and WeTransfer. The university is obligated to formalize a data processing agreement with these parties to uphold the lawful and safe processing of personal data. At this moment, the university has not formalized these agreements with the above-mentioned parties, which makes the use of these services unlawful and unsafe for the storage of personal data. It is therefore strongly advised to consider the following alternatives to replace these services. Using Google to look up something remains possible of course.
Alternative services to the examples described above are provided by SURF. SURF is the ICT-cooperation for the education and research sectors of the Netherlands, and also has a data processing agreement with Leiden University. The SURFdrive cloud storage service and the SURFfilesender data transfer service are considered to be safe to the extent that they can be used freely after the GDPR comes into force.
Another alternative is to work from the 'Remote Workplace'. This allows you to always work remotely in the same digital environment of the university and simultaneously prevents multiple versions of a file being stored in different directories.
Exceptions and more alternatives
In the exceptional case that none of these alternatives offer a solution, you can also choose to protect files with a password. It is possible to set passwords for specific PDF, Microsoft Office and zip files. This ensures that you also guarantee the protection of personal data in exceptional cases. By doing this, you ensure the protection of personal data as much as possible; even in the most exceptional cases.
There are many more tools and tips on the university's website to work more safely digitally.
By being aware of the do's, don'ts and alternatives, you build a strong starting point to actually get started with the GDPR. Next week’s piece will be about two very important and at the same time the most talked-about aspects of the GDPR: 'Principles for processing personal data & Consent'.