Universiteit Leiden


Tools and tips for working securely

Curious to find out how you can contribute to a safe working environment? Then keep reading to discover our tips for working securely. This section contains tools and tips to promote safe working habits in specific situations.

Tools for working securely

If you want to send larger files by e-mail securely, use SURFfilesender. SURFfilesender enables you to share a message securely with the recipient. You can also use it to invite the recipient to send you a secure message.

If you are not using the University’s eduroam network, make sure your connection is secure. Give your home router a strong password, or use your own mobile hotspot (4G/5G data bundle). Public networks, such as those at hotels or in trains, are not secure unless you connect via a VPN – so make sure you install one. The University has one that you can use for free. A VPN connection encrypts your connection to the internet, so no one can see when you visit websites or share data. It also hides your IP address and location, so hackers can’t locate you.

Tips for working securely

When it comes to protecting the University’s data, employees are the first line of defence. It is therefore important that, as an employee, you know what is expected of you and how to go about it in your day-to-day activities. Leiden University has access to a platform that offers several modules dedicated to privacy and security; you can work through these modules to improve your knowledge of these two topics.

Log in to the Service Portal by clicking on this link. Under ‘Training portal’, you will find the link to Awaretrain (the learning platform). Log in using your ULCN account; you will then see the relevant modules. Work through the various modules to improve your knowledge of privacy and security.

What is personal data

Personal data is any data that can be traced back to a person. Examples include name, address and place of residence, but also bank account numbers, telephone numbers and postcodes with house numbers, or less obvious information. Data such as IP addresses, MAC addresses and browser settings are in certain cases also personal data. That is the case if you can identify someone on the basis of this data. Sensitive data such as a person’s race, religion or health are called special categories of personal data. These are given extra protection by the legislator.

Handling personal data

Working with personal data is part of our daily work. For regular activities within the University, your manager has ensured that personal data is handled in a way that complies with the GDPR (AVG). In cases where this is not so, there are basic rules you need to take into account. The questions below can help you get started:

  • Do you have a clear purpose for collecting personal data?
  • Is only the personal data that is necessary for this purpose being collected?
  • Have retention periods been considered? You may not keep personal data forever, but it may be subject to statutory retention periods. Deleting too early is no more permitted than deleting too late.
  • Has clear information been made available about what you are going to do with the personal data? For example, in a privacy statement?
  • Are there contracts with agreements on the exchange of personal data with a supplier or a collaborating party?
  • Are you not unintentionally working with special categories of personal data, BSN numbers or data of children under the age of 16?

You do not need to know the entire GDPR by heart to be alert when it comes to privacy obligations. For the topics in the list below, you should certainly be alert to privacy requirements and call in help in good time.


  • Incidents involving personal data, such as clicking on a phishing e-mail or forwarding personal data to the wrong recipient.
    Possible obligations: inform or consult the Data Protection Officer and/or report to the Autoriteit Persoonsgegevens.
    Contact: Helpdesk ISSC. The helpdesk will then contact the Privacy officers.
  • Purchasing software or technology.
    Possible obligations: carry out a Data Protection Impact Assessment (DPIA), review by the Data Protection Officer (FG), and arrange communication with the data subjects.
    Contact: Privacy officers.
  • Transferring personal data to a new party.
    Possible obligations: contracts in which privacy and security are safeguarded.
    Contact: Privacy officers.
  • Sending personal data outside the EU.
    Possible obligations: contracts in which privacy and security are safeguarded.
    Contact: Privacy officers.
  • Conducting research.
    Possible obligations: completing a DMP and DPIA.
    Contact: Privacy officers.


  1. Use strong passwords
    Long, unpredictable passwords are the best. On the Strong passwords page, you can find tips for creating strong passwords that are easy for you to remember. Good to know: ULCN occasionally sends messages about the status of your account and password, but never asks you for your password.
  2. Be aware of suspicious e-mails
    Chances are that, at some point or another, all employees will receive a phishing e-mail containing a dangerous link or attachment. On the Phishing page, you will find tips on how to recognise and report suspicious e-mails.
  3. Install the latest security updates on all devices
    The first step towards good digital security is to make sure you always have the latest updates installed on your device. If you have outdated versions of programmes on your computer, hackers or other malicious people can use them to launch an attack. So make sure you update your programmes at least every month.

Work laptop

If you have a work laptop, updates are usually installed when you connect at the University. The software installed at your workstation (desktop or laptop) is automatically updated as long as you are in the University’s buildings regularly. If you use the workstation laptop outside the University buildings for longer than a few weeks, you can update the software yourself. For optimum security and to ensure that you have the latest updates, we recommend doing this once a month, preferably at the end of a working day (this will take about 5 to 20 minutes). 


  1. Save and share files with OneDrive or SURFdrive
    If you want to save and send files, use OneDrive or SURFdrive. This is safer than using USB sticks or external hard drives. Send work e-mails using your University account, and not via other services such as Gmail or Hotmail. On the page about saving and sharing files you will find more information about SURFdrive and SURFfilesender.
  2. Lock your computer when you leave your desk
    Whether you have a long meeting or are just popping out for a cup of coffee, it is important to lock your computer. It is also advisable to keep your digital folders and your desk tidy. This reduces the chance of anyone accessing your data. To lock a Windows computer, simply press the Windows key + L; on a macOS computer, press control + command + Q.
  3. Use a secure internet connection
    If you are not using the University’s eduroam network, make sure your connection is secure. Give your home router a strong password or use your own mobile hotspot. Public networks, such as those at hotels or in trains, are not secure unless you connect via a VPN. Watch the instruction video on how to install eduVPN.
  4. Make sure you have good antivirus software
    This helps prevent you from downloading malicious files. It also keeps hackers out of your network and prevents you from visiting unsafe websites. So make sure you are using a good antivirus programme that works effectively. And don’t forget to keep this updated, too!

ISSC work laptop

Your work laptop already has an antivirus programme installed. Type ‘virus and threat protection’ in the Windows search bar (the magnifying glass in the bottom left corner of the screen); there you will see the installed antivirus programme. 

Antivirus software on your own computer

If you work on your own computer, Surfspot has a wide range of antivirus programmes that you can purchase at a discounted price. Log in to Surfspot using your ULCN account.

  1. Report suspicious activity and incidents
    Report (potential) incidents, data breaches, malware, etc. to the ISSC helpdesk (tel. 8888). If you lose your device, you should also report this to the helpdesk. You must also notify your supervisor of any loss of confidential data.

The University’s information systems are designed to allow you to work flexibly. These days, we don't just work at a desk in the office. But working while travelling is not without risk. The above tips on being digitally safe at work will certainly get you a long way, but here are a few additional dos and don’ts. On the dos: you will find more information about some of the tips under the relevant section above.


  • Only take the devices you really need.
  • Make sure mobile devices always have the latest (security) updates.
  • Make sure you have antivirus software.
  • Use a secure internet connection (such as a VPN connection).
  • Make sure others can't read your screen.
  • Make sure your device is always secured with a strong password. 
  • Never leave your device unattended and prevent physical access to your devices. Keep it in the safe in your hotel room or take it with you. This helps to prevent theft and the potential installation of malware on your device.


  • Don’t use public Wi-Fi networks.
  • Don't carry confidential information on an unsecured USB stick or other type of removable data carrier. Store this information securely in the cloud.
  • Never provide a copy of your passport or identity card for no reason.
  • Do not leave printed documents unattended.
  • Be prudent when using public charging stations such as in cafes and airports and on public transport; they may have malicious software installed on them. Use your own wall sockets or your own external portable battery.

Protecting the security of information is the responsibility of all of us. We at the Security Office keep a close eye on social developments in this area and we provide the necessary advice and guidelines so that the university can handle information securely.

List of banned hard- and software
In that light, it is sometimes necessary to prohibit the acquisition of particular products or to ban certain software from being installed. We will keep you informed of these products here. This list is not exhaustive. If you have any doubts about whether a product from a particular supplier is secure, you can ask the Security Office for advice.

Please note: you are never permitted to process non-public information or personal data via (free) services that are not offered by the university. You may, of course, make private use of these services as you see fit on university devices (within the terms of the Regulation on ICT and Internet Use), as long as the services are not on the list of banned hard- and software.

Exception procedure

It may be that you need to use services for your work that are on this banned list. In that case, you can submit a request for an exception via our exception procedure. We can then work out together how best to handle the risks.   
