Universiteit Leiden


Tools and tips for working securely

Curious to find out how you can contribute to a safe working environment? Then keep reading to discover our tools and tips for working securely. They will help you to work more safely in specific situations.

Tools for working securely

If you want to send larger files by e-mail securely, use SURFfilesender. SURFfilesender enables you to share a message securely with the recipient. You can also use it to invite the recipient to send you a secure message.

If you are not using the University’s eduroam network, make sure your connection is secure. Give your home router a strong password, or use your own mobile hotspot (4G/5G data bundle). Public networks, such as those at hotels or in trains, are not secure unless you connect via a VPN – so make sure you install one. The University has one that you can use for free. A VPN connection encrypts your connection to the internet, so no one can see when you visit websites or share data. It also hides your IP address and location, so hackers can’t locate you.

Tips for working securely

When it comes to protecting the University’s data, employees are the first line of defence. It is therefore important that, as an employee, you know what is expected of you and how to go about it in your day-to-day activities. Leiden University has access to a platform that offers several modules dedicated to privacy and security; you can work through these modules to improve your knowledge of these two topics.

Log in to the Service Portal by clicking on this link. Under ‘Training portal’, you will find the link to Awaretrain (the learning platform). Log in using your ULCN account; you will then see the relevant modules. Work through the various modules to improve your knowledge of privacy and security.

What are personal data?

Personal data are any data that can be traced back to an individual. This includes, for example, names, addresses and places of residence, but also bank account numbers, telephone numbers and postcodes in combination with house numbers, as well as less obvious information. Information such as IP addresses, MAC addresses and browser settings may also be considered personal data if they can be used to identify someone. Sensitive data such as someone’s race or religion, or information about their health, are called special personal data. This type of data is granted extra protection by law.

Handling personal data

We handle personal data in the course of our day-to-day activities. For regular work activities at the University, the way in which personal data are handled in order to comply with the GDPR is safeguarded by your supervisor. In situations where this is not the case, there are a number of basic rules that you need to consider. The questions below can help you get started:

  • Do you have a clear purpose for collecting personal data?
  • Are only personal data collected that are necessary for that purpose?
  • Have you checked the retention periods? Personal data cannot be kept forever but may be subject to legal retention periods. Deleting data too early is just as unacceptable as deleting data too late.
  • Has clear information been made available about what you will do with the personal data? For example, in a privacy statement?
  • Are there contracts in place with a supplier or collaborating party that include agreements for the exchange of personal data?
  • Check that you are not inadvertently handling special personal data, BSN numbers or data relating to children under the age of 16. 

You do not need to know the entire contents of the GDPR by heart to be vigilant when it comes to privacy obligations. The table below provides a list of topics for which you must be aware of the privacy requirements and seek help in a timely manner. 

| Topic | Possible obligations | Contact details |
| --- | --- | --- |
| Incidents involving personal data, such as clicking on a phishing email or forwarding personal data to the wrong recipient. | Inform or consult the Data Protection Officer and/or report the incident to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). | ISSC helpdesk. The helpdesk will then contact the privacy officers. |
| Purchasing software or technology | Carry out a Data Protection Impact Assessment (DPIA), which must be checked by the Data Protection Officer (DPO), and communicate with data subjects. | Privacy officers |
| Transferring personal data to a new party | Contracts that guarantee privacy and security. | Privacy officers |
| Transferring personal data outside the EU | Contracts that guarantee privacy and security. | Privacy officers |
| Conducting research | Draw up a DMP and conduct a DPIA. | Privacy officers |


  1. Use strong passwords
    Long, unpredictable passwords are the best. On the Strong passwords page, you can find tips for creating strong passwords that are easy for you to remember. Good to know: ULCN occasionally sends messages about the status of your account and password, but never asks you for your password.
  2. Be aware of suspicious e-mails
    Chances are that, at some point or another, all employees will receive a phishing e-mail containing a dangerous link or attachment. On the Phishing page, you will find tips on how to recognise and report suspicious e-mails.
  3. Install the latest security updates on all devices
    The first step towards good digital security is to make sure you always have the latest updates installed on your device. If you have outdated versions of programmes on your computer, hackers or other malicious people can use them to launch an attack. So make sure you update your programmes at least every month.

Work laptop

If you have a work laptop, updates are usually installed when you connect at the University. The software installed at your workstation (desktop or laptop) is automatically updated as long as you are in the University’s buildings regularly. If you use the workstation laptop outside the University buildings for longer than a few weeks, you can update the software yourself. For optimum security and to ensure that you have the latest updates, we recommend doing this once a month, preferably at the end of a working day (this will take about 5 to 20 minutes). 


  1. Save and share files with OneDrive or SURFdrive
    If you want to save and send files, use OneDrive or SURFdrive. This is safer than using USB sticks or external hard drives. Send work e-mails using your University account, and not via other services such as Gmail or Hotmail. On the page about saving and sharing files you will find more information about SURFdrive and SURFfilesender.
  2. Lock your computer when you leave your desk
    Whether you have a long meeting or are just popping out for a cup of coffee, it is important to lock your computer. It is also advisable to keep your digital folders and your desk tidy. This reduces the chance of anyone accessing your data. To lock a Windows computer, simply press the Windows key + L; on a macOS computer, press control + command + Q.
  3. Use a secure internet connection
    If you are not using the University’s eduroam network, make sure your connection is secure. Give your home router a strong password or use your own mobile hotspot. Public networks, such as those at hotels or in trains, are not secure unless you connect via a VPN. Watch the instruction video on how to install eduVPN.
  4. Make sure you have good antivirus software
    This helps prevent you from downloading malicious files. It also keeps hackers out of your network and prevents you from visiting unsafe websites. So make sure you are using a good antivirus programme that works effectively. And don’t forget to keep this updated, too!

ISSC work laptop

Your work laptop already has an antivirus programme installed. Type ‘virus and threat protection’ in the Windows search bar (the magnifying glass in the bottom left corner of the screen); there you will see the installed antivirus programme. 

Antivirus software on your own computer

If you work on your own computer, Surfspot has a wide range of antivirus programmes that you can purchase at a discounted price. Log in to Surfspot using your ULCN account.

  1. Report suspicious activity and incidents
    Report (potential) incidents, data breaches, malware, etc. to the ISSC helpdesk (tel. 8888). If you lose your device, you should also report this to the helpdesk. You must also notify your supervisor of any loss of confidential data.

The University’s information systems are designed to allow you to work flexibly. These days, we don't just work at a desk in the office. But working while travelling is not without risk. The above tips on being digitally safe at work will certainly get you a long way, but here are a few additional dos and don’ts. On the dos: you will find more information about some of the tips under the relevant section above.


  • Only take the devices you really need.
  • Make sure mobile devices always have the latest (security) updates.
  • Make sure you have antivirus software.
  • Use a secure internet connection (such as a VPN connection).
  • Make sure others can't read your screen.
  • Make sure your device is always secured with a strong password. 
  • Never leave your device unattended and prevent physical access to your devices. Keep it in the safe in your hotel room or take it with you. This helps to prevent theft and the potential installation of malware on your device.


  • Don’t use public Wi-Fi networks.
  • Don't carry confidential information on an unsecured USB stick or other type of removable data carrier. Store this information securely in the cloud.
  • Never provide a copy of your passport or identity card for no reason.
  • Do not leave printed documents unattended.
  • Be prudent when using public charging stations such as in cafes and airports and on public transport; they may have malicious software installed on them. Use your own wall sockets or your own external portable battery.

Protecting the security of information is the responsibility of all of us. We at the Security Office keep a close eye on social developments in this area and we provide the necessary advice and guidelines so that the university can handle information securely.

List of banned hard- and software
In that light, it is sometimes necessary to prohibit the acquisition of particular products or to ban certain software from being installed. We will keep you informed of these products here. This list is not exhaustive. If you have any doubts about whether a product from a particular supplier is secure, you can ask the Security Office for advice.

Please note: you are never permitted to process non-public information or personal data via (free) services that are not offered by the university. You may, of course, make private use of these services as you see fit on university devices (within the terms of the Regulation on ICT and Internet Use), as long as the services are not on the list of banned hard- and software.

Exception procedure

It may be that you need to use services for your work that are on this banned list. In that case, you can use SharePoint. We can then work out together how best to handle the risks.

Is this online tool safe?

Check the tool picker to quickly know what apps and online tools you can use.
