Seven ways the privacy laws will affect you

Do we need all that information? Artan Jacquet, officer for data protection at the UU, says that should be the main thought when saving data. The European Union has implemented a law that’s meant to protect people against the unnecessary spreading of personal information. Companies and organizations especially will be checked on whether they’ve taken care of their privacy regulations. A lot of work goes into that. Small things, big things. “But the basis is a new way of thinking,” Jacquet says.

“We want to prevent personal information from ending up with just anyone. That requires a huge cultural change. In anything you do, you need to think: ‘is this actually necessary?’” A small example: you can only have a birthday calendar in the pantry if everyone whose name is on it agrees to that. “That’s not a theme we’ll be taking action on for now, but it shows the way of thinking. You don’t know whether everyone’s happy to share their birthday with the whole office.”

To help make the issue more tangible, we’re listing five topics students and employees at the UU will come in contact with.

Grades aren’t for everybody
If you were a student twenty years ago, you had to go to a bulletin board to check your exam grades. It was a matter of pushing your way around other people there. And of course you didn’t just check your own grade, you’d also check to see how the others did. Who did well, and who failed the test? There are still teachers who want to share grades with the entire class, as it can motivate students. But it’s no longer allowed. Do you want to be made an example of with that 3/10 grade you got? It also means a teacher isn’t allowed to let lists of grades lie around, and that they need to put the grades into the system themselves. You can still, however, make a comparison, by showing the anonymized data of a class.

Unwanted email
As a faculty or study program, you’re allowed to inform your students and staff by means of a newsletter. It’s a part of the study program. But you cannot share those lists of email addresses with third parties. That could lead to students and staff receiving all sorts of other emails they didn’t sign up for.

You also need to be careful when sending emails to a large group of people. Some people put all addressees in the CC field, which shows everyone who receives the email a beautiful, long list of all email addresses in that group. That’s usually unnecessary. The rules say you should put the names and email addresses in the BCC instead, which is invisible to others. And if you want to make your mass emails even safer, you can also use the Surf file sender.

Profile without timetable or PhDs
Of course it can come in handy to be able to see who’s employed by the UU, in what room they work and when they’re present. Still, the privacy laws affect that information, too. If the information isn’t required to be visible to non-UU people, we shouldn’t publish it. This information doesn’t come without risk. Think of employees at the Animal Laboratory, who have been threatened by animal rights activists in the past. Or an abusive ex-boyfriend who can easily find out his ex’s place of work, and when they’re going to be there. The UU is allowed to force employees to share this information on the university’s intranet.

Scientists are required to create a profile, which helps the research be more transparent. There’s still some discussion about what you can and cannot state on your profile. The Faculty of Science, for instance, faced a discussion about whether professors are allowed to mention which PhD candidates they’ve supervised, if those PhDs haven’t explicitly consented to it. Jacquet says this concerns publicly available information, and for transparency’s sake, it’s good to mention it.

Forbidden to Google in job applications
Imagine you have a vacancy for a position or committee, and you’ve done a preselection. It’s tempting to Google the candidate, check their Facebook to see if they’ve posted drunk party pictures, and see whether they have any curious hobbies. That’s not allowed. In principle, you need the candidate’s consent before you’re allowed to Google them, unless it’s relevant for the job – for instance if a prospective sustainability manager spends his days off as president of a local car enthusiasts club. But even then, you need to inform the candidate you’re Googling them, and you need to offer the candidate the opportunity to defend themselves.

No freshmen addresses for study associations
In the past, the university provided study associations with a list of all the names of people who had applied for a specific study program. That’s no longer allowed without the first-years’ consent. That’s a setback for the associations, but the reasoning is that the study association isn’t necessarily a formal part of the UU, and you can’t automatically assume all freshmen want to join the association. Now, the study program itself will send an email to the students to notify them of the existence of these important associations.

Privacy signature in research applications
In the setup phase of any research project, the scientists involved will already have to take the privacy laws into account. You can use personal information for a study, but you need to be able to justify the necessity of using the information. Again, you need to minimize the use of personal information, and you need to look at the security of the data you’re saving. It requires a different way of creating a research setup. And to check whether all is done well, every single research application for a European research grant (ERC) needs to be accompanied by the signature of the officer of data protection, who needs to check whether the research setup has sufficiently taken into account the minimized use of personal data. More and more research organizations are adopting this same requirement.

Horses’ data gets pseudonyms
It makes sense that the hospital needs to be extremely careful not to let patient files lie around, or use personal information in classes. The faculty of Veterinary Medicine has animals as patients, and for those, the privacy laws don’t apply. But sometimes the owners’ information is covered. Until recently, the horses’ stables mentioned the horse’s name, the owner, and his/her address. Now, the faculty only mentions the name of the horse and its owner. At the faculty council, one person asked whether the names of the horses shouldn’t be anonymized as well, or whether only a file number should be mentioned. It could theoretically be possible that a horse with a high value is in the vet’s stables, and that’s something to be avoided.

Call for stories: Do you have any examples of things of which it remains unclear whether or not they’re allowed according to the new privacy laws? Then please, comment below. We collect them and will check. Employees can find more information and examples on the intranet.
