Questions arise about UU's participation in the Cultural Diversity Barometer
By law, Utrecht University is not allowed to register whether an employee with Dutch nationality has a migration background or not. However, in order to improve its diversity policies, the university would like to know just how diverse its workforce is. That's why the UU, alongside several other Dutch universities, has decided to take part in the Cultural Diversity Barometer, a project looking to link university employees' data to the CBS files. The Dutch Parliament has extensively debated the desirability of this initiative.
The personal data UU plans to share with the CBS comprises employees' date of birth, gender, job title, pay grade, whether they have a permanent or temporary contract, and their faculty. The reference date will be December 31st, 2020. According to the UU, this information will be sent to the CBS using a highly secure method. CBS can then link this information to its files by using zip codes, house numbers and additional address details, which they will also receive from the UU. After the link has been made, the data will be immediately deleted, so that further processing takes place in pseudonymised form and the results cannot be traced back to individual employees.
UU has chosen not to ask for employees' permission to do this, but rather to give them the opportunity to object. The university justified the decision by arguing that the public interest of providing equal opportunities on the labour market outweighs the privacy interests of individual employees.
However, after the university's first letter on March 17, a significant number of questions arose. First, many employees stated that the letter wasn't clear about how the data would be linked to CBS' files, and to what extent it would be traceable. Many also feared that their personal details could end up in the hands of hackers. The university then expanded the explanation in a second letter sent on March 30, in addition to extending the period for objections from April 1st to April 9.
UU's Data Protection Officer Artan Jacquet is the person in charge of overseeing the process. He explains that the General Data Protection Regulation (AVG in the Dutch acronym) does allow for the university to pass the data on to the CBS in this manner. There are, however, certain conditions that must be met, such as carrying out a risk analysis to assess where things can go wrong and how those scenarios can be prevented. For example, what are the chances that the data ends up in the wrong hands when transferred? The university should also verify the minimum amount of data required to achieve the desired effect. According to Jacquet, UU's investigation was not entirely conducted according to the rules determined by law.
The law requires the institution to inform its staff well about the data that will be provided to third parties and why – but this information only came after the university's first e-mail was criticised. Additionally, Jacquet argues that it would have been better if the university had discussed the project with the University Council first, and then approved it with the Data Protection Officer and his team. “If this had been discussed with us first, we could have indicated the legal obligations to cooperate correctly in this project. Instead, the letter said that people with privacy-related complaints could come to us, while we ourselves had criticism to make. That is so strange”.
Diversity Dean Janneke Plantenga reacted by stating that a risk analysis was carried out beforehand. According to her, the university did examine whether the data could be passed on to the CBS in a sufficiently secure manner. She guarantees that Statistics Netherlands will not be able to trace back any sensitive information to a specific person. The processing will be done in clusters of at least 250 people. In addition, the university has decided not to send employees' social security numbers (BSN in the Dutch acronym). “We're only going to send them the information that's absolutely necessary to serve this purpose”, promised Plantenga.
The other universities participating in the project are Leiden, VU Amsterdam, Erasmus Rotterdam and the University of Amsterdam. The procedure has been approved by the data administrators of all the universities. Plantenga: “It is just a pity that something went wrong in the coordination with the Utrecht official about the questions they might get”.
The university decided not to go into too much detail in the first e-mail, making more information available on the Intranet instead. When several employees replied with questions, it decided to send a second e-mail.