Protecting personal data and preventing data leaks
What should you do if you lose a USB stick containing confidential information? Or if a copy of a passport goes missing? New legislation demands the reporting of losses and a crackdown on data leaks. The university is calling on its employees and students to be extra careful with confidential data.
Jan-Willem Brock, Head of Information Management at Leiden University, answers five questions about data leaks.
‘The revised Data Protection Act (1 January 2016) now includes an article on data leaks. A data leak has occurred if confidential personal information has unintentionally ended up in the hands of a third party and this could lead to serious abuse. This could pertain to research data which can be traced to specific people and could be used against them. The university is now obliged to report data leaks to the Personal Data Authority. If we fail to do this, we could be fined up to 820,000 euros. So please report data leaks as quickly as possible to the ISSC helpdesk (tel. 8888) or via firstname.lastname@example.org. If in doubt, first contact the information manager at your unit.’
‘The current range of communication platforms such as WhatsApp, iCloud and Dropbox means that it is easier for information to fall into the hands of a third party, especially if this information is stored on a mobile device like a smartphone or tablet. So please consider carefully before choosing a device with which to communicate sensitive information. Without exception, employees must always lock their devices with a security code. Please also take extra care when printing and photocopying. Do not leave any copies of identification documents lying around near the printer: any lost copies must be reported.’
‘Prevention is better than cure. Before you start, ask yourself whether it is really necessary to make a note of names and dates of birth. Treat other people’s data just as you would want them to treat yours. This applies to all departments within the organisation: administration maintains personal details such as students’ ‘time to degree’. Even just the link between a name and a course is confidential. HR advisers work with copies of employees’ identity documents. Researchers and students might carry out research among the prison population and may ask questions about the most intimate of details. This is all information that must be protected to the very best of our ability.’
‘This depends on which ones are being used. The SurveyMonkey programme, for instance, does not meet the new, more stringent requirements and must therefore not be used. Researchers must also refrain from placing research data on Google Drive, as Google can sell this information for advertising purposes. The university is currently in the process of negotiating new deals with programme suppliers. We are currently working on a summary page giving a list of those programmes that are trustworthy. The page will be online during the spring. If you have any doubts or questions, get in touch with the information manager of your unit.’
‘I can give a few concrete examples. It often happens that someone from a trade association asks for the email addresses of all the Law students, for example. Do not give out this information, but if the topic is relevant, send the mail yourself with all the students in the BCC. Also be alert when computers or separate hard disks are replaced. Always check first whether there is any confidential information left on them and ask the ISSC to dispose of them.’
Professor Gerrit-Jan Zwenne works at eLaw@Leiden, the research facility for law in our digital society. He has advised policymakers about the tightening of the law concerning data leaks. Zwenne: ‘We need to pay a lot more attention to the protection of personal details. A data leak could have massive consequences and particularly for those the data apply to, such as survey respondents, students, teachers and others. Identity theft in particular can be very damaging.’