How will the GDPR affect your work as an educator?
Questions?
If you have any questions about this course, please contact us at info@cybersaveyourself.nl.
Purpose and overview
The General Data Protection Regulation (GDPR) entered into force on 25 May 2018 and is the same across all EU member states. It has replaced and superseded the Personal Data Protection Act (PDPA) as of that date. The Dutch name of the GDPR is Algemene Verordening Gegevensbescherming (AVG).
What will change?
The GDPR will, among other things:
strengthen and expand privacy rights;
expand the scope of responsibilities for organisations;
provide the same robust powers for all European privacy regulators, such as the power to impose fines of up to € 20 million.
The GDPR also has significant consequences for the work of educators. This online module will help you learn about the changes the GDPR will bring but also the opportunities it offers.
Purpose
The purpose of this module is threefold:
you will learn what the GDPR is all about;
you will learn the specific aspects of the GDPR that are relevant to you as an educator;
you will learn the steps you need to take to comply with the GDPR.
Target audience
This module has been developed for educators who are associated with a university or a university of applied sciences.
Summary
This online module consists of three sections:
They involve three education-related cases, each accompanied by a short quiz to test your current knowledge of the GDPR.
You will learn about various aspects of the GDPR, such as Privacy by Design and the six rules of thumb.
Using three scenarios, you will learn about the criteria that determine an important part of the measures to be taken within a given situation.
Duration
The entire module takes about 45 minutes to complete.
Three cases
What is your current knowledge of the GDPR? How well can you determine what technical and organisational measures need to be taken within the context of a given situation? To test yourself, we offer you three introductory cases. Please read the cases carefully before trying to answer the questions.
Every year, a completely new group of students. How will you remember the names of each and every person? A 'student directory' is still a common method used for this purpose. Just print out the names and photos of the students and, voilà, you will always have everyone 'at hand'.
What is the situation?
In this case, an educator has created a student directory. Not only has he included the names of the students, but he has also penned some notes about each student, e.g. study results, specific details and interests. The educator hopes that this information will help him get to know the students faster and better.
What happened?
The educator loses the student directory while travelling on public transport. Because he had written his name and email address on the first page, he was fortunate enough to have it returned to him by an alert finder later that week. As the student directory was only 'lost’ for a relatively short period of time, he decides not to report the incident internally or to inform the students about it.
What does the GDPR say about this?
See if you can answer the questions below. This will show you how much you already know about the GDPR:
Oefening: Student directory
0%
Which measures should the educator have taken in this case to ensure that the personal data are properly protected? Take the test to find out how much you already know about the GDPR. Good luck!
After completing the exercise, click the arrow at the bottom right to go to the next page.
Case 2: Live streaming
Why attend lectures when you can also watch everything online? More and more universities and universities of applied sciences are using video solutions to make lectures available online. Usually, there are also some students who will record lectures and post them online.
What is the situation?
One of the students streams a 'live' lecture for a roommate who is unable to attend. The student has propped his mobile phone on a small tripod to ensure stable footage. The student shares the lecture with all his followers, including his roommate, on Instagram. The educator has no idea that the student is recording the lecture.
What happened?
After class, one of the other students informs the educator that his lecture has been posted on Instagram. The educator is not happy about this and says as much to the student. The student asserts that he has the right to record the educator, since the university always posts the lectures online during the following week.
The educator says that while he has indeed given the university permission to post his lectures online, he has not given the student permission to do so on social media.
What does the GDPR say about this?
See if you can answer the questions below. This will show you how much you already know about the GDPR:
Oefening: Live streaming
0%
Which measures should the educator have taken in this case to ensure that the personal data are properly protected? Take the test to find out how much you already know about the GDPR. Good luck!
After completing the exercise, click the arrow at the bottom right to go to the next page.
Case 3: Exam results
Not too long ago, printed exam results were put up on the bulletin board in the central hall. Today, however, this process is carried out digitally in almost every educational organisation, allowing students to see their results in an app.
What is the situation?
One of the educators has difficulty working with the internal system that stores study results and makes them available to students. He always manages it in the end, but students are impatient and want to see their results right away. For that reason, the educator always shares the results directly in the Whatsapp group, informing everyone as soon as they become available.
What happened?
Inadvertently, the educator shares the results in the wrong Whatsapp group. It takes a while before someone in the group mentions this. The educator deletes the message and shares it in the right group. This way, the students also see each other's results and usually save an image of the results on their phone.
What does the GDPR say about this?
See if you can answer the questions below. This will show you how much you already know about the GDPR:
Oefening: Exam results
0%
Which measures should the educator take in this case to ensure that the personal data are properly processed? Take the test to find out how much you already know about the GDPR. Good luck!
After completing the exercise, click the arrow at the bottom right to go to the next page.
Privacy in education
The GDPR
The GDPR applies to personal data. Therefore, the first question to ask is always: for what activity (activities) in your courses do you process personal data? The GDPR only applies to these activities. Watch the GDPR video below before reading the key points for a correct implementation of the GDPR in your courses.
Familiarise yourself with the GDPR, and follow this link for the complete text of this regulation. No time to read all 88 pages? The five key points of the GDPR that every educator needs to know are:
WORK SAFELY
There are various (often simple) measures you can take to maximise student privacy in your courses. An overview of these measures is available on the 'Quick wins' page.
LEGAL BASIS
A legal basis, such as consent or a legitimate interest, must exist in order for personal data to be processed. You can view the six possible legal bases in this figure.
PRIVACY BY DESIGN & PRIVACY BY DEFAULT
Build maximum privacy and data protection safeguards into your course plan from the earliest stages of development. This is referred to as Privacy by Design. And where possible, set all default settings in apps or other software, for example, to the most privacy-friendly option. This is referred to as Privacy by Default.
COMPLY WITH THE PRIVACY PRINCIPLES
Comply with the six privacy principles, such as 'data minimisation' and 'transparency’, when processing personal data before, during and after the course. You can view the six privacy principles in this figure.
EXTERNAL APPLICATIONS ARE YOUR RESPONSIBILITY
As long as you are working within the internal systems provided by the organisation, you are fine. The organisation is responsible for these systems and, as an educator, you can rest assured that the organisation has good agreements in place with its suppliers. You will be held accountable if you share the personal data of students or employees outside these systems. So, think carefully about which system you are working in.
Would you like to know more?
In this module, we will discuss in more detail what you, as an educator, must (and should) do under the GDPR. If you would like to learn more about the GDPR, we recommend you visit hulpbijprivacy.nl. This is the website of the Dutch Data Protection Authority and it provides clear general information about the GDPR.
This SURF website also provides a Wiki containing helpful information about, and interpretation of, the regulation, plus a comparison with the Personal Data Protection Act.
Six rules of thumb
The GDPR is based on six principles, also referred to as the rules of thumb. It is important for educators to keep these rules of thumb in mind in every phase of the course. Applying these rules of thumb consistently reduces the risk of errors in handling personal data.
A brief explanation
Below, you will find the six rules of thumb, each with an associated question. If during the course the answer to one of these questions is 'no’, you will need adjust your course. For instance, by informing students more clearly ('Transparency'), destroying the personal data ('Retention period') or asking for a 'nickname' instead of their real name in a certain app (‘Data minimisation').
Read the six rules of thumb before trying to answer the questions below:
Oefening: Six rules of thumb
0%
Always start by reading the descriptive summary before answering the question. Good luck!
Privacy by Design and Privacy by Default. The two key starting points for the proper handling of personal data. In short, the terms mean that you are building data protection safeguards into the design of your course from the earliest stage of development and setting by default the settings of products and services to the most privacy-friendly option.
Watch the video below before trying to complete the exercise:
Privacy by Default
Like Privacy by Design, Privacy by Default is really a mindset. Every time you use a new product or service or adjust an existing service or product, ask yourself: how can I minimise the sharing of personal data through this service or product?
Setting the service or product settings to the most privacy-friendly option enables you to approach your work with a privacy-by-default mindset. Examples of this include:
Choose, if possible, digital applications in which students do not have to create a new account, but can be identified by a number or nickname of their own choosing.
Where possible, store student data only within digital applications that have been made available by the educational institution.
When using a new digital application, disable all unnecessary tracking systems (e.g. location, IP address, device type, etc.) where possible.
'Privacy by Design'
Every course is different, so the exact measures to be taken for every step in your course to safeguard student and employee privacy may also differ. Therefore, Privacy by Design mainly involves cultivating a mindset of focusing on privacy throughout your course.
Below, you will find a fictional series of lessons divided into six steps. Try to discover the technical and organisational measures that you could take with every step.
Quick wins
In the three cases, you see that each situation requires specific measures to ensure proper handling of personal data. However, there are also a number of general quick wins: simple adjustments to your learning activities that ensure a great deal of added security. This page contains a brief overview.
What can you do now?
Below, you will find seven relatively simple actions that significantly reduce the risk of data breaches. We advise each educator to implement them where possible.
Privacy filter: a special type of foil that can be used on any laptop or desktop screen. It reduces the viewing angle, safeguarding data from prying eyes, which is useful, especially if you travel extensively for work. Search for 'privacy filter laptop' to find a suitable type.
Webcam cover: prevents unauthorised viewing from your webcam. A webcam cover is a 'small lock’ that is easy to install and can cover the webcam completely, if desired, making unauthorised viewing a thing of the past. search for 'webcam cover' to find a suitable type.
Encryption of the hard drive: encryption protects the data on the drive from unauthorised access, as the drive can be easily removed from your laptop and be effortlessly read by a PC. BitLocker Drive Encryption is a good option for Windows, and FileVault will get the job done on Macs.
Terms of service (ToS) reader: many online services have included provisions in their ToS as to what they can do with your data. There are add-ons available for your browser to facilitate assessment of these often lengthy ToS documents. These add-ons provide additional information about the risks you may encounter when using the service.
Anti-virus software: good anti-virus software and regular system updates are essential to prevent malicious attacks and unauthorised access to your computer or laptop. This software keeps your computer clean and secure.
Anti-tracking and anti-cookie software: web browser software that analyses cookies and provides information on what these cookies do and blocks harmful cookies. This software also checks whether a party is ‘tracking’ and collecting information about you, which it may pass on to third parties.
Ask yourself these questions
The GDPR is not a checklist that tells you exactly what you can and cannot do with personal data in any given situation. It is a set of guidelines that can lead to different measures in different contexts. In this chapter, we will offer you a number of questions per 'educator role', which will help you understand what you need to take into account within the GDPR guidelines.
Four roles
To give you the questions on the GDPR in a structured manner, we have divided the daily activities of educators into four roles. These four roles are:
Click ‘Next' again to see the most important questions per role that an educator has to ask about the handling of personal data.
Develop
Every educator develops his or her own course plan to a greater or lesser extent. This may be a PowerPoint presentation, or a complete series of lessons, assignment, activity or workgroup. Whenever personal data comes into play within the developed materials or activities, you must take appropriate measures. On this page, you will find the questions you need to ask in each case.
Course content
1. Are you going to develop your own teaching materials or will you use teaching materials from a publisher?
If you are working with a publisher, make sure you have good privacy agreements in place. Your organisation must enter into a data processing agreement with the publisher. If you develop your own teaching materials, you are responsible for the proper handling of personal data.
2. Where will you store the teaching materials you have developed and who has access to them?
Work from 'Privacy by design' and make sure that the data are securely stored in each phase.
Learning activities
1. Can you offer a safe environment online and physically in terms of privacy at any given time?
Examine all steps in the series of lessons before determining how privacy can be ensured in each step. This applies to personal data storage, communication between you and the students and issues such as notes, results and monitoring.
Software
1. Do you use software purchased by the organisation?
If so, a 'data processing agreement' is in place and privacy is guaranteed.
2. Do you also want to use software that is not purchased by the organisation?
Determine whether this software meets the privacy guidelines of your organisation. And enter into a data processing agreement directly or via the organisation.
3. What influence do you have on the privacy settings of the software to be used?
When the course plan has been developed, students will take the course. This may be done in a lecture hall or workgroup, but courses are increasingly provided online. Also during all face-to-face and online activities, you should think about the moments and the way in which your personal data, and that of students and colleagues, play a role in this regard. The questions on this page will guide you in determining this.
Course content
1. Do you use external teaching materials, including software, for monitoring students?
If so, check whether this environment meets the privacy guidelines of your organisation.
Learning activities
1. Can you guarantee a safe environment in every learning activity for yourself and the students?
Make sure, for example, that personal data (such as photos/film recordings, study results) are not shared outside the classroom. And for online learning activities, use software that meets the privacy guidelines of the organisation.
2. Who has access to personal data during all the learning activities?
Determine whether this person or party has taken the appropriate measures to ensure privacy.
Software
1. Do you use software purchased by the organisation in certain learning activities?
If so, a 'data processing agreement' is in place and privacy is guaranteed.
2. Do you also want to use software that has not been purchased by the organisation?
If so, determine whether this software meets the privacy guidelines of your organisation. And enter into a processor’s agreement directly or via the organisation.
3. What influence do you have on the privacy settings of the software to be used?
An important part of the course plan is student assessment. This can take the form of a final mark, a portfolio, interview or interim report. Every form of assessment you record involves sensitive personal data, which requires that both you and the student handle this with due care. The questions on this page will help you achieve that.
Results
1. What 'results' will students receive during the series of lessons?
Not only a final mark, but also assignments, papers, essays and other products by students can be regarded as study results. All these results as a whole can say something about the student's progress and should therefore be stored in a secure way.
Publication
1. In what way or ways are the different results published?
Publication does not only involve recording marks in the tracking system, but also the possible sharing of resulting via online platforms/apps, such as social media. Ensure that not only the final results, but also all intermediate results are only shared in safe environments.
Storage
1. Where are the results stored?
Are the results stored using the software purchased by your organisation? If so, a 'data processing agreement' is in place and privacy is guaranteed. If you are using other software, consult internally as to whether results may be stored (and possibly published) in it.
2. For how long will the results be stored?
Critically examine the necessity for storing certain results. Destroy them, if possible.
Coach
Most educators coach one or more students in one way or another. Coaching may be provided during a thesis or final paper, or during interviews or digital communication about general study progress. Students often share sensitive personal data during coaching. Not only about their progress, but also about more personal matters. Protecting their privacy is essential.
Reporting
1. How and in which setting do you report on the coaching of students
Assess all forms of reporting for protection of privacy. Do you make notes in a notebook, which may get lost? Do you share reports over an unsecured server? Do you save your reports in a private mailbox? Etc. Make sure that all reports and notes on student coaching are stored in a secure environment.
Sharing
1. Who has access to the reports or notes?
Chances are that not only you and the student, but also external parties, such as a student psychologist or student counsellor , have access to the notes or reports. Determine in advance how you and the others can share and jointly store the desired information in a secure manner.
Storage
1. Where do you save the reports and notes?
Are they saved using the software purchased by your organisation? If so, a 'data processing agreement' is in place and privacy is guaranteed. Take additional measures if you make notes on paper, travel extensively for work (and others may be able to view the data while travelling) and share the notes or reports with several (external) parties.
Congratulations!
You have reached the end of this online module on Privacy in Education! We hope it has given you a clear idea about the various sections within the GDPR and what role the GDPR plays within your course plan.
If you have any questions or comments after having taken this online module, please do not hesitate to get in touch with the privacy expert within your organisation or Cybersave Yourself at info@cybersaveyourself.nl.
Other/Dutch modules
SURF also offers e-learning courses about privacy for various other target groups. On this page you will find an overview of all Dutch and English modules in the series.
Ook voor diverse andere doelgroepen biedt SURF een e-learning over privacy aan. Op deze pagina vind je een overzicht van alle Nederlands- en Engelstalige modules in de reeks.
English e-learning modules:
Privacy in Research
target group: English speaking researchers in research and education in The Netherlands
duration: approx. 45 minutes
Privacy in Research Light
target group: English speaking researchers in research and education in The Netherlands
duration: approx. 20 minutes
Privacy in Education
target group: English speaking teachers in research and education in The Netherlands
duration: approx. 45 minutes
Nederlandstalige e-learning modules:
Privacy in Onderzoek
doelgroep: onderzoekers in onderwijs en onderzoek in Nederland
duur: ca. 45 minuten
Privacy in Onderzoek Light
doelgroep: onderzoekers in onderwijs en onderzoek in Nederland
duur: ca. 20 minuten
Privacy in Onderwijs
doelgroep: docenten in onderwijs en onderzoek in Nederland
duur: ca. 45 minuten
Het arrangement Privacy in Education is gemaakt met
Wikiwijs van
Kennisnet. Wikiwijs is hét onderwijsplatform waar je leermiddelen zoekt,
maakt en deelt.
Dit lesmateriaal is gepubliceerd onder de Creative Commons Naamsvermelding-GelijkDelen 4.0 Internationale licentie. Dit houdt in dat je onder de voorwaarde van naamsvermelding en publicatie onder dezelfde licentie vrij bent om:
het werk te delen - te kopiëren, te verspreiden en door te geven via elk medium of bestandsformaat
het werk te bewerken - te remixen, te veranderen en afgeleide werken te maken
voor alle doeleinden, inclusief commerciële doeleinden.
The General Data Protection Regulation (GDPR) entered into force on 25 May 2018 and is the same across all EU member states. It has replaced and superseded the Personal Data Protection Act (PDPA) as of that date. The Dutch name of the GDPR is Algemene Verordening Gegevensbescherming (AVG).
What is your current knowledge of the GDPR? How well can you determine what technical and organisational measures need to be taken within the context of a given situation? To test yourself, we offer you three introductory cases. Please read the cases carefully before trying to answer the questions.
: 
: 
: 
Every year, a completely new group of students. How will you remember the names of each and every person? A 'student directory' is still a common method used for this purpose. Just print out the names and photos of the students and, voilà, you will always have everyone 'at hand'.
Why attend lectures when you can also watch everything online? More and more universities and universities of applied sciences are using video solutions to make lectures available online. Usually, there are also some students who will record lectures and post them online.
Not too long ago, printed exam results were put up on the bulletin board in the central hall. Today, however, this process is carried out digitally in almost every educational organisation, allowing students to see their results in an app.
The GDPR applies to personal data. Therefore, the first question to ask is always: for what activity (activities) in your courses do you process personal data? The GDPR only applies to these activities. Watch the GDPR video below before reading the key points for a correct implementation of the GDPR in your courses.
Privacy by Design and Privacy by Default. The two key starting points for the proper handling of personal data. In short, the terms mean that you are building data protection safeguards into the design of your course from the earliest stage of development and setting by default the settings of products and services to the most privacy-friendly option.
In the three cases, you see that each situation requires specific measures to ensure proper handling of personal data. However, there are also a number of general quick wins: simple adjustments to your learning activities that ensure a great deal of added security. This page contains a brief overview.
Privacy filter: a special type of foil that can be used on any laptop or desktop screen. It reduces the viewing angle, safeguarding data from prying eyes, which is useful, especially if you travel extensively for work. Search for 'privacy filter laptop' to find a suitable type.
Encryption of the hard drive: encryption protects the data on the drive from unauthorised access, as the drive can be easily removed from your laptop and be effortlessly read by a PC. BitLocker Drive Encryption is a good option for Windows, and FileVault will get the job done on Macs.
Terms of service (ToS) reader: many online services have included provisions in their ToS as to what they can do with your data. There are add-ons available for your browser to facilitate assessment of these often lengthy ToS documents. These add-ons provide additional information about the risks you may encounter when using the service.
Every educator develops his or her own course plan to a greater or lesser extent. This may be a PowerPoint presentation, or a complete series of lessons, assignment, activity or workgroup. Whenever personal data comes into play within the developed materials or activities, you must take appropriate measures. On this page, you will find the questions you need to ask in each case.
When the course plan has been developed, students will take the course. This may be done in a lecture hall or workgroup, but courses are increasingly provided online. Also during all face-to-face and online activities, you should think about the moments and the way in which your personal data, and that of students and colleagues, play a role in this regard. The questions on this page will guide you in determining this.
An important part of the course plan is student assessment. This can take the form of a final mark, a portfolio, interview or interim report. Every form of assessment you record involves sensitive personal data, which requires that both you and the student handle this with due care. The questions on this page will help you achieve that.
Most educators coach one or more students in one way or another. Coaching may be provided during a thesis or final paper, or during interviews or digital communication about general study progress. Students often share sensitive personal data during coaching. Not only about their progress, but also about more personal matters. Protecting their privacy is essential.
