Key terms

Reading time
8 minutes

What will you learn?
You will become familiar with several key terms in relation to the ICT facilities offered by your employer.

Summary
A processing agreement is always needed (in addition to a licence agreement) if you are going to work with new software in which personal data is processed. If you are going to post personal data yourself, for example on social media, be aware that, usually via the conditions you have agreed to, you are also giving the social media platform a ‘licence’ to use your content. But no matter which software or hardware you use, making sure you update all applications, encrypt your hard drive and your connection and practise good overall digital hygiene are still the most important steps you can take to guarantee the safe handling of privacy and security.


 

Personal data is worth money (in some cases, a lot)

Yes, even yours! A huge number of online platforms are now profiting off of your personal data. Even if you don't use a few of the popular social media platforms, they often still know a lot more about you than you might think:

The more detailed your profile is on a given platform, the better the advertisements displayed on your personal page can be tailored specifically to you. And those in turn generate more income for the platform.

To protect your personal data, we as an education institution conclude so-called processing agreements with our ICT suppliers. In this agreement, we lay down exactly what they are and, above all, are not allowed to do with our students’ and employees’ personal data. So it is a good idea to understand the importance of such an agreement in case you yourself want to use new software for your work.

Take a look at this example:

 

A lecturer hastily copies notes taken by a few Political Science students, including their first and last names, into a Google Doc and accidentally leaves the document settings on ‘public’. The education institution itself uses Microsoft 365, as a result of which no processing agreement with Google exists. Years later, the student (who has since graduated) is told that notes of theirs, which clearly reveal their political preference, can be found online. The lecturer who manages the Google account no longer works at the education institution, as a result of which the document cannot simply be removed, either.

 

This situation, which is very unpleasant for the student, could have been avoided if the lecturer had made use of their own education institution's ICT applications. The same applies to the use of personal equipment; that can also go terribly wrong, as illustrated by the example below...

 

For the sake of convenience, an employee of an education institution had synchronised her business OneDrive account with her personal laptop, in order to also be able to immediately edit all business files locally and offline on her own laptop. Following a journey by train, she found that her laptop had been stolen; the password protection on the laptop proved inadequate. A few days later, it emerged that various files containing personal data that were saved on the laptop had been published on the internet, resulting in considerable damage being suffered by all parties involved.

 

So you must always be extremely cautious about using software and/or hardware that is not part of the range of applications offered by your education institution!

Carefully read through the following information first in order to learn what the various terms mean. On the next page, you will find out what the most important do's and don'ts are when it comes to working within the parameters of the ICT facilities provided by your education institution.

 

What do you have to hide?

Nothing, right? So why would we worry about privacy? Good question. Perhaps this video clip can provide a preliminary answer:

Oops, so you actually do indeed have something you want to hide... Much of the information about people that is discussed in this video clip is referred to as ‘personal data’. Personal data includes all information which can be directly or indirectly traced back to you as a unique individual. And why is it important to know this? Because you can also do some very unpleasant things with other people's personal data.

Have a look:


Personal data

OK, so it's important to refrain from carelessly scattering your personal data all over the place. But what exactly is ‘personal data’ anyway? Basically, it is any data which on its own, or in combination with other personal data, can be traced back to you as a unique individual.

Do you remember the game ‘Who am I?’ on the right? In this game, you combine various kinds of personal data, so you can eventually guess the identity of the person concerned correctly. It works the same way with your own personal data. The mere fact that you have brown hair is not personal data, but it is considered personal data if you are the only person in your class with that colour hair. On its own, your first name is in many cases insufficient to be able to identify you, but it is enough if your last name and house number are also known.

Examples of personal data: your name, address/email address and place of residence. But also telephone numbers, bank account numbers, study results and postcodes together with house numbers are considered personal data.

Special categories of personal data

And yes, ‘special’ personal data exists, too! The law provides for additional protection of this special category of data; no organisation is allowed to retrieve this data about you, unless an exception applies under the law. One of these exceptions is ‘consent’: as soon as you give your consent for an organisation to save your special personal data, the organisation is legally permitted to do so.

Special categories of personal data concern:

What now?

What use is all this information about personal data? Read the text from the Dutch Data Protection Authority below:

Every time you use personal data, that constitutes an infringement of the privacy of the people whose data you are using. You are therefore only permitted to use personal data if that is truly unavoidable, i.e. if you cannot fulfil your purpose without this data.


This means that if an organisation such as your education institution wants to use personal data, it must have a good reason for doing so. Such a reason is referred to as a ‘lawful basis’. There exist six different lawful bases on which you can legally use personal data, for example if someone has given you their consent, if there is a legal obligation to do so or if the personal data is necessary for the performance of a contract (e.g. an employment contract).

The legal rules regarding the use of personal data are laid down in the General Data Protection Regulation (GDPR). The essence of this is:

Processing agreement

An employee or student shares a few pieces of their personal data with the education institution. The education institution proceeds to use some of this personal data in order to be able to offer certain services, teach lessons or satisfy certain legal obligations. The personal data which the education institution shares with external parties does not fall under the agreements you reached with the education institution. For this purpose, the education institution will have to enter into a new agreement with the external party (the ‘processor’ of your personal data). This is referred to as a processing agreement and it is mandatory for both the education institution and for the external processor of the personal data.

Want to learn more about what exactly a processing agreement is? Watch the video clip at hulpbijprivacy.nl, read about it on the website of the Dutch Data Protection Authority or check the page [insert page url] of our intranet.

Licensing rights

A licence is also referred to as a right of use. The conditions under which a licence (and thus the right of use) is granted are always stated in the licence agreement. You would enter into a licence agreement, for example, if you were going to use new software (everyone is familiar with the ‘I agree to the licence agreement’ box, but who actually reads this text...?), but it could actually concern the use of any type of content, digital or analogue, including photos and video clips. If you want to make use of new software at our education institution, then you must always request permission for this first via [contact details of relevant department].

When you decide to use social media such as Facebook and WhatsApp, you must also agree to their general terms and conditions. You agree to this straightaway; you cannot negotiate the terms with these parties. In many cases this will also involve giving the social media platform a ‘licence’, i.e. a right of use, that allows it to use your photos and video clips, for instance. This does not mean the platform becomes the owner of the content (you yourself remain the owner), but under the agreement others are allowed, for example, to share your photos and video clips. As such, it would be very difficult to have all content you ever posted on the platform fully removed, should you ever decide that you want that done.

 

Do you have any questions about any of these topics? Then you can always contact [contact information ICT / Helpdesk]. Thank you for your cooperation!