Reading time
11 minutes
What will you learn?
In this component you will learn how to make sure that only the right people are able to access the right data, both in situations in which you need data from others and in which others need data from you, and how you can handle data from your organisation in a secure manner.
Summary
As soon as you use someone else's data/personal data in your work, you must ensure there is a sound basis for doing so, i.e. that you have a good reason for using that data, that you don't use more data than strictly necessary for your purposes and that the data subjects know that their data will be used for those purposes. If you are going to share other people's data/personal data, make sure that what you are sharing and with whom you are sharing it is in keeping with the original purpose for which the data was collected, that the data subjects know with whom their data will be shared and that you only share it with the right people.
In order to be able to work with data in a secure manner, it is important that you are aware of the classification of information and that for each type of data, you know the rules which are relevant to your position. In this context, remember that handling data in a secure manner not only pertains to digital documents, but also, for instance, a whiteboard covered with notes, a cupboard in an office or documents lying in a rubbish bin.
And if you do accidentally cause a data breach, it is very important that you report this immediately to [insert name/contact details of individual/department].
Sharing data with people who are not authorised to access it constitutes a data breach. The potential impact of a data breach on all data subjects is huge; just have a look at the discussion about a possible app for tracking the spread of the coronavirus:
The fact that data breaches which occur at our education institution impact fewer people than a data breach in a coronavirus app does not necessarily make them any less serious for those who are directly affected by them. Fortunately, you can minimise the risk of a data breach occurring in the course of your own work in a relatively simple manner, and thus guarantee that the handling of your own data and that of others takes place in as secure a manner as possible.
For each scenario, can you work out what the most important actions are for preventing a data breach?
Everyone needs to use other people's personal data from time to time in their work, for example because, as a researcher, you are required to film people, or because, as a confidential advisor, you must compile a concise report of a discussion with an employee, or simply because you want to put up a birthday calendar for your department.
You are definitely not automatically permitted to collect personal data, not even if the collection will take place in the context of one's formal duties. The collection of research data which consists – at least in part – of personal data must conform to the same principles as the student facebook put together each year by a lecturer. Those principles are not complicated, but they are of tremendous importance if you want to use other people's personal data.
What do you think are the six most important principles if you want to use someone else's personal data?
The basic rules for collecting personal data are that you must:
Have a legal basis. Do you have a valid reason for collecting the data? There are six lawful bases for the collection of personal data, including the performance of a contract, a legal obligation (e.g. the data must be transferred to the Tax and Customs Authority) or consent. If the basis is ‘consent’, you must ensure that the consent was given freely and on a properly informed basis and that the person can also withdraw their consent at any time. In addition, you must be able to demonstrate at all times that you have obtained consent for the collection of the personal data. Therefore, consent does not remain valid indefinitely, as it can always be withdrawn again.
Not collect more data than is necessary to fulfil the intended purpose. Any purpose could be legitimate, but you must be able to account for why you are requesting the data. For example, if a student is going abroad, you might also ask for the parents’ data in order to have a backstop in case of an emergency. However, you cannot for example request all kinds of arbitrary personal data from prospective students at an open day: that is not a legitimate purpose.
Only use the personal data for the purpose for which it was collected. For example, if a student starts working as a student assistant at their own institution, you may not use the data from the student administration for this purpose. The student must resubmit their own data to the personnel administration. Email addresses from work placement companies are another example: you are not automatically permitted to use these to inform them of all kinds of events, conferences, etc.
Always arrange for the appropriate security/protection features, such as access restriction, encryption, 2FA, etc., in order to prevent data breaches wherever possible.
Always inform the data subjects (the people whose personal data you are processing) in advance why you need the data, with whom you are going to share it and how long you will store it. That will not always happen in a particularly formal way (such as when including your colleagues in a birthday calendar or adding people to a WhatsApp group), but be aware that it is your responsibility to inform the data subjects about how you will handle their data. You must also always inform them of any changes that will be made in the usage of their personal data (and perhaps also request their consent again if the purpose will change, as well).
Actually have the personal data archived or deleted if you no longer need it. If there is no legitimate storage limitation, you must delete the data immediately after achieving your purpose.
As soon as you have gathered the personal data that serves your purpose, you may want to share it, for example by including it in the birthday calendar, publishing it in a research report, using it in a new app for students or sending the requested medical files to the occupational physician. But what rules apply in these cases? In what way are you actually allowed to share data?
It seems so obvious: creating a WhatsApp group, sending a file to an external party so you can quickly move forward with your project. But the effects of sharing personal data should not be underestimated. In our digital era, one false move can have big consequences. That does not mean that we should share less data with each other, but it does mean we should be fully aware of the risks if things go wrong.
What do you think the three most important items for consideration are when sharing personal data with others?
If you are going to share the personal data with others, ask yourself whether the purpose of the distribution of personal data is (still) in keeping with the original purpose for which the data was once collected. The list of student email addresses was probably not originally compiled in order to be uploaded to the latest fun app. And the facebook is probably not intended for the purpose of coming up with questions for the Friday afternoon pub quiz. This also applies to any documents you want to share with external parties: if the document containing personal data is not in principle intended to be shared with external parties, then you are not simply permitted to do so.
If you want to share personal data with others (internally or externally), make sure that the data subjects whose data you are going to share are aware of why, where, with whom and for how long you will share this data.
It sounds so obvious, but this often goes wrong accidentally. That one email which goes to the wrong external recipient or letter that goes to the wrong postal address, the forgotten document containing personal data in the printer or the Excel file from HR on your laptop which you leave open while going to the toilet. If you work with personal data, pay particular attention to handling that data in a secure manner. And if things do still go wrong, always report this to [insert contact details].
Information has varying degrees of confidentiality at every organisation. Certain information is publicly available on the website, other information is only accessible on the intranet and still other information is only available to the management board; so each type of information has a specific ‘classification’. The information you have access to depends on your position and it is important that you know what the rules are for each type of classification.
With whom are you allowed to share certain information? What are the requirements for sharing that information? And what are the potential risks if you share certain information with unauthorised individuals? These questions not only relate to digital documents, but to all information within our organisation, in fact. A whiteboard which is covered with notes after a meeting, the content of your rubbish bin and that open cupboard with archive folders in your office also fall into this category.
What do you think the four most important items for consideration are for guaranteeing information is handled in a secure manner?
Each employee has access to certain information in the organisation. An HR employee can inspect personnel files, a controller is aware of the current financial situation and a lecturer knows about the students’ study progress. Our organisation has various types of information: public information, internal information, confidential information and restricted information [insert the classifications yourself here]. The rules for handling each type of information are described in the protocol [insert title and location of document with classification rules]. Read this protocol thoroughly so you know how you can guarantee that the information you have access to in your position will be handled in a secure manner.
By practising proper ‘hygiene’ in the handling of all information within our education institution, you can avoid most of the risks of data breaches. The basic principles in this respect have already been discussed in the various modules of this course: always ensure your software is up to date, encrypt your hard drives, avoid syncing your business cloud storage with your personal equipment and avoid using public WiFi networks, unless you make use of a VPN connection. This also applies to analogue information, such as whiteboards and flip charts, open cupboards and desk drawers, unlocked laptops, etc.
Especially not at home. It seems so easy to just give your housemates your laptop so they can watch that great Netflix film. But precisely at that moment, you receive a message from work, someone clicks on it and suddenly your housemate is in the middle of an email conversation. Or your children download that new game on your business telephone, with all the associated risks of ransomware being installed. Or the adolescents in your house, who send a ‘funny’ text message back to your manager just for fun with all the associated consequences. When it comes to business equipment, follow this simple principle: never lend it to anyone.
And of course, everyone makes mistakes from time to time. You may unintentionally and inadvertently forward information to the wrong person, click on a suspicious link or forget your laptop on the train. We can search for the best solution together, but then it does need to be clear what exactly has transpired. Report every suspicion of a data breach to [insert contact details]. You are better off making one report too many than one too few. Privacy and security are, after all, a human effort.
All information about the handling of information at our school is laid down in the 'Information Security Policy'. You can download and view this document via the button below: