What are the risks and how can you avoid them?

Reading time
11 minutes

What will you learn?
In this component, you will become familiar with all of the actions which will enable you to make as much use as possible of the ICT facilities offered by your employer.

Summary
The education institution you work for supports you in your work by providing both hardware and software. Most of the time, these resources should be sufficient for performing your work. However, it can happen that employees wish to use additional software and/or hardware. Keep in mind that for new software, in addition to a licence agreement, you may also need a processing agreement, and that if you use your own hardware you must take security measures, such as encryption. And with a view to security, lending your equipment to others, even to friends or acquaintances, is not a good idea.



The ICT facilities offered by your employer

Everyone tries to do their work in the best way possible. Some people need two laptops, while others require a special software program and still others will perhaps only require a mobile telephone. There was a time when you hardly had to think about this – those were the days...

Now, 30 years on, we have seen how rapidly the developments have occurred. A mobile telephone and a laptop are standard equipment for most employees and students. But what risks are involved in expanding the standard set of ICT facilities offered by your employer to include your own hardware and software? Can you imagine what the most important do's and don'ts are for each subject?


 

Using software of your own choosing

We've all been there: you want to quickly organise something for work or you have a nice idea for a new working format with students, for instance. But you do not succeed in achieving your goal using the programs on your laptop. So what do you do? You quickly start Googling to see if a solution exists. And sure enough, a website you had never heard of offers exactly the right little program!

Fortunately, these days it is hardly ever necessary to download programs, because doing so always means running up against the restrictions imposed by systems administration. On the website you found, all you have to do is create an account and agree to the terms and conditions. After that, you can get started right away. You are willing to accept the fact that the students must also create an account. After all, they will get a lot in return. Right...?

What do you think are the four key items for consideration when it comes to using software that is not part of the standard range offered by the education institution?


1. Personal data? Then a licence alone is not enough

Will personal data be processed in the new software you want to use? Then you will need a processing agreement in addition to a licence to the software. If the software does not make use of personal data, then a processing agreement is not necessary. If the new software is just a program that carries out calculations locally on your computer without processing any personal data, for instance, then having a licence to the software is sufficient.


2. Need a processing agreement, as well? Arrange it together with the licence agreement

Want to use new software in which personal data is processed? Then you must conclude a processing agreement immediately when entering into the licence agreement. Make sure the Procurement department is immediately involved in monitoring this process and arranges for the licences/agreements on your behalf. If you take out a licence first and want to conclude a processing agreement later, then not only will personal data probably already have been used in the application, but you will also be in a bad negotiating position to properly arrange for the processing agreement.


3. Both at home and at work

More and more software runs on the cloud and is thus unmanaged; the software runs on the servers of the provider itself, so that you as an organisation do not have to think about it anymore. While that is definitely convenient, it also means that you have direct access to the software both from home and at work. As a result, your passwords and all kinds of trackers which may be used by the software are stored on both your personal and your business equipment, which brings with it the risk that malicious parties may be able to access your business data in that specific application via your personal equipment, too.


4. Who is the product?

Is the application you want to use free? If so, there's a good chance that you are the ‘product’. For example, the information you post about yourself on a social media application may be interesting to advertisers. They pay the social media platform to obtain access to your data. With every free application, you should carefully consider who or what the product really is, so you can make a well-considered decision about whether or not you actually want to use the application.


The use of personal equipment

You probably use equipment you yourself own, such as a telephone, tablet or laptop, from time to time for business purposes. That's understandable, because working on the cloud means you can actually work anytime and anywhere. In itself, there's nothing wrong with that, provided that you ensure your personal equipment is properly protected.

Under the ‘right’ circumstances, a malicious person can also easily gain access to your business files and applications via your personal equipment. And that can be just as damaging for the organisation (if not more so) as someone hacking into your business equipment. So it is extremely important to have a good understanding of how you must handle your personal equipment if you also use it for business purposes.

What do you think the three most important items for consideration are when it comes to using personal equipment?

 

1. Do not synchronise

If you use a personal device, make sure you always work on the cloud. Do not copy any business files to your personal equipment and do not synchronise any cloud services (e.g. OneDrive) with your personal laptop, telephone or tablet. That way, you can prevent files ending up on equipment other than your business hardware.


2. Passwords

Do not save passwords for business applications in the browser on your personal equipment. Doing so will mean that anyone who has access to your personal equipment will also immediately be able to access your business applications, and thus may also be able to gain access to your business files and communication.


3. Digital hygiene

If you still want to use your personal equipment, ensure you practise good digital hygiene when doing so. Encrypt your hard drive, make sure all applications and operating systems are up to date, use a password manager and always work on the cloud when using your business applications on your personal equipment.

 


Social media use

A simple rule applies when it comes to using social media (with which no processing agreement exists) in your business activities: avoid it. This concerns not only popular social media such as WhatsApp, Facebook and Instagram, but all applications through which employees and students are connected with each other online and exchange data without agreements having been reached with that application concerning the processing of the data.

Does that mean that all applications are forbidden? Not at all. At the education institution, we make use of the application [fill in name of application] which enables employees to maintain contact with each other and to share files, among other things. We use [fill in name of application] for the communication and file sharing between students. These applications can be used safely: if you still want to make use of another application with which no processing agreement exists, you must always contact [fill in name of contact person/information manager] first.

What do you think the four most important items for consideration are when it comes to using social media?

 

1. Consent alone is not enough

According to the privacy legislation, if someone gives their consent for the use of personal data in a social media application such as Facebook or WhatsApp, they must also be able to withdraw it. However, when accepting the terms and conditions of Facebook or YouTube, for instance, the user transfers the licensing rights to any images and video clips they post within the application to Facebook or YouTube.

That means that Facebook, WhatsApp or YouTube can use all photos and video clips posted by the user on their platforms for other purposes, too. The tourist who suddenly spotted her Facebook profile photo in a Facebook advertisement hanging in a Japanese bus shelter is a well-known example of this. So if you withdraw your consent, that does not mean that all content is then removed from the platform: that content simply remains available to the social media platform itself under the licensing rights.


2. Students have a right to a secure learning environment, including online

Making mistakes is part of the learning process. Inside a closed online environment offered by the education institution itself and with which a processing agreement exists, you can guarantee the security; in principle, none of the student's work is shared publicly outside of this platform.

But let's say the lecturer asks students to do an assignment for a lecture on a public blog platform; in that case, the student's work will be available outside of the education institution's platform. And, as such, it can potentially also be found by future employers and business contacts. A student (and also an employee) has a right to a secure, closed online working and learning environment where mistakes can be made and in which it is not possible – either now or in future – for external parties to access the data.


3. Always offer an alternative

It is not forbidden to use social media. If you as a lecturer just want to inform your students of certain organisational changes (i.e. not personal data), then that can in principle be done via a Facebook group. However, you are also required to offer an alternative for students who do not have a Facebook account or who do not want to be part of the Facebook group. Students must be able to find all available information about their study programme using only the software offered by the education institution.


4. Take hierarchical relationships into account

Suppose you are a manager and you ask all your employees whether they would like to temporarily become members of a WhatsApp group in order to be able to make preparations for a colleague’s birthday celebration in secret. Do you think an employee who does not want to be part of this would dare say no? Is the consent to be given then truly voluntary? And would that one colleague who only works two days per week dare go against a group of full-time employees if a social Facebook group is created for the entire department? Or let's say one student from a tutorial is the only one who does not want to take part in an assignment on a popular new chat app. Would they dare refuse?

Always take any hierarchical relationships into consideration when asking others to make use of certain social media! Consent must be able to be freely given. In a hierarchical relationship (e.g. a relationship between an employee and a manager or a student and a lecturer), this is often not the case for the subordinate individual because they are more likely to feel obliged to give their consent.

 


All information about the handling of information at our school is laid down in the 'Information Security Policy'.