The General Data Protection Regulation is a European law that serves to protect persons with regard to the processing of their personal data and the movement of such data. It imposes obligations onto organizations that collect and process personal data of EU citizens or residents. The GDPR is designed to strengthen individuals’ fundamental rights, especially the right to privacy. In order to guarantee the protection of those rights, the GDPR imposes obligations for the collection and processing of personal data to be carried out in line with its principles: e.g., safely and securely.

Personal data is described as all information about an identified or identifiable natural person (the data subject).
A person is considered identifiable if he or she can be identified directly or indirectly based on one or more items of personal data, for example:

• student number,
• name and address,
• email address,
• date of birth and,
• IP-address.

In general, it can be assumed that personal data include all data relating to a living person that makes it possible to identify such a person or to distinguish them uniquely from other persons

Sensitive data is a type of data that requires a higher level of protection. Depending on the type of data, personal data can be regarded as sensitive data. Some personal data or a combination of data can be more sensitive in nature and therefore requires specific safeguards. These include, for example, data relating to children or other vulnerable groups, biometrics data, and health data.
Sensitive data in Education may include:

• Information regarding an individual’s health. For example, students' request for special needs requirements detailing disability and psychological assessments;
• Information regarding political opinions, and religious and philosophical beliefs.
• Biometric data, especially where this is used for identification purposes;
• Information relating to vulnerable individuals or groups, such as children.

When it is not possible to log in to an external application with a netID, there is a general tendency to use the TU Delft email address and password to create an account for the application. Unfortunately, it is almost impossible to guarantee the security of third-party applications. Using your TU Delft email address and password on an unsafe application may risk a serious data breach. For example, if a malicious party gets access to your TU Delft email address and password, access to the TU Delft digital infrastructure will be compromised. Also, your login information might be sold, used to perform phishing or spread ransomware.
The benefit of using the TU Delft Single Sign-On is that your login information will remain on the TU Delft servers which is safer. This reduces the risks of misuse, data breaches and hacks.

The GDPR requires parties to agree in taking measures to ensure the protection of the personal data they handle. When outsourcing certain data processing activities, organisations must be able to demonstrate that the processing of personal data is carried out in a GDPR compliant manner. This can be achieved by signing a Data Protection Agreement.

A DPA serves to regulate the particularities of (personal) data collection and processing – i.e., scope and purpose, and the rights and obligations between the parties. For the TU Delft, it is a way of ensuring that all data of TU Delft employees and students are collected, processed and stored by an external supplier according to the GDPR. By signing a DPA, TU Delft assigns data handling obligations including:

1. the requirement to comply with the GDPR;
2. the application of security and privacy measures according to the TU Delft standards and
3. the implementation of the TU Delft data breach notification procedure.

Suppliers who store data within the EEA (European Economic Area = EU + Norway, Liechtenstein, Iceland) need to comply with the data storage regulations of GDPR. Suppliers outside of the EEA can only exchange data when their country offers the same level of protection as the GDPR. Not knowing where data are stored increases the risk of uncontrolled distributions of that information to third parties which might not apply the same privacy and security rules and controls. Handing our sensitive data to a third party without a degree of control over the distribution of these data might increase the likelihood of data breach incidents, which might have an impact on the affected individuals.

Example
A data breach results in accidental disclosure of students’ special needs requirements detailing disability records, psychological assessments and financial information. This is likely to bring a significant impact on the students due to the sensitivity of the data and their confidential information becoming known to others. In addition, these data might be used maliciously. Some of these data breach incidents can have a damaging impact on individuals.

The short answer is yes. The GDPR requires data minimization. This means that a supplier shouldn’t require the collection of data more than they need to provide their services. Any supplier we sign a DPA (Data Processing Agreement) with, will generally have a description of the data they collect and the purpose of the collection.
Some suppliers (especially those which offer free services) have a business model that relies on collecting all sorts of users’ data – hence, more than required. Some of these data might be sold to other parties or advertisements agencies. Some may construct users' profiles which may bring harm to individuals or even a society (for example, Cambridge Analytica). By applying data minimization, we process personal data according to the GDPR and ensure the protection of TU Delft employees and students.

Encryption is a way of protecting data against unauthorised or unlawful access/ processing of data. It is one of the appropriate technical measures to secure the processing of personal data. In simple terms, encryption is a mathematical function that encodes data so that it remains hidden from or inaccessible to unauthorised users. Encryption is important in helping protect information stored on static devices (e.g., mobile phones, laptops) and during transmission. Encrypting personal data whilst it is being transferred will effectively protect data against interception.

There are great open-source educational tools out there. Someone with some IT skills can easily set up a server and host open-source tooling. However, you should be aware that there are some serious risks involved in using self-hosted software:
First, there is no guarantee for uptime of the tool. With self-hosted software, it is usually one person that is hosting and supporting the tool. What will happen if this person gets sick, or leaves the TU Delft for another job? What will happen when a tool goes offline, and this person has no time to fix it?
Secondly, installing a tool is not so difficult, but supporting the tool and servers is the tricky part. Is the tool installed in the best possible way? Who will update the tool, but also the servers? Who will monitor if the tool (or servers) has security issues? Who will make sure that the data is stored long enough (in some cases seven years) and in a safe and secure way?
Finally, who is responsible if something goes wrong? What will happen when the tool is hacked and there is a data breach? Who needs to act and report to the authority? Who needs to pay the fines?
To sum it all up: There are some serious privacy and security risks with using self-hosted tools. If you want to use self-hosted software, make sure to be aware of the risks it may cause you.