Determining the appropriate retention period for personal data is not always easy. This is due to the following:

• The GDPR does not specify specific retention periods, and
• Some other laws (such as the Tax Act and the Archives Act) do specify how long we must retain certain (personal) data. Therefore, you need to know many laws.

General principle: do not retain personal data longer than you need it for the purpose for which it was collected.

For more information, refer to the Selectielijst Universiteiten en Universitair Medische Centra 2020.

If the selection list provides insufficient leads, please contact privacy.gw@uu.nl or privacy.rebo@uu.nl.

Good protection of personal data naturally begins with a secure way of working. On the intranet, you will find everything about information security. Be sure to also keep an eye on information regarding new forms of identity fraude, phishing and ransomware. Unfortunately, there are many negative developments in these areas.

A special warning applies to the use of USB flash drives. Use them only if there is absolutely no other option. While they are certainly very convenient, but in addition to the many drawbacks already mentioned on the intranet, these drives are also a source of extremely dangerous malware infections, such as infostealers.

Refer to: Informatiebeveiliging bij de UU (Intranet)

Yes! If you suspect that a data breach has occurred, report it immediately by sending an email to datalek@uu.nl. The reason you must report this immediately is that the university has only 72 hours to (provisionally) handle the data breach. The longer you wait, the less time remains.

In your email, provide as many details as possible about what happened:

• What situation led to the data breach? Provide a detailed description.
• When did the breach occur and when did you find out?
• Which categories of individuals were affected by the data breach, and how many people are involved? (e.g., 25 students and 1 instructor)
• What types of personal data may have been leaked? (e.g. names, student numbers, information about private circumstances)
• What might the potential consequences be for those affected? (e.g., they might be bullied; there is a risk of identity theft)
• Do the people involved know each other?

Emailing is a very error-prone activity. Many data breaches are caused by one of the following errors:

• An email is not addressed to the right person.
• There are too many recipients in the CC field. In emails to multiple people who do not necessarily know each other, the BCC field must be used.
• You have added an attachment, but it is intended for a different recipient.
• The content or attachment of the email is too sensitive to be sent via regular email. If you wish to send such an email to external recipients (i.e., outside the UU email system), you can use SURFfilesender. When doing so, enable encryption.
  N.B. For emails sent from one UU email address to another, the UU email system is in principle secure enough.

Possible solutions:

• Try to withdraw the incorrect email using the Outlook options.
• For future mailings, set a delay for sending emails. This gives you some time to cancel the sending of erroneous emails.

It is a well-known problem that students check their UU mailboxes only once in a while. This is in contrast to their private mailboxes, which are usually checked daily. Consequently, emails sent to the UU mailbox are often not noticed by the student, with all the associated negative consequences.

There is a tendency to therefore send emails from the university to the student’s private mailbox. For everyday emails, this may do no harm, but for emails containing sensitive information (such as exam results or appointments with the student psychologist), the private mailbox is unsuitable, at least if no measures are taken.

Possible solutions:

• Use SURFfilesender to send the sensitive data to the student’s private mailbox. This is quite cumbersome, because a password must also be sent via another channel to open the file.
• Do send the sensitive email to the student’s UU mailbox and simultaneously send a notification to their private mailbox. In that notification, simply state that an important email has been sent to the student’s UU mailbox and that the student is therefore kindly requested to check their inbox. Many government services also work this way.

A common mistake is saving a document from one student/employee in the file (or dossier) of another student/employee.

Possible solutions:

• Work with a naming protocol. For example, ensure that the name of the person a document concerns is prominently featured in the name of the document itself.
• Ask employees and students to check periodically whether the documents in their files are (still) correct. The latter is not only important in connection with data breaches. The GDPR stipulates that we must ensure, in any case, that the personal data we hold is correct.

When colleagues leave the organization or take on another job within the UU, it is often forgotten to revoke their access rights to certain Teams groups or other formal or less formal groups. If someone leaves the organization, they automatically lose access to certain groups because a UU user account is required for such access. However, if someone takes on another job within the UU, this does not apply.

Possible solutions:

• It must be a habit to immediately and critically review all access rights of people leaving a team.
• Sometimes that is difficult. Therefore, it is wise to formally appoint an administrator for each group, who checks the access permissions at least once every three months.

Teams groups are ideal places to work on documents and files together with a team. This invites the use of such spaces as a parking lot for all files that you might need within the team. However, especially when it comes to sensitive documents or files, this is not a good practice. After all, such documents or files should only be accessible to people who need to be aware of their contents (“need-to-know”).

Therefore, do not put sensitive files in a Teams group where not all members have a need-to-know, but share them—if necessary—with specific people.

You must always report the loss or theft of a phone or laptop via datalek@uu.nl. However, the fact that a phone or laptop has been stolen or otherwise lost, does not automatically mean that a data breach has occurred. The laptops provided to employees by UU are end-to-end encrypted. This means that a thief cannot even use the built-in storage device if it is removed and installed in another laptop.

A data breach does occur in the following cases:

• The laptop was stolen while it was turned on and unlocked.
• The device contains UU-related personal data that is not stored anywhere else, including on any of the UU systems. This includes graded student assignments.
• Not only has a laptop or phone gone missing, but also an unsecured external storage device (USB drive, external hard drive, memory card) containing personal data. “Unsecured” means that no password has been set for the storage device itself.

Partly due to the rise of AI, phishing is on the rise. Phishing occurs when unauthorized individuals use trickery and deception to try to get you to do something that allows them to obtain information or gain access to the systems you use. Phishing often takes the form of emails or other electronic messages that appear authentic and in which you are asked or enticed to click on something or follow a specific link. If you do so, spyware is often installed on your system, or you are lured to a well-crafted fake site where you enter your login credentials for the real site, such as your bank’s.

Until recently, phishing was usually easy to spot because hackers sent clumsy emails. Everyone is familiar with those poorly worded emails supposedly sent by tax authorities, banks, or princes from faraway lands. The hackers gave themselves away with their poor language skills. But with the rise of AI, writing emails that look authentic is now within everyone’s reach. As a result, it has become much harder to spot them.

General guidelines:

• Be especially careful with emails from addresses you don’t recognize.
• Never just click on a link; instead, hover your mouse pointer over it and check the bottom of the screen to see where it leads.
• If you’re unsure or have accidentally clicked on a phishing link, please send an email immediately to phishing@uu.nl.

Yes, that’s true. The data we need for administrative work is usually stored in official UU systems such as SAP, Blackboard, and Osiris. But when it comes to the total amount of data that an organization like the UU handles, these systems represent only the tip of the iceberg. To work efficiently and effectively, it is often necessary to work with data outside those official systems, whether in the form of copies of “official data” or in the form of unique data such as emails.

Some guidelines:

• Try to operate within the official systems as much as possible and limit your use of shadow systems to what is strictly necessary.
• Delete “temporary files” immediately, that is, as soon as the work is done. By temporary files, we mean files that are only needed, for example, to perform a calculation.
• Clean up your temporary files regularly (for example, once every six months during a quiet period). This also applies to files you’ve shared within your team.

Most of the processes within our faculty are well-organized. That’s true for now, but our organization isn’t standing still. Sometimes there’s room for improvement in our processes. For example, a process can be made “lean” by streamlining it. And at other times, we need to introduce entirely new processes because the world is simply changing. The first thing that might come to mind here is working with AI.

If personal data (such as information about students, staff, or alumni) is processed within these new or modified processes, it is important to involve the faculty privacy officers in the change or implementation process from the very beginning. They can then contribute their expertise, ensuring that the protection of personal data is, so to speak, “built into” the entire process. This is known as privacy by design. It is a legal requirement under the GDPR (Article 25).

Is there a possibility that the new or modified process poses a real risk to the rights, freedoms, and/or interests of anyone? If so, we will likely need to conduct a data protection impact assessment (DPIA). Although this process is overseen by the privacy officer, the process owner is responsible for carrying it out. The obligation to conduct a DPIA is set forth in Article 35 of the GDPR.

You can contact the privacy officers at privacy.gw@uu.nl and privacy.rebo@uu.nl.

Solution: Have the administrative office contact the student and ask if it is okay to share their contact information with the teacher. Or better yet: have the office ask the student if they would like to contact the teacher themselves.

Solution: Suggest to the researcher that they include a link to the survey invitation in the syllabus for the relevant course. Students can then decide for themselves whether to click on the link and provide their information.

Solution: There are other ways for the researcher to connect directly with alumni (e.g., social media). The information on social media has been made public by the alumni themselves.

Solution: The student association must handle its own recruitment. Our mailing list may not be used for spam. However, we can send first-year students a list of student associations in Utrecht so that they can contact them directly.

Solution: Often, this kind of information is already circulating within the sick colleague’s team. The sick colleague’s supervisor can then decide whether to share the information. But let’s not forget to be considerate!

Unfortunately, instances of exam cheating are occasionally detected among students, for example because a student has committed plagiarism or used AI when it was not permitted. In such cases, our systems record that the student has not met the course’s exam requirements, and in certain cases, the reason for this as well.

The fact that the student failed the course due to cheating must not be disclosed to third parties. The teacher in question is also prohibited from doing so. In the case of international exchange students studying at Utrecht University, their “home” university must not be informed about the exam cheating, but only about the fact that the student did not meet the course requirements.