Privacy legislation
Our privacy has been in the news a lot lately though when it comes down it only a few of us know what data are gathered by businesses and government bodies, where they are kept and what they are otherwise used for. The Netherlands has set up the Dutch Data Protection Authority to take and keep control of matters concerning the protection of personal data. The authority is responsible for the proper implementation of the Dutch Data Protection Act (Wet Bescherming Persoonsgegevens - Wbp), a piece of legislation deemed necessary because stricter rules were needed in the wake of rapidly changing circumstances in the digital world.

As of 25 May 2018 the Dutch Data Protection Act has been replaced by the European General Data Protection Regulation (GDRP).The new legislation sets additional and more demanding requirements in dealing with personal data. A number of things are regulated differently in the new European regulation than in the current privacy laws, the main ones being:

  • Citizens acquire more rights;
  • Supervision of privacy has been improved;
  • Much more has to be arranged regarding the use and holding of personal data.

Personal data, in brief
Reports appear in the news quite regularly about the leaking of personal data or a personal data breach. Passwords, email addresses, user names are then in the public domain with all the distressing consequences. If we are talking about personal data this is general information about a person such as name, date of birth and gender. The law also speaks of special categories of personal data including but not confined to passport photos, Dutch Citizen Service number (BSN), religion and health.

The new privacy legislation, the first steps!
The Executive Board, as the ultimate body responsible for arrangements for the security of information and privacy, has drawn up a step-by-step plan comprising three main elements:

  • Organisation of Information Security and Privacy policy (ISP);
  • Arrangements for the implementation of Information Security and Privacy policy measures;
  • Launch of the communication process with students, teachers, members of staff, parents and external parties about how we deal with personal data securely and responsibly.

1. Information Security and Privacy policy (ISP)
The information security policy plan was drawn up and worked out in detail in 2017. The plan deals with our technical digital security measures, our relationship with the Data Protection Authority (the body that supervises compliance with the privacy laws) and how we deal with data breaches and suppliers that hold personal data from the University of the Arts The Hague.

A privacy policy plan was drawn up in 2018 determining the shape of the privacy policy at the University of the Arts The Hague. An external data protection officer has been engaged in order to comply with the requirement of external supervision.

2. Implementing ISP policy: what needs to be arranged by law
There are a number of aspects of ISP policy that the University needs to arrange by law. The date of 25 May 2018 introduces a number of importance issues such as organising the rights of those involved ( including the right to be forgotten, the right to data portability, the right to subject access), stricter reporting obligations in the case of data leaks and the provision of guidance about dealing with personal data in an aware way.

A data breach involves unintentional access to, erasure of, amendment to or release of personal data by the University. A data breach includes the release (leaking) of data but also the illegal processing of data. Examples of data breaches are: a lost USB-stick with personal data, a stolen laptop or breach by a hacker into a computer file system.

A data breach must be reported immediately to Marcel Beijer – head ICT

3. Dealing properly with personal data
Dealing properly with personal data is not just the job of the University as an organisation but it is a responsibility of us all as individuals. Whether you are a members of staff, teacher or student these days we all have to be aware of the digitals dangers. A few tips:

  • Update all your software regularly; this makes you less vulnerable to viruses. Don’t just click off notifications, but take time (e.g. at lunch etc.) to implement them;
  • Don’t use separate hard disks or USB sticks to store information if you can help it; this helps prevent loss of confidential information;
  • Lock you screen if you’re absent for any length of time to prevent unauthorised access to information;
  • NEVER disclose your password, don’t click on unknown hyperlinks in emails and don’t open any unfamiliar files: this helps prevent infection from viruses;
  • Protect your laptop from theft or loss; if your laptop is lost or stolen report this immediately;
  • Surf securely: make sure you’re using a secure network. Check to see that the website you’re visiting displays a green lock. Look at the top in the url bar.

More information?

The undersigned are of course ready to answer any questions you may have. From now on we will be regularly getting in touch about all kinds of privacy aspects. You can go to the intranet to find documents to help you protect personal data. Here you will shortly find more specialised information about the University’s Information Security and Privacy policy. We will keep you informed via the newsletter and by email.

Information can be found about Information Security and Privacy policy on the website .

Marcel Beijer – head ICT

Arthur Gieles – secretary Executive Board