The University of Twente has appointed Privacy Contact Persons (PCPs) in each faculty and service department. The PCPs advise their own unit about privacy and information security and are the first point of contact within their unit. PCPs are thus the link between the DPO team (see below) and University of Twente staff. The PCPs and the DPO team meet regularly to bring each other up to date on policy developments and to initiate actions in order to comply with current legislation. If a faculty does not appoint a PCP, the portfolio holder takes on this role. The PCPs’ main duties are the following:
- supporting the data processing custodian in reporting this to the DPO team;
- acting as adviser, trainer and privacy expert within the unit;
- conducting a Privacy Impact Assessment (PIA) for new data processing;
- being involved with the handling of data breaches and other security incidents.
The law stipulates that a Data Protection Officer (DPO) must be appointed to protect personal information. At the University of Twente this role is carried out by a multidisciplinary team of Data Protection Officers, known as the DPO team. The team of data protection officers supervises the application of and compliance with privacy legislation in the entire organization. The DPO team’s duties include the following:
- issuing advice and information to responsible managers and processors about privacy obligations and processing personal information;
- monitoring data processing within the University of Twente to ensure it meets the statutory requirements;
- advising staff, research scientists and students on any questions about privacy;
- dealing with complaints about the use of personal data;
- monitoring the reports on privacy violations and reporting these where necessary to the Dutch Data Protection Authority and to the parties involved.
The Information Security Officer (ISO) is part of University Information Management (which in turn is part of Strategy & Policy) and functions on a strategic and tactical level. The ISO, together with the Head of Information Management, advises the Executive Board. The ISO formulates the information security policy and assists in translating it correctly to the institutional components. In addition, the ISO monitors uniform compliance with the policy and reports on gaps, inconsistencies and shortcomings.
The IT Security Manager is part of LISA and plays an important role in translating the strategy and policies into tactical (and operational) plans. He does this in consultation with the Information Security Officer.
The IT Security Manager is the coordinator of CERT-UT. He also advises on specific information security measures in projects, varying from standing projects to acquisitions of, for example, software or hardware. Every quarter a management report is drawn up for the LISA Management team, the Information Security Officer, the Head of Information Management and the Executive Board.
In addition, the IT Security Manager is the point of contact for HR when conducting crisis exercises at the UT if they contain an IT component.
The Computer Emergency Response Team of the University (CERT-UT) consists of IT professionals from LISA. They investigate all reports in the field of computer security and privacy and engage the necessary (technical) specialists to resolve the incident. When a report has a privacy aspect, CERT-UT works directly with the DPO team. Incidents relating to employees' workplaces or devices are relayed to the LISA ICT Service Desk. For reports about workplaces or devices of students, CERT-UT contacts the SNT helpdesk.
CERT-UT also maintains contacts with teams from other educational institutions and with SURFcert, SURF's overarching, coordinating team.
The ICT Service Desk is part of LISA and is the first point of contact for incidents that are not related to security or privacy. If an incident reported to the ICT Service Desk turns out to have a security or privacy component, the Service Desk will contact CERT-UT.