Privacy concerns information about people. This includes any information that can be traced back to a person. The protection of privacy is aimed at securing personal information and protecting the private life of individuals. The persons in question here are all parties connected in some way to the University of Twente. That includes staff, students, guests, visitors and external relations (hired/outsourced) but also people whose personal information is processed by the University of Twente, such as participants in scientific research.
Privacy is a distinct component of information security because personal information is always highly confidential. For that reason, specific requirements and obligations have been laid down to protect personal information above and beyond those for other forms of information.
The law stipulates that a Data Protection Officer (DPO) must be appointed to protect personal information. At the University of Twente this role is carried out by a multidisciplinary team of Data Protection Officers, known as the DPO team. The team of data protection officers supervises the application of and compliance with privacy legislation in the entire organization. The DPO team’s duties include the following:
- issuing advice and information to responsible managers and processors about privacy obligations and processing personal information;
- monitoring data processing within the University of Twente to ensure it meets the statutory requirements;
- advising staff, research scientists and students on any questions about privacy;
- dealing with complaints about the use of personal data;
- monitoring the reports on privacy violations and reporting these where necessary to the Dutch Data Protection Authority and to the parties involved.
The University of Twente has appointed Privacy Contact Persons (PCPs) in each faculty and service department. They support the DPO team in their duties. The PCPs advise their own unit about privacy and information security and are the first point of contact within their unit. PCPs thus are the link between the DPO team and University of Twente staff. The PCPs and the DPO team meet regularly to bring each other up to date on policy developments and to initiate actions in order to comply with current legislation. If a faculty does not appoint a PCP, the portfolio holder takes on this role. The PCPs’ main duties are the following:
- supporting the processing custodian in reporting data processing to the DPO team;
- acting as adviser, trainer and privacy expert within the unit;
- conducting a Privacy Impact Assessment (PIA) for new data processing;
- being involved with the handling of data breaches and other security incidents.
All data registrations of personal information must be recorded across the University of Twente. These registrations (systems, forms) are referred to as ‘processing’. The responsible custodian must report the processing to the DPO team. Processing in the course of scientific research also falls under this obligation. In that case, the research scientist is the processing custodian.
The DPO team draws up a processing overview. The PCP of the faculty or service department can assist with processing registration. A registration tool is available to make it easier for the custodian to comply with the statutory requirements set for this purpose.