Privacy: personal data

FAQ: GDPR and education

GDPR and education: frequently asked questions


Can I use a private device to send and receive e-mail relating to the University of Twente?

Yes, but the device must be properly secured. It must be properly password protected, it should not be shared with others and your laptop’s hard disk must be encrypted.

What should I do if I lose my device containing personal details of the University of Twente (through loss or theft)?

You should immediately report this to Specify whether the hard disk was encrypted and whether the device was properly password protected.

Do students have to grant permission for registration of their data?

No. As long as the registration is limited to the data necessary for the purpose for which the University of Twente was provided with that data (enrolment and education), no specific permission is required. If data is used for another purpose, explicit prior permission is required.

How can/should documents be dealt with during education evaluations?

Explanatory notes:
The Programme Committee deals with the education evaluations, a process that may involve serious (but always respectful) discussion about a specific education component. Within the university community, a link to a certain teacher can easily be made.
Students also want to share the information with other students/future students and include the reports on information carriers not managed by the university.

Try to work with aggregated data as much as possible.
Agree in advance with all those involved about the confidentiality of the documents.

Are there guidelines for students who carry out surveys within the framework of research?

Explanatory notes:
Sometimes students carry out a survey as part of their graduation assignment without having implemented the education methodology.

The supervisor is responsible for making sure students comply with the privacy policy.

More information is available on the Cyber Safety website, under Privacy, including the Privacy Rules Guideline.

What is the position of a student assistant?

Explanatory notes:
Student assistants complete all kinds of assignments as ‘temps’. Sometimes they check interim examinations because they have specific expertise.

Students who are hired as student assistants, who work through UT Flex or who are granted a temporary contract are comparable to an employee of the University of Twente and are covered by the collective labour agreement. The codes of conduct of the University of Twente also apply to them. It is not a problem if they come into contact with personal details, but they are expected to deal with such information in a professional manner. Student assistants should be given instructions to ensure they know what is expected of them when carrying out the assignment.

Can I, from BOZ, provide a list of addresses of parents of students to the study association for the purpose of sending an invitation for 'parent’s day' for the relevant study program?

Yes that is allowed. Organizing a parent's day is an extension of the activities that are organized from the study program around education. We assume that the study association in this service supports the study program. Requesting permission from the parents of students would require disproportionate efforts in relation to the importance of sharing their data. The impact on the privacy of the parents is very small. The data must be protected. The study association may not store the relevant data for longer than necessary for the organization of the parent's day and may not use it for other purposes.


How should paper files (paper application forms) be dealt with?

Take a critical look at the documents to determine which ones should be kept and store these in JOIN. The paper forms need not be archived and can be destroyed.

Student guidance

May I communicate with colleagues of the University of Twente within the chain to discuss student guidance?

Do so only if necessary and only share information that is relevant.
Information exchange with those involved within the chain is part of talks with students. Be transparent about the communication with others. Medical data may never be exchanged, unless the student has given express permission.

May I communicate with third parties or colleagues of the University of Twente outside of the chain to discuss student guidance?

If the communication is anonymous, this is allowed.
If the communication cannot be anonymized, the student’s permission is required. When the student is younger than 16, his/her parents must give their consent.

How do we deal with medical certificates and diagnostic reports within the framework of student guidance? Hoe can we register proof of circumstances?

Medical certificates and diagnostic reports may be viewed but never copied or stored in OSIRIS. The viewed information is only registered when necessary, using a PO coding system.
If the contents of the medical certificates or diagnostic reports are essential to student guidance, it can be stored in OSIRIS following the student’s express permission. Only designated and authorized persons may then have access to it.
Medical certificates may be assessed by designated persons. They can document their consent on the checked certificates without storing the documents themselves.

How should I deal with personal notes of other people?

Personal notes (or work notes) are not covered by the General Data Protection Regulation. You may never share personal notes with others. The person involved is not entitled to inspect these personal notes.

How should I deal with notes in OSIRIS?

Notes in OSIRIS are shared with colleagues within SACC and are therefore not personal notes. The person involved is entitled to inspect these notes.
In OSIRIS you can specify who can consult these notes; keep access as limited as possible.

How should I deal with personal details in the ‘Planzelf’ tool?

Access within ‘Planzelf’ is limited to the planners themselves. The appointment will be adopted in the Outlook agenda of the Study Advisor in question. The Study Advisor should therefore limit access to his/her agenda to only those employees who have a need to know on the basis of their position. Only data necessary for the appointment should be obtained.

Study progress

May Excel files containing study progress data be shared?

Internal: summary lists may be shared within the University of Twente through e-mail where necessary to pursue education or to make the necessary arrangements. Key consideration: the retention period of data in the e-mail should be no longer than necessary.

External: study progress data may not be shared with third parties (outside of the University of Twente) without the students’ permission.

May grant/exchange providers receive course results of students where continuation of the grant/exchange is concerned?

Yes, this permission is included in the grant provider’s contract.

What information can/cannot be shared among teachers?

Explanatory notes:
Example: a teacher has a graduation assignment and is looking for a student who is a good communicator, who can hold his/her own in a complex organization or who has gotten high marks for a subject that is essential to the graduation assignment.
Another example: teachers must determine who has/has not passed a module. Guidelines apply, but it may be necessary to share information in cases of doubt.

Information related to the purpose of registration of that information may be shared among teachers. Where the examples are concerned, looking for a student who ‘matches’ a graduation assignment fits that purpose, as does sharing information about a student’s results. Exchanging (relevant!) information in cases of doubt is not a problem because that is necessary to provide good education, proper student support and a high-level certificate.
But as always: be transparent, be careful and only exchange necessary personal details.

How should personal details on websites be dealt with?

Explanatory notes:
The university makes some websites – such as the portfolio website – available to students where everyone can see everything.

Personal details may not be included on a website, unless the person involved has given prior permission.

How should we deal with personal details in peer-to-peer reviews of students?

Peer-to-peer review is an accepted teaching method and will remain available under the General Data Protection Regulation. However, make sure that the exchanged personal details have a clear purpose and are necessary for the review. You should therefore provide as little data as possible and be transparent (up front) about this method and the data concerned.

May a teacher post a list of student numbers and interim test results on Blackboard/Canvas?

Explanatory notes:
Not all information is provided through the official student administration; interim tests of module components cannot be included in OSIRIS.

No, publication of these types of lists is never allowed and the information may not be posted on Blackboard/Canvas.
Anyone with a University of Twente account could determine the owner of an s number within seconds. Use the Grading Center instead.

If your question is not in the FAQ, please contact the Data Protection Officers team (