Can I use a private device to send and receive e-mail relating to the University of Twente?
Short answer (explanation below): Yes, but the device must be properly secured. It must be properly password protected, it should not be shared with others and your laptop’s hard disk must be encrypted.
Explanation: Most mail clients store mail, temporarily or not, on your laptop or phone. A password, or pin code, is the first protection if someone steals your device or it gets lost.
If you do not encrypt your hard drive, criminals can still access your data. They can remove the disk from your laptop and connect it to another system. If that disk is encrypted, the data is still inaccessible.
All modern phones encrypt internal storage. With a pin code or password, that data is therefore safe.
If you work with flash drives, we also recommend encrypting them. You lose them more easily than a laptop or phone, and it can also contain sensitive information. LISA recommends Kingston encrypted USB drives or, if you need more storage, the Samsung Portable SSD T3.
What should I do if I lose my device containing personal details of the University of Twente (through loss or theft)?
You should immediately report this to email@example.com. Specify whether the hard disk was encrypted and whether the device was properly password protected.
What is the difference between anonymization and pseudonymization?
When personal data is pseudonymized, you secure the data in a way that the data is no longer directly retraceable to an individual. Certain elements from the personal data may be deleted or the data can be coded, in which case the key can be stored in another location. Pseudonymization is a security measure. When personal data is pseudonymized, they are still personal data. The data may no longer be directly retraceable, but indirectly you can still identify an individual with the pseudonymized data. Therefore, you have to comply with the GDPR.
When personal data is anonymized, you can no longer trace back to an individual, even in case you would have additional data. In this case, the data are no longer personal data and the GDPR does not apply.
IMPORTANT NOTE: the anonymizing of personal data is a way of processing personal data; until the moment the data is fully anonymized, it still is personal data. Only after anonymizing, the GDPR no longer applies.
How can I anonymize PDF documents?
Be careful when anonymizing PDF documents. Drawing tools, used to draw a box over the sensitive information, don't usually hide the information. These boxes are easily removed to reveal the original information. The University advises to use Acrobat Pro. Acrobat Pro has the Redact tools to remove or redact sensitive images and text. Redacted and removed information will not be retrievable in the saved document.
More information is available on the Adobe site.