You should immediately report this to email@example.com. Specify whether the hard disk was encrypted and whether the device was properly password protected.
For more information on how the UT handles data breaches, please see our procedure for handling data breaches.
When personal data is pseudonymized, you secure the data in such a way that it is no longer directly traceable to an individual. Certain elements of the personal data may be deleted, or the data can be coded, in which case the key is stored in a separate location. Pseudonymization is a security measure. Pseudonymized personal data is still personal data: it may no longer be directly traceable, but with the pseudonymized data you can still indirectly identify an individual. Therefore, you have to comply with the GDPR.
When personal data is anonymized, it can no longer be traced back to an individual, even if you had additional data. In this case, the data is no longer personal data and the GDPR does not apply.
IMPORTANT NOTE: anonymizing personal data is itself a way of processing personal data; until the moment the data is fully anonymized, it is still personal data. Only after anonymization does the GDPR no longer apply.
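The difference described above, as an added illustration that is not part of the UT procedure: pseudonymization replaces direct identifiers with a keyed code and keeps the key table separately (so the data can still be linked back and stays personal data), whereas anonymization deletes and coarsens the identifying fields so that no key exists to reverse it. The records, field names and secret are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org", "age": 34, "dept": "EEMCS"},
    {"name": "B. Sample", "email": "b.sample@example.org", "age": 52, "dept": "BMS"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, secret):
    """Replace direct identifiers by a keyed pseudonym.

    Returns (pseudonymized records, key table). The key table maps each
    pseudonym back to the original identifiers and must be stored in a
    separate location from the pseudonymized data. Without the secret and
    the table the pseudonyms cannot be reversed directly, but because the
    table exists the result is still personal data under the GDPR.
    """
    pseudo_records, key_table = [], {}
    for rec in records:
        # A keyed hash (HMAC) over a stable identifier: unlike a plain hash,
        # someone holding only the output cannot recompute it from guesses.
        pseudonym = hmac.new(secret, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        key_table[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo_records.append({"id": pseudonym, **rest})
    return pseudo_records, key_table


def reidentify(pseudo_records, key_table):
    """Join pseudonymized data back to the identifiers using the separately stored key table."""
    return [{**key_table[rec["id"]], **{k: v for k, v in rec.items() if k != "id"}}
            for rec in pseudo_records]


def anonymize(records):
    """Drop direct identifiers and coarsen age into bands; no key is produced, so this cannot be reversed."""
    return [{"age_band": f"{(rec['age'] // 10) * 10}s", "dept": rec["dept"]} for rec in records]
```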
Be careful when anonymizing PDF documents. Drawing tools used to draw a box over sensitive information usually only cover it visually and do not remove it: the boxes are easily removed to reveal the original information. The University advises using Acrobat Pro. Acrobat Pro has Redact tools to remove or redact sensitive images and text. Redacted and removed information will not be retrievable from the saved document.
More information is available on the Adobe site.
The University has agreements with SURFnet for the use of SURFdrive, with Google about the use of G Suite, including Google drive, and with Microsoft for the use of OneDrive for Business. They all comply with the GDPR and can therefore be used for storing data.
The employee can therefore choose from the various solutions, taking into account what the storage will be used for. In all cases, pay attention to how synchronization is handled. All providers offer the possibility to synchronize files with the workplace computer. Therefore, that computer must also be adequately secured, with, at a minimum, encryption of the storage media in and connected to the workplace.
Please note that the above only applies to the G Suite and OneDrive variants for which the university has a contract with Google and Microsoft. If in doubt, do not use it and contact the Service Desk ICT.
You can also use G Suite and OneDrive (the contracted variants) for sharing data with third parties. Keep in mind all other requirements for sharing with people outside of our organisation. If you need help, contact the Service Desk ICT.
We advise against the use of physical media. There is a great risk of losing such media, and losing them constitutes a data breach. Even if the media is encrypted, there is still a chance of a data breach; how much protection the encryption offers depends on the strength of the password.
An additional problem with the use of physical media is that it is not certain whether the other computer it is connected to is safe. If that computer is infected, the media may also become infected, after which the infection is transferred to your computer.
To securely send files to one or more people, we recommend using SURFfilesender. SURFfilesender offers end-to-end encryption and has the possibility to send very large files. Remember to enable encryption when sending a file.
When third parties want to send you a file with personal data, SURFfilesender is also the best choice. If you know the person who wants to send you the data, you can send an invitation via SURFfilesender.