Privacy Statement – UT Learning Management System
Version 1.6, last update: 19 October 2018
The UT Learning Management System (LMS) is provided for free by the University of Twente (also referred to as UT, we/us/our). The LMS facilitates and enriches UT educational processes, allows you to co-operate and communicate with other users and to access and share (course) content. The LMS is designed to make teaching and/or learning easier for you. You can read more about your rights and obligations with regard to your use of the LMS in our Acceptable Use Policy.
When you make use of our LMS, we will process various personal data of you. UT is the data controller for the processing of your personal data under the applicable Dutch data protection law.
This Privacy Statement applies to all users of the LMS and informs you on our privacy practices and security measures concerning the personal data we may collect from you when you make use of the LMS. This Privacy Statement does not see to the processing of personal data that is not related to your use of the LMS. We may change this Privacy Statement from time to time.
1.1. Your personal data is any data that is directly or indirectly attributable to you. The personal data we collect from you when you register and use the LMS is used for the basic working of Canvas, but is also used for product development and security of the environment (including fraud detection).
For the basic working of Canvas and safeguarding of the environment we collect your name, e-mail address, unique identification number (UT ‘ICT-account’ number), IP address, browser details, and any information included in your communication with us or uploaded by you through the LMS (including but not limited to inquiries and input on the discussion forum and documents provided).
In Canvas it is optional to add multiple mail addresses, title(s), gender, phone number or other information or links which you are able to add and remove in your own Canvas profile. It is not necessary to add this information in your Canvas profile for a proper working of Canvas, but it can improve your communication experience with other UT Canvas user
1.3 Your personal data in Canvas will not be used for automatic decision making (study-performance) purposes. All final decisions will be made by a person.
1.4 For product development purposes we also collect Canvas search history, Canvas click patterns and logging information which is anonymous and can’t never be connected to a person.
2.1. UT and Instructure (supplier of Canvas) will only process your personal data, as described in paragraph 1, for the basic working of Canvas and security of the environment in the context of the use of the LMS, more specifically for the following purposes:
- Access control and safeguarding of your account and the Canvas environment, including fraud detection.
- Enabling you to use the features and services of the LMS;
- For maintaining contact with you in relation to your use of the LMS and - if you are a student - for your course program with UT;
- For the handling of your requests reported via Canvas or the app, any complaints or disputes, and the investigation in this respect;
- For performance of audits;
- To meet with our statutory obligations.
We don’t use your personal data to follow you as an individual.
3.1. Your personal data may be accessed by our employees or other persons engaged on our behalf on a need-to-know basis only, such as lecturers, study counsellors, policy makers and administrative personnel. Also, you may make certain information available within the LMS and for certain participants, for example by participating in group discussions. Next to that, we may also instruct trusted third parties to perform services in respect of processing your personal data on our behalf. With such service providers we have concluded data processing agreements in order to secure the processing of your personal data.
3.2. As one of our data processors, we have involved Instructure Global LTD, located in London, United Kingdom, being the hosting provider of the LMS. As Instructure is also located outside the European Economic Area (EEA), in Salt Lake City, Utah, United States of America, we have not only concluded a data processing agreement with Instructure, but also a data transfer agreement based on the Standard Contractual Clauses (controller / processor) validated by the European Commission, to safeguard the transfer of your personal data to Instructure. For the delivery of the LMS, Instructure may involve its affiliates or third parties as sub-data processors in accordance with the data processing agreement that has been concluded between UT and Instructure. These subcontractors also have to process your personal data under the same data processing agreement and Standard Contractual Clauses as Instructure and may only use your personal data for the service they deliver to Canvas.
Permitted Key Subcontractor
Description of Key Subcontract
AWS is Contractor’s data hosting and storage provider. The objective of this subprocessing/subcontracting is the performance of the Services pursuant to the Agreement or in connection with instructions from the Client (UT), the extent of which is determined and controlled by the Client (UT) in its sole discretion. This uses S3 in their EU (Ireland) Region. ISO 27001.
(Redwood City, USA)
Box provides a third-party integrated tool (Crocodoc) that enables document preview (mainly for ‘.pdfs’) within the Service. The objective of this subprocessing/subcontracting is the performance of the Services pursuant to the Agreement or in connection with instructions from the Client (UT), the extent of which is determined and controlled by the Client (UT)in its sole discretion.
(San Francisco, USA)
Twilio is a provider of cloud based telephony and messaging services. The objective of this subprocessing/subcontracting is the performance of the Services pursuant to the Agreement or in connection with instructions from the Client (UT), the extent of which is determined and controlled by the Client (UT) in its sole discretion.
3.3. When you make use of our external plug-ins or social media buttons within the LMS environment, your personal data may be shared with the respective provider of such plug- in. You may find an overview of possible plug-in providers here. Please note that the plug- in providers may process your personal data for their own purposes and may therefore qualify as data controllers. Neither UT nor Instructure is responsible for the data processing activities carried out by these parties when acting as a data controller. We advise you to check out their respective privacy policies.
Currently installed Canvas plug-ins on the UT Canvas instance are:
- YouTube (no personal data is transmitted, only a search option to embed YouTube video’s)
- Vimeo (no personal data is transmitted, only a search option to embed Vimeo video’s)
- MyTimeTable (Internal UT, and only available in Canvas if you already use the MyTimeTable application at the UT)
- Urkund (plagiarism detection, the UT has a processor agreement with Urkund)
- Google Drive (only available if you login with your personal Google drive account and the terms you accepted by creating this account)
- Office 365 (only available if you login with your personal Office 365 account and the terms you accepted by creating this account)
4.1. Appropriate technical and organizational measures to secure Personal Data against loss or any form of unlawful processing are taken. Taking into account the state of the art and the costs of the implementation, these measures guarantee an appropriate security level given the risks associated with Processing and the nature of the Personal Data to be protected. The measures are, in part, aimed at preventing unnecessary collection and further Processing. The Processor shall record the measures in writing and shall ensure that the security as referred to in this paragraph meets with the security requirements under the Personal Data Protection Act.
5.1. We will process your personal data for as long as this is necessary for the purposes as stated in this Privacy Statement. Once you will no longer be connected to the UT, either as a student or as a lecturer, student counsellor or policy maker, we may retain your personal up to two years in accordance with the applicable data protection laws, unless you have submitted a reasonable and valid request to delete your personal data.
6.1. If you have any questions on the processing and protection of your personal data, please contact us. You also have the right to do a request to review, correct or change any personal data we may process of you. If you want to make use of this right, please contact us using the following contact details:
University of Twente
Attn: Functionaris van de Gegevensbescherming
P.O. Box 217
7500 AE Enschede
6.2 File a complaint
If you are not satisfied with the way we handle your personal data and you do not agree with the Data Protection Officer, you can file a complaint to the supervisory authority. This is the Dutch Data Protection Supervisor (in Dutch: Autoriteit Persoonsgegevens). On the website http://www.autoriteitpersoonsgegevens.nl you can find how to submit a complaint.