Educational Tooling: Questions related to privacy and security
The workgroup Educational Tooling is working on an overview of all the different tools that are currently being used and which are not all centrally procured and supported. The goal is to give advice on potential privacy and security risks, on how to mitigate them, and/or on which alternative tools can be used.
The list of all collected tools and their first assessment is published here. The workgroup is aiming to update the list weekly.
In these assessments a few criteria are used; see below why they are important, or click on a link to jump straight to a topic.
What is the GDPR and why is it important?
The General Data Protection Regulation is a European law that protects natural persons with regard to the processing of their personal data and the movement of such data. It imposes obligations on organizations that collect and process the personal data of EU citizens or residents. The GDPR is designed to strengthen individuals’ fundamental rights, especially the right to privacy. To guarantee the protection of those rights, the GDPR requires that the collection and processing of personal data be carried out in line with its principles, e.g., safely and securely.
What is personal data?
Personal data is described as all information about an identified or identifiable natural person (the data subject).
A person is considered identifiable if he or she can be identified directly or indirectly based on one or more items of personal data, for example:
- student number,
- name and address,
- email address,
- date of birth.
What is sensitive data?
Sensitive data is a type of data that requires a higher level of protection. Depending on its type, personal data can be regarded as sensitive data. Some personal data, or a combination of data, can be more sensitive in nature and therefore requires specific safeguards. This includes, for example, data relating to children or other vulnerable groups, biometric data and health data.
Sensitive data in Education may include:
- Information regarding an individual’s health, for example a student’s request for special-needs provisions that details a disability or psychological assessments;
- Information regarding political opinions, religious and philosophical beliefs;
- Biometric data, especially where this is used for identification purposes;
- Information relating to vulnerable individuals or groups, such as children.
Why is it important that an application is connected to the Single Sign-On (logging in with your netID) of the TU Delft?
When it is not possible to log in to an external application with a netID, there is a general tendency to use the TU Delft email address and password to create an account for the application. Unfortunately, it is almost impossible to guarantee the security of third-party applications. Using your TU Delft email address and password on an unsafe application may lead to a serious data breach. For example, if a malicious party gets access to your TU Delft email address and password, access to the TU Delft digital infrastructure will be compromised. Your login information might also be sold, used for phishing, or used to spread ransomware.
The benefit of using the TU Delft Single Sign-On is that your login information remains on the TU Delft servers, which is safer. This reduces the risk of misuse, data breaches and hacks.
Why do we need a DPA (Data Processing Agreement) before we can use a tool?
The GDPR requires parties to agree on taking measures to ensure the protection of the personal data they handle. When outsourcing certain data processing activities, organisations must be able to demonstrate that the processing of personal data is carried out in a GDPR-compliant manner. This can be achieved by signing a Data Processing Agreement.
A DPA serves to regulate the particularities of (personal) data collection and processing, i.e., scope and purpose, and the rights and obligations between the parties. For the TU Delft, it is a way of ensuring that the data of all TU Delft employees and students are collected, processed and stored by an external supplier according to the GDPR. By signing a DPA, TU Delft assigns the supplier data handling obligations, including:
- the requirement to comply with the GDPR;
- the application of security and privacy measures according to the TU Delft standards; and
- the implementation of the TU Delft data breach notification procedure.
Why does it matter that data is stored inside the European Union?
Suppliers who store data within the EEA (European Economic Area = EU + Norway, Liechtenstein, Iceland) need to comply with the data storage regulations of the GDPR. Suppliers outside the EEA can only exchange data when their country offers the same level of protection as the GDPR. Not knowing where data are stored increases the risk of uncontrolled distribution of that information to third parties, which might not apply the same privacy and security rules and controls. Handing our sensitive data to a third party without any control over the distribution of those data might increase the likelihood of data breach incidents, which might have an impact on the affected individuals.
A data breach could result, for example, in the accidental disclosure of students’ special-needs requests detailing disability records, psychological assessments and financial information. This is likely to have a significant impact on the students, due to the sensitivity of the data and their confidential information becoming known to others. In addition, these data might be used maliciously. Some of these data breach incidents can have a damaging impact on individuals.
Does it matter when an application collects more data than it needs?
The short answer is yes. The GDPR requires data minimization. This means that a supplier shouldn’t collect more data than it needs to provide its services. Any supplier we sign a DPA (Data Processing Agreement) with will generally provide a description of the data it collects and the purpose of the collection.
Some suppliers (especially those which offer free services) have a business model that relies on collecting all sorts of user data, hence more than required. Some of these data might be sold to other parties or to advertising agencies. Some suppliers may construct user profiles, which may harm individuals or even society (for example, Cambridge Analytica). By applying data minimization, we process personal data according to the GDPR and ensure the protection of TU Delft employees and students.
Encryption: What is it, and why is it important?
Encryption is a way of protecting data against unauthorised or unlawful access or processing. It is one of the appropriate technical measures for securing the processing of personal data. In simple terms, encryption is a mathematical function that encodes data so that it remains hidden from, or inaccessible to, unauthorised users. Encryption is important for protecting information stored on devices (e.g., mobile phones, laptops) and during transmission. Encrypting personal data while it is being transferred effectively protects it against interception.
What are the risks of using self-hosted open source tools?
There are great open source educational tools out there. Someone with some IT skills can easily set up a server and host open source tooling. However, you should be aware that there are some serious risks involved in using self-hosted software:
First, there is no guarantee of uptime for the tool. With self-hosted software, usually a single person hosts and supports the tool. What will happen if this person gets sick, or leaves the TU Delft for another job? What will happen when the tool goes offline and this person has no time to fix it?
Secondly, installing a tool is not so difficult, but supporting the tool and the servers is the tricky part. Is the tool installed in the best possible way? Who will update the tool, and also the servers? Who will monitor whether the tool (or the servers) has security issues? Who will make sure that the data is stored long enough (in some cases seven years) and in a safe and secure way?
Finally, who is responsible if something goes wrong? What will happen when the tool is hacked and there is a data breach? Who needs to act and report to the authority? Who needs to pay the fines?
To sum it all up: there are serious privacy and security risks in using self-hosted tools. If you want to use self-hosted software, make sure you are aware of the risks it may expose you to.