Photo | Shutterstock

GDPR comes half a year too soon for TU/e

TU/e will not make the deadline for having everything ready by Friday May 25, when the General Data Protection Regulation (GDPR) comes into force. The university has been making preparations for the new privacy legislation for the past eighteen months or so. And even though considerable work has been done, it will probably be November before anyone can sit back and relax.


“We have a good idea of 80 to 90 percent of what needs to happen,” says Martin Romijn, Chief Information Security and Privacy Officer at TU/e. “But to get beyond 95 percent, we'll need more time. And it will never be entirely finished anyway because this is an ongoing process.”

Romijn mentions various causes. “It is all very complex. In addition, we have been basing our efforts in part on information received from SURF (the ICT cooperative organization for education and research in the Netherlands, ed.) and we received a revised version of their documentation in March. Moreover, the internal processes at TU/e aren't always that fast.” Romijn, who is in regular contact with other universities, has the impression that TU/e is not lagging far behind its fellow institutions.

Data steward

TU/e has established two pathways, Romijn explains, one in the field of research, and the other on the business side and in education. “From now on, a privacy impact analysis will be made of every research study and the end-responsibility for this rests with the professors. We have also created a new position, namely that of the data steward. This person will help researchers learn new ways of handling data, not just in relation to privacy but more broadly. Think of issues like where and how you archive personal data, how long you can archive it for, and the options for its reuse.”

Two ethics committees will also be set up, says Romijn. One will focus on medical matters and one will concern itself with non-medical matters. It will be up to researchers to judge whether their research proposal should be seen by an ethics committee, because grant providers will sometimes ask for the committee's assessment.

Awareness

In the field of business operations and education, persons with data responsibility have been appointed. They carry full responsibility for what is done with data. Romijn gives an illustration: “Imagine an HR director who must make sure it is clear how long job applications can be stored.” This list of responsible persons will be posted online.

To identify all those who are involved, the Privacy steering group has created various categories of visitors. Romijn: “Think of prospective students, alumni, people doing sports, and campus visitors. How do you handle camera surveillance data and what do you do with the loan data held at the library? It is all about making clear what happens with the information and communicating that clearly.”

The awareness is there, says Romijn, “and it is clear what needs to happen with these groups, but the communication about this is still ongoing. And some practical questions are still unanswered. An interesting group, for example, is the secretaries because all their job descriptions differ.”

In the ICT field too, some things still need to be done; various suppliers, for example, still need to deliver new versions of software. At any rate, by this coming Friday, confirms Romijn, the authorizations for the largest and most important TU/e systems will have been checked.

A TU/e-wide general privacy document will be in the hands of the Executive Board next week, and will soon be submitted to the University Council. And TU/e is being required to appoint a data protection officer who will have a TU/e-wide role carrying out inspections and checking on progress.

The new privacy legislation has other consequences too. At the end of May, for example, the results of the National Student Survey (NSE) were supposed to be released, but this has been postponed by a month.
