In compiling his report, Schellekens – who has since left TU/e – focused on the maturity of data handling at the university. While this is currently below par, he can see progress is being made, as he writes in his foreword of the report (only accessible via intranet). In his report he commends the various actions taken to increase privacy awareness, all of which will hopefully create a culture of privacy. He also notes that the advice of privacy professionals is being sought more frequently, and that the advice given is good. But despite this progress “TU/e's mastery of data and privacy protection still isn't sufficient to enable compliance with the EU's General Data Protection Regulation (GDPR).”

Data leak at ID-Ware

The report also mentions the major data leak that occurred at ID-Ware, the company that produces TU/e campus cards. This incident, in which the personal details of thousands of campus card holders were released into the public domain, illustrates the importance of checking, also with external partners, the necessity of exchanging data in the first place, that this process complies with the GDPR, and that everything is laid down in a data processing agreement. Schellekens: “Although the university handled the data leak correctly, the data processing as agreed between TU/e and ID-Ware was revealed not to comply with the GDPR. The huge scale of the incident was attributable to the immaturity of data protection at TU/e. Much of the data involved should not (or no longer) have been held by the supplier. The data leak illustrates perfectly why TU/e must increase the maturity of its data protection.”

This immaturity, according to Schellekens, can be traced back to the research side of the university. “It's the academic departments that are keeping the organization's general level of maturity substandard, even though plenty of high-risk data-processing activities have been carried out in the research domain. The most significant shortcomings are the lack of oversight of the data being processed, the low awareness of privacy, and the absence of any research-specific privacy policy.”

The data protection officer states that it's essential that TU/e takes action to improve its handling and command of data protection. “If the university is to become a reliable partner in the high-tech innovation ecosystem, and if the fundamental rights and freedoms of students, employees and respondents are to be respected, the situation at the university must improve. The maturity of data protection across the university cannot be raised without improvements being made within the research departments.”

Surfaudit

In response to written questions from the University Council, the Team Privacy Operations announced that TU/e will use the Surfaudit Privacy 3.0 Assessment Framework at the end of 2023 to assess the privacy maturity level of the organization. The model now in use, the CIP model, is a more generic model that can be used by a wide range of organizations, according to the privacy team. 'The CIP model is quite strict and as such not always the best model to use at a university, because maturity levels can vary from one part of the organisation to another. The design does not take into account the complexity and diversity in departments and services,' reads the privacy team's response. The entire privacy team will receive professional training on Surf's Assessment Framework later this year.

Yesterday, the University Council also gave a favorable opinion on the memorandum 'TU/e Privacy and Data Protection Policy' (only in Dutch and only accessible via intranet), which explains how the university intends to raise the privacy maturity level from 1.3 to 3 in the coming years. The aim is to reach the latter level by the end of 2025. According to Robert-Jan Smits, president of the Executive Board, a lot still needs to be done to reach this level 3 and a lot of work will have to be done in the coming years, especially at the departments.