It became clear yesterday that much remains unclear about the data breach at TU/e that affected thousands of people. In the first instance, TU/e refers those affected to a FAQ, which contains some information that may be relevant to the community as a whole. It shows that the breach was reported to the Dutch Data Protection Authority, as the law requires. However, it remains unclear when the breach was reported. Under the law, this must be done within 72 hours of the breach being discovered. A failure to do so could result in a fine.
TU/e’s FAQ states that ID-Ware requires the private email addresses of TU/e staff members and students in order to ‘get in touch in case of incidents or questions.’ The question remains why the company can’t simply contact TU/e directly with such questions. After all, the card itself states that finders are requested to return misplaced cards to TU/e. It also states that in case of an emergency, people should contact TU/e’s security desk, not ID-Ware. Another question answered in the FAQ is why ID-Ware requires a campus card holder’s home address: in order to send the card to the staff member or student. Executive Board vice-president Nicole Ummelen has the following to say about this: “Students and staff members need their card on their first day here at TU/e. That’s why we submit a request well in advance, so that there’s enough time to create and send these cards. We provide ID-Ware with some information, including people’s private email address, which the company needs in order to communicate with cardholders. We send the card to people’s home address, so that students and staff members receive their cards well in advance of their first day on campus. That is why we share this information with ID-Ware.”
Place of birth
The FAQ does not say why place of birth is required information for a campus card. This question too was put to TU/e and ID-Ware. Ummelen acknowledges that it raises questions. “It’s true that place of birth may raise a few eyebrows. The independent regulatory authority has launched an investigation into the data breach, in collaboration with TU/e. It will not only look into every category of personal data of campus card holders that ID-Ware has access to, but it will also assess how necessary and reasonable it is to process and store this information. This specific bit of information, place of birth, will be taken into account too. The regulatory authority will issue a set of recommendations.”
An organization that collects and processes personal data needs to have a good reason for doing so. That reason must be properly substantiated, in this case in a so-called processing agreement, since ID-Ware is a third party that processes data of staff members and students at TU/e. Cursor wanted to know how the need for each category of cardholders’ personal data was substantiated in the processing agreement signed with ID-Ware. The FAQ contains the following passage on this topic: ‘TU/e is currently investigating every category of personal data of card holders that has been submitted to ID-Ware, as well as the necessity and reasonability for processing and storing this data. Next, TU/e will, where necessary, take measures to ensure that only data that is strictly necessary for creating, sending and managing the campus card will be processed, and that personal data will not be stored longer than necessary.’ A processing agreement is meant to settle these matters in advance. Cursor also asked whether such an agreement with ID-Ware had been signed, as is required by law. Vice-president Ummelen’s answer to that question was ‘yes, such an agreement with ID-Ware exists.’ She also says that the necessity and reasonability for processing the different categories of personal data have been subjected to judicial review in said agreement between TU/e and ID-Ware.
So far, ID-Ware has not responded to any of Cursor’s questions.