"Privacy awareness continues to be important in personal data protection"
As a data protection officer at Tilburg University, it is Moswa Herregodts’ job to take care of privacy matters with respect to students, staff, and third parties. It is a job that is growing in scope and importance, especially since digitalization has become one of Tilburg University’s strategic spearheads. Moswa: “The more everyone is aware of the importance of privacy, the better we will be able to do the right things to protect our data.”
Moswa monitors online and offline privacy within the university. He also monitors compliance with EU privacy laws and the policy rules of the Dutch Data Protection Authority relating to the handling of the personal data of students, staff, and other stakeholders. He studies issues, conducts consultations, gives advice, sets things in motion, answers questions, and raises (more) awareness.
Online privacy can be about big as well as about little things. Moswa illustrates this with an example. “A few years ago, a mother and son turned up here on campus. They had just flown in that day and wanted to surprise the daughter/sister with a visit. However, they couldn’t remember the address. This information was shared with the best of intentions. An hour later the daughter called us in a panic: it was an extremely unwelcome visit. It was a potential honor-based violence case. The daughter had to be moved to a safe place immediately. Things turned out alright, but it only goes to show that a small, kind gesture can have an unforeseen impact.”
Online privacy can be about big as well as about little things.
Moswa works in a team that is involved in all aspects of privacy and security, the protection of which is a major priority to us as a university. A driver of innovation, we cannot imagine our lives without digitalization. Care in handling the enormous amounts of data available to us is therefore crucial.
“Within an educational institution like Tilburg University, huge amounts of data are collected, increasingly online,” Moswa explains. “It is about personal data, which often constitutes sensitive information. This information must be handled carefully and securely to protect the privacy of the people involved. With so much data to take care of, it is a challenge to keep a good overview: where do you store what data? Better overview provides better control. Another challenge is posed by the document retention periods, which means that non-essential data are removed from our systems in time and in the correct, safe way.”
It is about personal data, which often constitutes sensitive information. This information must be handled carefully and securely to protect the privacy of the people involved.
Script kiddies and professional hackers
Securely processing and protecting data is becoming more and more important, Moswa states. “We increasingly see that non-experts, ranging from ‘script kiddies’, i.e., youngsters with little or no technical expertise using existing automated tools or scripts to launch attacks on computer systems or networks, to criminal organizations try to capture our data. Almost on a daily basis. We are not the only target, mind you. All kinds of organizations are attacked, but fortunately we are well prepared. To that end, we work together with professional partners. It is no use if you carefully process personal data unless your systems, networks, and applications are adequately protected against digital attacks. No privacy without security.”
At the beginning of 2020, during the Covid crisis, Tilburg University was one of the first three universities in the Netherlands to introduce online proctoring for online tests, Moswa recalls. “The application signaled unusual behavior. If the system gave multiple signals, the proctor afterwards watched the relevant intervals to check for any irregularities. This raised questions and objections. ‘What about our privacy?’ students asked. Beforehand, we had checked all processes, conducted risk assessments, made proper arrangements with the supplier, and made the necessary data security arrangements, so we thought we had everything under control.”
“In hindsight, we should have involved students much earlier in the process,” Moswa recalls, “we should have given them more information right from the start. That was a useful lesson. When the questions started coming in, we immediately invited a delegation of students, sat down with them, and explained in an open and transparent way what we were doing, why we were doing it, and how we were taking care of their privacy. In the end, we even received a compliment about our approach from the Dutch Data Protection Authority!”
There are many developments in the field of online privacy, Moswa states. “Artificial Intelligence is on a steep development curve; it will affect everyone’s lives. It offers opportunities but also poses risks. For instance, what happens with the data you feed into tools like ChatGPT and DeepL? According to the terms and conditions of the free applications, all your input is used for Machine Learning. But what exactly does that mean? The Dutch Data Protection Authority will publish rules and guidelines in this context very soon.”
According to the terms and conditions of free applications like ChatGPT and DeepL, all your input is used for Machine Learning. But what exactly does that mean?
In Moswa’s experience, there is growing awareness in the field of online privacy. “Privacy is a very topical issue, increasingly so. Students and staff themselves are increasingly impacted by it and they are more aware of the risks and dangers if things go wrong. The more people are aware, at all levels of the organization, the better we will be able to do the right things to carefully process and protect our data. We will continue to work to further increase that awareness.”
Online privacy - three tips from Moswa
- Use different passwords for all your accounts; the more complicated the better. You do not need to remember them all: store passwords in a safe password manager, for instance, Keeper. You can use this application, that has been purchased by the university, free of charge.
- Mind what you share with free online tools like DeepL or ChatGPT, as all your data will be stored for Machine Learning purposes, from sensitive documents that you want DeepL to translate to personal data in an e-mail that you want ChatGPT to compose. So never share any personal data in these kinds of free tools or only use the safer (free) tools made available by the university. We have made good arrangements with these suppliers.
- Is your data processing subject to the GDPR? Please do not perceive this as a limitation, but as a careful and safe help in gathering, processing, or storing personal data.
Safely handling personal and other data is something we do together... Be your own hero!
Written by: Hilde Gilissen
Photos: Simone Michielsen