Collecting, storing and using data on students

What is allowed and what is not?

Photo: Anne Reinke

What kind of things does the university know about you and what is it not allowed to know? Students are increasingly asking questions about what information and data on them the university collects, stores and shares. WUR is serious about Data invited Fernando, a student, to grill privacy officer Tim van Loon.

Fernando Gabriel (25) comes from Mexico and is doing a Master’s in Biosystems Engineering. As he is specialising in Information Technology, he has a good idea of where the limits are in terms of data collection. That is why he would like to know what the university does with the data that is collected on students. Tim van Loon (39) is a privacy officer for Education & Student Affairs (ESA), among others, and he advises the university on how to deal with privacy issues. He constantly has to weigh up the ethical considerations against the rules, and he knows the challenges that parties within and outside the organisation face when collecting, storing and processing data.

Fernando Gabriel Biosystems Engineering student

Fernando: As an agricultural university, WUR has a tradition of working closely with the private sector. How can I be sure as a student that my data won’t be sold to those companies?

Tim: “What matters here are the ethical considerations and what the legislation and regulations such as the GDPR say. Both factors essentially mean that within WUR there can be absolutely no question of sharing personal data with a third party without the student’s express permission. The university is transparent about that. Of course, there are always grey areas, and those end up with me. Recently, a municipality located close to the university wanted to compare the data in its population register against the data on students enrolled at WUR. However understandable the request, I recommended rejecting it as we don’t simply share data if there are no legal grounds for doing so and no agreements have been made about such data sharing.”

Fernando: How independent is the university in these decisions? Isn’t there a hierarchical situation where at some point you have to hand over the data?

Tim: “No, our framework is the legislation and regulations. You need a legal basis on which to request and share that data. Or you need a clear-cut, explicit statement of consent from the student or member of staff — and not in the form of a cookie statement where people often click ‘yes’ without thinking. If data is going to be shared, the parties involved must make clear agreements. In this particular case, I thought there was no legal basis, and that this was also a matter between the students and the municipality; WUR is not involved as a party.”

Tim van Loon Privacy officer

Photo: Anne Reinke

Fernando: What will the university do with my data after I have graduated?

Tim: “We only keep data that is relevant for future purposes. For example, if you start work somewhere, you may have to prove your degree qualification is valid. So we always keep that data. All the non-essential personal data is deleted within the stipulated deadlines. There are overarching guidelines for this that have been agreed with all the Dutch universities. “The retention period for information about exams is much shorter, as is the period for information about payments. There are extra safeguards for medical data and data on race and ethnicity. That kind of data is not recorded unless (for example) a student gets help from a student psychologist, but even then only certain people are allowed access to the data. And if you take the example of the passport copy that we use for identification, we are legally allowed to record it but we have to do so as securely as possible. In the past, the approach to storing personal data was very different. Then people had no troubling noting down: has dyslexia and therefore needs extra time for exams. Now we only record the fact that someone needs extra time in such cases. “The days when everyone saved as much data as possible for as long as possible are long gone, thank goodness. You can see that too with Big Tech companies like Twitter and Facebook. WUR is doing a lot on privacy protection: across the university, 14 people work on this topic plus one independent Data Protection Officer.”

Fernando: But data about me is still stored while I’m at the university, isn’t it? And data that’s stored can be analysed too. That means there is an opportunity to manipulate the data. How do you prevent that?

Tim: “There is certainly a risk that more is done with the data than you would wish from a privacy perspective. The volume of data about students’ studies has increased immensely since education moved entirely online due to the coronavirus crisis. That starts before people even begin their degree. Take the open days, which have been entirely online since the Covid outbreak last year. You want to monitor whether secondary school pupils who are interested in our university were helped in the right way. You also inevitably collect data when they are searching for the right degree programme. Do you use that data just to help people or also for your own objectives to fill up degree programmes that still have room for more students? It is easier to steer that process in online open days than offline. We want to analyse thoroughly how this works and this is an issue we are very alert to. “In other areas too, the coronavirus crisis has created privacy issues. Examples are how we deal with MS Teams, class recordings or remote proctoring where students are monitored online to make sure they don’t cheat in their exams. This tool is only permitted for that specific purpose, but other things are inevitably recorded at the same time that are not directly related to the exam. How should you deal with that appropriately? For example, does it matter if someone has a bong in the corner of their room, or a poster of a particular political party? You are not allowed to record anything about that. But other things were noted in the past year where you might wonder whether you could or should take action for student welfare reasons. That is a slippery slope. Let’s say you see someone who might be at risk — at what point should or shouldn’t you do something about it?”

Need to know or nice to have? The privacy officers draw the line at nice to have

Photo: Anne Reinke

Fernando: I find privacy during proctoring a really important issue. I don’t like the thought of showing strangers my room, let alone being spied upon like that by an external proctoring company. But I think there will always be extreme cases where the university really has to intervene, for example if someone’s life is in danger.”

Tim: “The digitalisation of education is a disruptive force in all respects and will give rise to many questions in the years to come. We are on the lookout for these issues as privacy officers.”

Fernando: When it comes to deep learning techniques and artificial intelligence in particular, the question is what information still belongs to you.

Tim: “The university is only allowed to store data that we need to help you with your degree studies. That is why we always have to consider whether it is data we need to know or whether it’s just nice to have. We draw the line at nice to have. I usually give a negative recommendation in those cases.”

Fernando: Students see the university as an authority and an organisation they want to be part of. I wonder whether everyone thinks about what information about themselves they are prepared to give away and what their rights are when they start university. Of course, you can find information if you search online, but it is usually written in legalese. My suggestion would be to use simpler language to explain things.

Tim: “I accept your point about the legalistic language. I think that is mainly because we want to keep to the law and you have to find a balance between clear language and the legal interpretation of certain terms. Our goal is to be more transparent and become better at explaining clearly to students what data we have, what data we use and how we make sure we treat it carefully. This conversation confirms my ideas about this. I’d like to thank you for that.”