Agreement between TU and police analysed: ‘Opens the door to intrusive data processing’

Why is this agreement in the news?

Last February, Delta discovered an email from 2024 from the TU Delft’s Integral Safety (IV) department to the police. It contained the names of five climate activists from End Fossil. That action group had announced a protest to take place during the Delft Career Days. Before the demonstration took place, IV decided to give their names to the police. According to them, this was necessary for a risk analysis, as protests elsewhere in the country had sometimes led to problems.

In the email that Delta obtained, the names were blacked out. Behind one name was a note stating that it concerned an employee of the ME Faculty. It turned out to be Bob van Vliet, a former columnist for Delta, because he had written columns and had occasionally attended peaceful demonstrations. Amnesty International, the Dutch Data Protection Authority, the Delft branches of GroenLinks and PvdA, the NVJ journalists’ union, and the Higher Education Media Circle all responded with strong criticism.

Is the covenant also under discussion within TU Delft?

Yes, it is. The internal trade unions have asked the Executive Board questions about it on 23 February. On 2 March, the Executive Board stated that the provision of personal data in the End Fossil case in 2024 was incomplete. ‘Agreements on registration and information have not been properly implemented; our working method is therefore not sufficiently verifiable,’ wrote the Executive Board. More on this later.

On 11 and 12 March, the agreement will be discussed again with the Executive Board, this time by the Student Council (SR) and the Works Council (OR) respectively. As far as we know, they will mainly ask informative questions about the content and functioning of the agreement.

Is the agreement not public?

TU Delft has now shared the agreement with the OR. Delta has also received this document, together with an appendix (both in Dutch) Initially, TU Delft claimed that it was a confidential document, but there is no mention of this in the document itself.

Incidentally, everyone could have known that an agreement existed, as it is briefly mentioned in TU Delft’s 2015 annual report (in Dutch), the year in which it was signed. An update followed in November 2020. That is the document that Delta and the OR have received. At the time, it was signed on behalf of the Executive Board by the Integral Safety Manager. On behalf of the police, it was signed by the team leader of the Delft base team.

The appendix, entitled (translatad) ‘Decision on the structural provision of police data to third parties on the basis of Article 20 of the Police Data Act in the context of Safety at TU Delft’, dates from April 2021. It was signed by the Chief Public Prosecutor and the Mayor of Delft, although the latter’s actual signature is missing. As this document concerns how and when the police may share data with TU Delft, and not vice versa, this article will not discuss it further.

What does the agreement contain?

The six-page document describes why TU Delft and the police are collaborating, when and whose personal data they may share, and how the transfer of information works.

Vehicles with registration numbers, details of relevant incidents and camera images

In it, both parties agree that they have ‘an interest in promoting the safety of persons and property and the buildings and grounds of TU Delft, such as in the case of demonstrations and suspicious persons and objects, if and insofar as there is a threat to public order and safety’.

Further on, it states that ‘for both parties, the prevention and detection of criminal offences, the maintenance of public order and safety, the provision of assistance and the supervision of compliance with laws and regulations are central’.

Under the covenant, TU Delft may only share personal data ‘if and insofar as there is a legitimate interest or other basis for disclosure’ and ‘if and insofar as privicay legislation and related laws and regulations do not preclude disclosure’.

The agreement describes four categories of people whose personal data TU Delft may share with the police: TU Delft students, TU Delft employees, visitors/passers-by on TU Delft premises and employees of other parties.

A lot of information can potentially be shared about students, employees and visitors/passers-by: first and last name, date of birth, home or residential address with postcode, contact details such as telephone number, email address, means of transport with registration number, details of relevant incidents and camera images.

What went wrong in 2024?

In its statement of 2 March, the Executive Board wrote that agreements on registration and information were not complied with in 2024 and that the working method was insufficiently verifiable.

Those involved should have been able to object, but knew nothing about it

The agreement gives a general idea of what the Executive Board must have meant. It states that TU Delft should have weighed the interests of the individuals concerned – in this case Bob van Vliet and the four others – in protecting their privacy against the security policy. It also states that those involved must be given the opportunity to object. However, IV did not inform them, which made it impossible for them to do so.

Furthermore, the agreement stipulates that TU Delft must record shared personal data in its ; own internal systems’. It also states that TU Delft and the police are jointly responsible for measuring results, monitoring and controlling activities within the framework of the agreement. However, in its initial response to Delta, IV reported that no overview had been kept.

Is such an agreement common practice?

Amnesty International is not aware of any other universities that have such a covenant, according to Vera Prins, senior policy officer for technology and human rights.

The independent media outlets of other universities and several universities of applied sciences made internal inquiries, but none of the institutions specifically asked about this said they had a agreement with the police. They say they only share the names of staff and students if there is (or may be) a criminal offence.

However, a source did point to an agreement between the police and University College Roosevelt in Middelburg. In terms of educational quality, this institution falls under Utrecht University, but it manages its own operations. The institution has informed the Utrecht university newspaper DUB that it has not shared any names with the police.

What does Amnesty International think of the agreement?

Prins writes: “Amnesty is very concerned that the police and the university do not limit data exchange to situations involving a criminal offence. With this agreement, police and TU encourage each other to exchange information about students, employees and visitors to the university. According to the agreement, this could involve a wide range of personal data, such as home address, car registration number, camera images (which may be biometric data) and a broad residual category of ‘details about relevant incidents’. In the current situation, university staff and students can end up in police systems without their knowledge and without having done anything criminal. We know that once you end up in police systems, it is extremely difficult to obtain information about it and even more complicated to get out of it.

‘The covenant proposes broad data exchange without a specific purpose or definition’

Because the processing of personal data can have major consequences, strict rules apply under human rights law for the protection of privacy and data protection. An important basic principle is data minimisation: ‘as little as possible’. This means that an organisation may not process more data than is necessary for a specific (legitimate) purpose. That is missing here. The agreement proposes broad data exchange, without a specific purpose or definition. With this agreement, the police and the university are opening the door to all kinds of intrusive data processing.

The police and the university even explicitly create the possibility of exchanging data in the event of demonstrations. In doing so, they seem to view demonstrators as a risk, rather than as concerned citizens who want to peacefully express their opinions. Amnesty fears that this will have a chilling effect. If you hear that your university will report you to the police when you demonstrate, you will think twice about it.

Amnesty emphasises that protesting is a right and that the government should facilitate this in the first place. People can also protest at a university (more on this in this statement). Amnesty calls on the university to give students and staff who express themselves through protests as much space as possible and to view their protests, as long as they are peaceful, as part of the academic debate.”

What can Amnesty say about what the police actually do with the names of demonstrators for the purpose of risk analysis?

Prins: “The police collect personal data from demonstrators in various ways: through ID checks, monitoring social media, using advanced cameras at demonstrations and home visits. The police can then make notes in the police systems.

‘It’s not that you are suspected of a criminal offence: you are registered as a person of interest’

These notes may be linked to a project code. An example of such a code is ‘CTER05’ for so-called ‘animal and environmental extremism’. The method used for this analysis is not disclosed. It is not that you are suspected of a criminal offence: you are registered as a ‘person of interest’. Police analysts can search for that project code to see all related records.

All this data processing usually takes place without the person being monitored being aware of it. The police do not inform you about what personal data they process about you and what analyses are made of it. Amnesty has investigated various police surveillance methods and concluded that these practices violate human rights (read more here – in Dutch).”

What now?

That is up to the Executive Board of TU Delft, which is almost entirely new. Nick Bos started last summer as interim Vice President Operations, Hester Bijl has been Rector Magnificus since January, and Ingrid Thijssen took office as Chair on 1 March. Perhaps they will provide more clarity during the aforementioned consultation meetings with SR and OR.