Is our assessment review data safe with Amazon?

The data relating to TU Delft staff assessment reviews is stored on Amazon servers. For this reason, some staff are reluctant to complete their assessment forms digitally.

(Screenshot digital R&D form)

Nederlandse versie

An additional TU Delft privacy statement about the digital assessment review (the Result & Development – R&D – cycle) reveals that supplier Lumesse uses Amazon services to store data. The data is on Amazon servers in Frankfurt, according to the statement that staff receive if they have questions about their privacy.

Speaking in his personal capacity, ICT staff member Mulderij says that he and several colleagues are not happy about ‘so much personal information being placed so far away’. His main objection is that Lumesse is British and Amazon American. “Because of Brexit, there are doubts about how privacy legislation will be affected there. American President Trump is in the process of passing legislation that enables data to be requested from American servers wherever they are located.”

Staff member Kloosterman has similar concerns. She is glad that the division she works in, Education & Student Affairs, has not yet transferred to the digital system because of restructuring. Kloosterman and Mulderij met with the Human Resources (HR) Director Ingrid Halewijn and ICT Director Paul Hillman to discuss their concerns. According to Halewijn, Mulderij will be permitted to complete his R&D details on paper for personal reasons on a once-only basis, providing that his supervisor agrees to this. It is and will remain ICT policy for the forms to be completed digitally.

On the issue of potential privacy risks after Brexit, Halewijn says that the contract with Lumesse complies with European privacy legislation. “It includes sufficient safeguards to ensure this is properly regulated. We were transparent with the privacy statement in it: before you start, the system asks you whether you have read it. Besides, TU Delft has a business relationship with the Dutch branch of Lumesse.

Asking for consent

Asking if you have read a statement is not the same as asking if you agree. Anyone who clicks on his or her own name in the R&D form will see underneath the term ‘privacy statement’ that he or she has agreed to it. On this issue, Halewijn refers Delta to the TU Delft data protection officer, Erik van Leeuwen. He points out that the University does not ask for consent to process data because there is an agreement (contract of employment) with the employee.

According to Van Leeuwen, the data processing is necessary to implement that agreement. He compares it to calculating salary. “That data is sent to an external party. It has to be, otherwise the salary cannot be calculated. This also applies to the R&D. The legal basis for this can be found in Article 6.1 b of the General Data Protection Regulation (AVG), which will apply from 25 May 2018. Currently, Section 8 of the Data Protection Act applies, which includes that same basis.” According to the AVG, organisations have a duty to inform. They have to inform new and existing customers about what happens with their personal data. In its privacy statement, the University does not state that the data is stored on Amazon servers. When confronted with this issue, Halewijn wonders what the problem is. “It’s an American company, but these servers are in Germany, on European territory. The Dutch branch of Lumesse has a contract with it in which all privacy safeguards are properly regulated.”

American legislation

Halewijn says that American legislation that would enable data to be requested from American servers wherever they are located was not yet an issue at the time of the tendering procedure. “If that means that our contract no longer complies with the privacy safeguards that TU Delft wishes to have, we will need to respond to that. Lumesse is obliged to guarantee privacy according to European legislation and will certainly do so. Otherwise, Lumesse will lose customers.” Van Leeuwen adds that if data is requested, it will be encrypted data. “A jumble of numbers for which you do not have the key.”

Lumesse says that it is not permitted to provide information about customers to people who are not contacts. For this reason the supplier gave the following response via Halewijn: TU Delft has a contract with the Dutch Lumesse limited company, not the British one, and the Amazon Web Services (AWS) data centre is on EU territory (in Frankfurt), which means that both Lumesse and AWS must comply with Dutch and EU legislation on privacy and security. This is contractually guaranteed. The data is stored in encrypted form, the data centres are ISO-certified and all software already complies with the AVG. Delta has so far received no response from Amazon.

Halewijn does not wish to provide Delta with any contracts, but says she has no issues in allowing access to people who have questions about them. In response to the question of whether records are kept on who is permitted to view R&D data, Erik van Leeuwen states that it is recorded in the system who is permitted to view it, but there is no monitoring of who has done so. “Lumesse is not intended to be able to view the data”, says Van Leeuwen. “If everything is in order, it’s impossible. The data is encrypted.”

Why digital?

Another question is why TU Delft has outsourced the data storage to an external party. Doesn’t TU Delft have this expertise in-house? According to Halewijn, this happens in a lot of organisations and TU Delft can benefit from the experience. “You can opt to store it on your own servers, but that would be a different type of product that does not meet the requirements and wishes that we had. Besides, using your own servers also involves privacy and security risks. It’s not necessarily more secure. In fact, the security requirements that the external partner has to meet are often very strict.”

So why did the R&D process have to be digital? “It was what many people wanted, because the old system involved a lot of manual work and quite a few security and privacy risks”, says Halewijn. “Printing paper versions, copying them and distributing them around TU Delft, collecting signatures: all of this involves risk.” In addition, the digital system will soon prove useful in processing such things as job vacancies and organising training programmes. “We intend to digitise all of that. It’s much more convenient and efficient to organise approval with just a few clicks.”

What if more people have objections? “In that case, we will talk to them about their concerns, but there are not that many of them”, says Halewijn. “According to the circumstances, we will reach agreement about it.” She wants to find an approach that can apply to the whole University.

R&O privacyverklaring.pdf


What do you think of the new R&D-system? Just let me know at the address below.

News editor Connie van Uffelen

Do you have a question or comment about this article?

Comments are closed.