Any information that can be traced back to a person is personal data. If you use personal information, you must always follow the basic principles of the General Data Protection Regulation (GDPR).
If you wish to use new personal data, or you wish to use existing personal data in a different way, you will need to report this to the privacy officer in your department. Even if you are uncertain about the information that you wish to use, you may still report it to your privacy officer.
Recognising personal information
Any information that can be traced back to a person is personal data. This includes direct personal information, such as a name, address or citizen service number. But any information that is used in combination with other data that can be traced back to a person, is also personal data. Examples of this type of information are GPS locations, registration numbers or hair colour. Even if you process this information under a pseudonym, it remains personal data. To put it simply, almost any information that pertains to a person is personal data. If you are uncertain about the information that you are processing, you should always contact the privacy officer in your department.
Examples of situations in which you would use personal information include:
- Collecting personal information and/or pseudonymised data for a specific purpose, such as for a study or for the creation of an app;
- Using a system in which personal information and/or pseudonymised data are being processed, such as a Customer Relationship Management (CRM) system.
If you use personal information, you must always follow the seven basic principles of the General Data Protection Regulation (GDPR). If you have any questions, please contact the privacy officer in your department.
1. Legitimacy, fairness, and transparency
You must have a good reason, also known as a ‘lawful basis’, for collecting personal data. You must treat this personal information properly and be transparent about the data that you are processing and why you need to process it.
2. Purpose limitation
You may only collect and use personal information for a specific purpose. If you collect data for a particular purpose, you may not use it for any other purpose.
3. Data minimisation
You may only collect and use the personal information that you actually need to achieve your purpose. You should also consider whether you can anonymise the data, so that the information that you use is minimally identifiable. Please note that it is forbidden to request additional information because it may turn out to be useful in the future.
4. Accuracy
Any information that you store must be correct. If the information is not correct, you should correct it as soon as possible.
5. Storage limitation
You may not store information for longer than is necessary. You may also not store the information in different places if it is not absolutely necessary. You must destroy the information at the end of the retention period.
6. Integrity and confidentiality
You must always ensure that your data is adequately secured. This may include technical measures (for example, to make sure that we do not get hacked) as well as a sense of confidentiality among staff members. In other words, do not just cc someone for the sake of it or send emails if it is not necessary.
7. Accountability
As an organisation, the university must be able to demonstrate how it complies with the GDPR. Staff members are therefore required to register the use of personal information in the correct manner. The privacy officer in your department can help you to ensure that this is done properly.