Personal Data Protection Act
The University of Amsterdam (UvA) collects a range of personal data from its staff and students. These data are recorded at various locations within the UvA.
This document is intended to explain what is meant by personal data, how they are protected, where they are recorded and for what purpose they are used.
What are personal data?
Personal data are any data that can be traced to a natural person. These include basic details such as name, address and city of residence, as well as details about your partner, marital status, place of employment, bank account number and about illnesses and related absences.
The Personal Data Protection Act (Wet Bescherming Persoonsgegevens) lays down rules for the collection and use of personal data. To facilitate the law’s implementation, the management of Legal Affairs launched the personal data protection project in October 2003. The project team visited the organisational units and faculties in 2003-2004 to establish which databases were in use to record personal data. Examples include the personnel administration (SAP HR), the student registration system (ISIS) and the Terms of Employment Menu.
Data Protection Officer
The number of databases being used to record personal data is large. The UvA has a specially-appointed data protection officer to process and publish information about these databases. This officer also represents the national Data Protection Authority (College Bescherming persoonsgegevens) at the UvA and, as an independent party, also handles complaints relating to personal data. The Executive Board has appointed the Legal Affairs director to serve as the UvA’s data protection officer.
It is crucial that databases are registered according to the correct procedure. Faculty deans and organisational unit managers are responsible for database registration, which is coordinated by the personal data protection contact person. Any failure to comply with the statutory requirements, including registration, may lead to claims from staff or students or the imposition of fines and other measures by the Data Protection Authority, which monitors the law’s implementation.
The UvA is permitted to use personal data solely for the purpose for which they were collected. Compliance with this requirement is monitored by the project team through visits to each of the faculties and organisational units. Most of the data collections serve obvious purposes: bank account numbers are needed to pay out salaries and details about illness and leave are needed for occupational medical care and personnel administration.