Questions & Answers

How does HAN handle personal data?

When may I process personal data?

  • When HAN has a reason for doing so; for example, running a degree course or other course. You may process the data needed for this purpose if this falls under your job responsibilities. Are you unsure about this? Send your question by email to

Which data may I record/collect?

  • The data that you wish to record or collect must be related to the purpose for which you are collecting the data. For example, if you want to provide a degree course or other course at HAN, you need certain data from the students or participants. You need to know a student’s date of birth and birthplace, because these should be recorded on the certificate. HAN does not need to know the student’s height, weight or skin colour, however.

Do you always need to ask consent for data processing?

  • There is no short answer to this question. The general principle is that if someone is following a degree course or other course at HAN, you do not have to ask for their permission to process the data needed for this, but you do need to ask for their consent if you wish to do research or if you wish to process external relations’ data. We have provided a more detailed answer in the attachment. For each ‘type’ of relationship between the person and HAN, we explain when and whether consent needs to be asked. There is a consent form for this purpose.

Age limit

Before collecting data, you should always take account of the following. If the person is aged under 18, you should always obtain, record and archive the consent of the parent(s), unless this concerns a legal action that is standard for this age. The privacy legislation (the General Data Protection Regulation) refers to an age limit of 16 years. However, this is only applicable to situations that do not or rarely arise at HAN. You should therefore always use the limit of 18 years.

Examples of actions for which the consent of the parent(s) is required:

  • Enrolling on a degree course or other course
  • Registering for a work placement abroad

Examples of actions for which there is no need to ask the consent of the parent(s):

  • Completing the NSE
  • Use of social media for HAN
  • Paid work for HAN
  • Contact with the student counsellor or student psychologist

How can I inspect my data or request the correction (amending, adding, deleting and/or protecting) or transmission of data?

  • Are you a student? If so, contact the Student Affairs Enquiry Desk. You will find the contact information at Insite ‘Student Support’.
  • Are you a member of staff? If so, contact the HR Enquiry Desk. You will find the contact information at Insite ‘Human Resources’.

What are personal data?

‘Personal data’ are all data that can be traced back to a natural (living) person. In the diagram, you will find an overview of the characteristics and data that are seen as personal data and ‘sensitive’ personal data.

How can I handle personal data securely?

Do you want to know how to handle personal data securely? If so, be sure to heed the tips below.

Tips to help keep information secure
1. Never share the password for your HAN account with anyone, even if you are asked to do so by email.

2. Secure your mobile devices (tablets and smartphones) with an access code and never share this code with anyone.

3. Do you sometimes leave your desk? Take your mobile phone with you and lock your computer with the Windows logo key + L (or use one of the many locking options if you’re working on an Apple). Or lock the door.

4. Working from home? That needs to be secure as well. Choose a good antivirus program and keep all your software up to date.

5. Have you lost a device belonging to HAN or has a device been stolen? Report this to the Service Desk ASAP.

6. HAN expects you to communicate in a professional manner, regardless of the form of communication (e.g., email or social media). When you present yourself as a HAN staff member on social media, you do so under your own personal title.

7. Don’t carry sensitive data around with you when you don’t need to. Don’t put sensitive data on USB sticks or other portable media.

8. Store your documents carefully, preferably digitally and only on the storage facilities made available by HAN (so not on Dropbox, for example). Keep your digital and physical trash bins empty and never place confidential documents in ‘public or shared’ online or physical spaces.

9. Print safely! Make sure no one unintentionally gets your print job(s). After printing, remove the print job from the printer.

10. Have you stumbled across information which you or others should not see? Avoid the risk of this happening again and report it to the Service Desk:

Tips on how you can help to protect privacy

  • Collect, use and store personal data only when you really need it for your regular duties. Make sure you know what you need it for.

  • Do you need to use data for a reason other than your regular duties? You can have this assessed. Find out more at Insite ICT (information in Dutch).
  • If necessary, ask the relevant person for permission to process their data.
  • Collect, use and store personal data in a safe digital environment made available by HAN. 
  • Safe = e.g., the W: and R: drives, CATS, Alluris, Filesender.
    Unsafe = e.g., Dropbox, Google Docs, WeTransfer.
  • Do not save data for longer than necessary. Set up a process of deleting data on time.
  • Do you process sensitive personal data on ethnicity, sexual preference, or political or religious opinions, or medical data, biometric data or data on union membership? Ensure that as few people as possible have access to these data.
  • Do you use a third party to process personal data? Ensure you have a processing agreement. You can find models for this at Insite SB (information in Dutch, models in English).
  • Sending out a newsletter? Ensure that people can opt out and, if your newsletter is also used for commercial purposes, ensure that they can opt in too. This rule does not apply to sending information that a student or staff member is required to be informed about.
  • Do you know or suspect that personal data has been leaked? Report the data leak to the Service Desk ASAP ( and (024) 353 16 66).
  • Do you want to use social media (Facebook, LinkedIn, Instagram, or media such as Socrative, Mentimeter and Padlet) in your education? You may only do so on a voluntary basis with students, for example. At least offer the possibility of using an anonymous account.

I want to use the personal data of staff/students, e.g., for research/mailings. Is this permitted, and how do I access these data?

HAN staff members regularly ask for data from HAN’s central database (IMAO database). For example, the email addresses and other personal data of HAN students or staff. These data are used, for example, to send (digital) invitations, letters/emails, online newsletters and to plan research, as well as for the reports that are required as part of HAN’s daily business.

A meticulous process
The process of requesting these data has been designed meticulously, because we often work with privacy-sensitive information. Every request is assessed by a lawyer and approved by the director of the Services Department. After approval has been given, the data are sent to the person who requested them.

Destruction of personal data after use
Privacy legislation provides that personal data may only be used for the purposes for which they have been requested. As soon as these data have been used, they should be destroyed. This means that you should delete the email and the file that you received. If you fail to do so, there is a risk that you will inadvertently leak the data. In doing so, you will be acting contrary to privacy legislation (the General Data Protection Regulation, GDPR).

Do you wish to request data?
Go to Insite ICT for more information about using and requesting data and the application form. Allow for a minimal lead time of ca. 5 working days.

Research: how can I handle data securely?

The code of conduct for practice-based research is a document that has been adopted by the Netherlands Association of Universities of Applied Sciences. It sets out how staff and students should behave when carrying out practice-based research.

The following rules apply to practice-based research:

  • Researchers in higher professional education serve a professional and social interest
  • Researchers in higher professional education are respectful
  • Researchers in higher professional education are meticulous
  • Researchers in higher professional education are honest
  • Researchers in higher professional education are accountable for their choices and behaviour.

HAN endorses the code of conduct for practice-based research in higher professional education. HAN students, lecturers, researchers, associate professors and professors should follow the code of conduct when carrying out research. Any deviation from the code should be justified explicitly and reported, accompanied by the reason for the deviation, in the quick scans, mid-term reviews and external evaluations of the research centres. As such, the document forms part of the quality policy on research that HAN has established in the Handbook on Quality Assurance for Research.

The code of conduct is available at HAN Insite (in Dutch)

Sending out newsletters: what to bear in mind

Before putting together a newsletter or mailshot, it’s advisable first to immerse yourself in the process of sending out newsletters. After all, legislation prescribes that you cannot simply send a newsletter.
At Insite MCV you can read about what needs to be done when sending (online) newsletters or mailshots.

Data leaks: what are they and how should I report one?

As an organisation, we are duty-bound to report the occurrence of any ‘data leaks’. But what is a data leak and how can you report one?

What is a data leak?
We say that a data leak has occurred if personal data disappears or ends up (or may end up) in another party’s hands. This includes accidentally erasing data, for example, or accidentally emailing an overview of student data to someone external to HAN. Not everything counts as an ‘official’ data leak. If you give a student’s email address to someone who subsequently misuses it, for example, this doesn’t count as a data leak, but you would be well advised to apologise to the student.

How do you report a data leak?
Report the data leak to the Service Desk ASAP via or (024) 353 16 66.

Sending out surveys: can I use free software for this?

No, you may not simply use free survey software to send out online surveys from HAN. You may only do so if HAN has concluded a ‘processor agreement’ (available in English) with the provider and this is not the case for most suppliers of free software.

We have put together an overview of the survey tools that you can use. Click on for an overview of the options.