Brightspace privacy statement for students at Leiden University
Leiden University values your privacy. We aim to make our services as transparent, personal and reliable as possible. We handle personal information obtained in the Brightspace online learning environment according to the European General Data Protection Regulation (GDPR).
- Purposes of data handling
- Personal data within Brightspace
- Principles governing the way data is handled
- Who has access to your information?
- How is my information stored?
- How long do we keep your information?
- Plagiarism checks
- What right do I have under the GDPR, and how can I exercise those rights?
- How to submit a complaint
Purposes of data handling
Leiden University handles your personal data for the following purposes:
- to facilitate positive interactions between lecturers and students;
- to promote cooperation among students;
- to motivate and offer guidance to students studying subjects;
- to manage subjects within Brightspace, through activities such as putting students in groups;
- to inform students about the content of the subjects they are taking, including providing information about lectures, seminars and assignments;
- to make teaching material available to students;
- to test knowledge and measure progress;
- to improve the education provided, including the continuing development of teaching methods and materials through means such as scientific research;
- for lecturers to record findings and results.
- to provide support;
- to improve university operations;
- to trace and thereby prevent fraud (plagiarism);
- to achieve an appropriate level of information security.
Personal data within Brightspace
The following personal data is handled in Brightspace:
- your first name, last name, e-mail address and student number;
- your photograph, if you choose to share one. You are not required to upload a photograph; if you do, you can delete it at any time. By uploading your photograph, you give Leiden University permission to handle that photograph;
- preferences you have set regarding matters such as receiving e-mails;
- information about the subjects for which you have registered;
- assignments to be completed, assignment deadlines, the marks you achieve for assignments;
- feedback from lecturers or fellow students;
- contributions to discussion forums. Please note: even posts that have been removed can still be viewed by staff members with the right authorisation;
- information used for the provision and completion of tests;
- information used for the provision and submission of assignments;
- information about participation and progress, such as any awards, progress in terms of task lists and class progress;
- date and time of your last login;
- IP address.
Principles governing the way data is handled
Personal data is handled according to the following principles:
- to fulfil a task in the general interest (Article 6(1e) of the GDPR) for data processing activities that relate to education, including plagiarism checks;
- the legitimate interest of the organisation (Article 6(1f) of the GDPR) for data processing activities that relate to network and information security;
- permission (Article 6(1a) of the GDPR).
Who has access to your information?
This depends on the user’s role and the way the data is processed. Whereas a forum post may be visible to all students in a given seminar group, very different rules apply to other data, such as final marks. Information may be visible to:
- other students;
- staff members who prepare your courses, set up groups and manage the courses;
- staff members who provide support both to lecturers and to you as a student;
- the senior lecturer who is responsible for the course in Brightspace;
- lecturers who teach the course;
- members of the Board of Examiners and members of the Examination Appeals Board;
- Leiden University staff who conduct research with the aim of improving the level of teaching and the teaching material.
How is my information stored?
Leiden University takes care to ensure that your information is stored securely, in accordance with the clear agreements we have established with our suppliers. Personal information is stored within the European Union and in the United States of America, and data is transferred according to the Privacy Shield Framework.
How long do we keep your information?
Your personal information is deleted once you complete your studies. However, certain items need to be kept for a longer period, such as assignments, which are stored longer in case any checks need to be carried out in the future. Under the Public Records Act, the university is required to store this information for a certain number of years. The precise length of time during which this information must be stored depends on the type of information and is set out in the legislation.
Completed assignments, such as essays and practical assignments, are submitted in Brightspace. A plagiarism check is carried out immediately after submission: a programme compares the text of the submitted work with other texts, including previously submitted assignments. However, it is the lecturer who ultimately marks your assignment.
What rights do I have under the GDPR, and how can I exercise those rights?
If you do not agree with the way your personal information is handled, and if there are specific circumstances which mean that your interest in relation to privacy is more important than the purposes mentioned above, you have the right to appeal. The GDPR also confers additional rights, including the right to inspect, amend or delete your data and to restrict the ways it is handled, which you can exercise under certain conditions. If you would like to exercise these rights, please contact the Data Protection Officer: firstname.lastname@example.org.
How to submit a complaint
If you have a complaint about how the University has handled your personal data, please inform the Data Protection Officer (see above). If you do not agree with the way in which Leiden University deals with your complaint, you have the option to submit a further complaint to the Dutch Data Protection Authority.