To safely work and study at VU Amsterdam, sufficient protection against and a good protocol for dealing with data leaks is extremely important. It is important that data leaks are discovered and reported as quickly as possible, so appropriate measures can be taken. Examples of data leaks are the following: a lost USB stick with personal details, a stolen laptop or an e-mail with personal information that was accidentally sent to the wrong recipient. However, a data leak may also be caused by a hacked file or by malicious software or malware that hijacks a computer or files. The university is required to report serious data leaks to the Dutch Data Protection Authority within 72 hours of discovery. Below you can read more about security incidents and data leaks and what to do.
Data leaks and other incidents
What is it and what should you do?
-
What is a security incident?
Security incidents occur when the possibility exists that the confidentiality, integrity or availability of information or data processing systems has been potentially threatened. Examples of security incidents include virus infections and/or malware infections, attempts to gain unauthorised access to information or systems (hacking), the loss of a USB stick with sensitive information, data theft of hardware or a hacked mailbox.
Please notify the IT Service Desk of possible incidents.
-
What is data leak?
A data leak is a security incident in which personal details may have been lost or may have been accessed, viewed, changed or used by unauthorised persons. Personal details are details that directly or indirectly refer to a person. For example a name, date of birth, address, telephone number, email address, account number, personnel number, student number or transcript.
-
What should I do in the event that a data leak occurs or if I suspect a data leak occurs or if I suspect a data leak may have occured?
In the event that a data leak has occurred or if you suspect a data leak has occurred, please contact the IT Service Desk on 020-59 8000 or send an e-mail to servicedesk.it@vu.nl. The IT Service Desk will notify the VU’s Security Operations and Control Center. The SOCC and the VU’s legal department will determine whether or not a data leak has occurred and whether or not the Dutch Data Protection Authority and the persons whose details have been accessed needed to be notified. In addition to that, the SOCC will take any measures necessary to recover the data and restore security.
Do I need to contact the Dutch Data Protection Authority or the persons involved myself?
No, you do not. The VU’s legal department will notify the Dutch Data Protection Authority and persons involved should this be necessary. In order to do this properly, it is important that you supply all the relevant information as quickly as possible. -
SOCC
The Security and Operations Control Center (SOCC) of VU Amsterdam is a specialised team of IT professionals capable of acting quickly in the event of a security incident with computers or networks. The aim is to reduce the damage and promote the recovery of the IT services.
SOCC is affiliated with the SURF Community of Incident Response Teams (SCIRT) and works with various domestic and foreign SOCCs. SOCC should ideally be notified by e-mail: socc@vu.nl. During office hours SOCC is also available by phone on 020-598 7159.
-
Responsible disclosure
VU Amsterdam has a Responsible Disclosure policy, meaning that persons reporting security incidents have immunity from criminal prosecution as long as certain very strict conditions have been met.
Read more about Responsible Disclosure and the conditions