Version 1.0 – 2 December 2020

1 Privacy statement edubadges

We are glad that you’re reading the privacy statement of Rotterdam University of Applied Sciences for the service edubadges! We have paid a lot of attention to the protection of your personal data, and you can read all about it in this privacy statement. If you have any questions, comments or concerns after reading this privacy statement, please email [email protected].

2 Introduction

An edubadge is a digital insignia (pictured) that shows that the recipient has certain knowledge or skills. The recipient of an edubadge can share it with others, for example on social media, in a digital CV, or with an educational institution or a potential employer.

A technical infrastructure is required to create and award edubadges. SURF has developed this edubadges publishing infrastructure, in which the edubadges can be stored and validated safely within SURF. More information about edubadges can be found on SURF's website.

3 Processing

The edubadges service is divided into two parts:

  • Account/backpack (1) -> SURF is controller, see SURF's privacy statement.
    • Creating and maintaining an account
    • Storing edubadges in the backpack
    • Validating edubadges
  • Issuing edubadges (2) -> Rotterdam University of Applied Sciences is controller
    • Registering for edubadges
    • Creating an edubadge
    • Issuing an edubadge

For the user account, the storage of edubadges and the validation of edubadges (1), SURF is the controller. You can contact [email protected] with questions about this processing.

For the issue of edubadges (2), Rotterdam University of Applied Sciences is the controller and SURF is the processor. This privacy statement relates primarily to the processing by Rotterdam University of Applied Sciences.

4 Personal data

4.1 What personal data do we use and why?

For the functioning of the edubadges platform, it is necessary to process personal data. Students receive edubadges as a recognition for an achievement as a student at the Rotterdam University of Applied Sciences so they can prove that they have met the assessment criteria associated with the achievement.

For the issuing of edubadges, we distinguish three forms of processing:

  1. Registering for edubadge
  2. Generating edubadge
  3. Sending edubadge

Registration of edubadge

Data subject: Badge recipient

In the table below are the personal data (with purpose and basis) that are processed before registering for an edubadge. This personal data is obtained by linking to the user's eduID account.

| Personal data | Purpose | Basis |
|---|---|---|
| eduID | Pseudonym identifier in edubadge | Performance of a contract |
| First name | User identification | Performance of a contract |
| Surname | User identification | Performance of a contract |
| Email address | User Notification | Performance of a contract |
| Scoped affiliation | Demarcation available edubadges | Performance of a contract |
| Privacy interaction | Whether the Terms of Use have been agreed to | Performance of a contract |

Generating edubadge

Data subject: Badge recipient

In the table below are the personal data (with purpose and basis) that are processed for generating an edubadge. This personal data is obtained by linking to the user's eduID account.

| Personal data | Purpose | Basis |
|---|---|---|
| eduID | Pseudonym identifier in edubadge | Performance of a contract |
| First name | User identification | Performance of a contract |
| Surname | User identification | Performance of a contract |
| Email address | User Notification | Performance of a contract |
| Scoped affiliation | Demarcation available edubadges | Performance of a contract |
| Privacy interaction | Whether the Terms of Use have been agreed to | Performance of a contract |

Sending edubadge

Data subject: Badge recipient

In the table below are the personal data (with purpose and basis) that are processed for sending an edubadge. This personal data is obtained by linking to the user's eduID account.

| Personal data | Purpose | Basis |
|---|---|---|
| eduID | Pseudonym identifier in edubadge | Performance of a contract |
| First name | User identification | Performance of a contract |
| Surname | User identification | Performance of a contract |
| Email address | User Notification | Performance of a contract |
| Scoped affiliation | Demarcation available edubadges | Performance of a contract |
| Privacy interaction | Whether the Terms of Use have been agreed to | Performance of a contract |

An edubadge contains your eduID. Furthermore, the edubadge contains information such as the time of issue, the publisher (Rotterdam University of Applied Sciences) and information about the performance, educational module and/or learning outcome.

4.2 To whom do we provide the data?

Rotterdam University of Applied Sciences staff have access to your first name, last name and email address after you apply for an edubadge. SURF and its management party have access to all personal data. The personal data are not provided to other third parties.

5 Security

Among other things, the following security measures have been put in place to protect personal data:

  • Edubadges deviate from the standard personal data in the Open Badge 2.0 specification (first name, last name, email address). Only the eduID is stored in the edubadges as personal data.
  • Communication between systems is encrypted in accordance with modern standards and best practices.
  • A comprehensive external security audit (code review and penetration test) has taken place for the go-live. The edubadges service is regularly audited.
  • Access to servers is protected in accordance with modern security standards and best practices.
  • All physical and virtual servers and data are located in SURF data centres in the Netherlands. The edubadges service is hosted redundantly at SURF locations Nikhef and InterXion.
  • All operating systems and software are kept up-to-date.
  • Access to the management side of the edubadges service is shielded through a VPN and a hardened configuration for the access itself.
  • Daily backups are made of the production environment.
  • Servers, operating systems and/or applications are protected by a restrictive firewall.
  • Actions in the operating system and actions of employee accounts are logged.
  • The web server uses a hardened configuration and security headers in accordance with best practices.
  • The access permissions for employee accounts in edubadges are limited to relevant personal data.

6 Your rights in relation to your (personal) data

See our privacy statement.

In order to exercise rights like addition and/or modification, you can contact [email protected].

7 Change in privacy statement

Changes may be made to this privacy statement. We therefore recommend that you consult this privacy statement regularly.