Privacy Statement for Brightspace and Portflow

Personal data means any information relating to an identified or identifiable natural person. There are many types of personal data. Obvious examples include a person’s name, address and place of residence. These data directly relate to an individual or can be directly linked to that individual. Personal data may also be indirect, meaning data that, when combined with other information, can be used to identify a person. For example, a postal code combined with other data may indirectly identify you.

Your personal data are processed for the purpose of providing a Learning Management System in combination with an e‑portfolio system used to organize and support educational activities.

Brightspace
Brightspace is used within Hanze for the following purposes:

• Brightspace functions as the central platform where lecturers share course materials and other education‑related resources with students.
• Interaction between lecturers and students takes place within Brightspace, for example through discussions, messages and online polls.
• Brightspace is widely used for the submission of assignments. Results and feedback are temporarily recorded in Brightspace; final registration takes place in Osiris. The Osiris privacy statement can be found separately.
• In the context of accreditation and quality assurance, Brightspace is used as a source of information to provide insight into the design, implementation and assessment of education. Assignments, submitted work and assessments may be consulted for this purpose.

Portflow
The e‑portfolio system Portflow is used within Hanze for the following purposes:

• Supporting formative assessment and development‑oriented assessment practices.
• The student’s personal portfolio in Portflow allows students to collect evidence, reflect on their learning, gather feedback (from lecturers, fellow students and external parties), monitor their progress and record learning outcomes.

Brightspace
Within Brightspace, the following personal data are processed.

Student:

• Name and username
• Contact details, including email address
• Gender (optional, provided by the student)
• Education and study‑related data, including enrolments in courses and groups, lecturer information, assignments, achieved (provisional) results and attendance
• Access and usage data, such as information on login times (for example, your last login)
• Content included in submitted assignments, discussions or other activities within Brightspace, insofar as this information is voluntarily provided by the student

Staff member:

• Name and username
• Contact details: Hanze email address and four‑letter staff code
• Gender (optional, provided by the staff member)
• Education‑related data, including enrolments in courses and groups and data relating to students
• Access and usage data, such as information on login times (for example, your last login).

Under the General Data Protection Regulation (GDPR), personal data may only be processed if one of the legal bases listed in Article 6 GDPR applies.

As an educational institution, Hanze performs statutory tasks in the field of higher education. These tasks are laid down, among other legislation, in the Dutch Higher Education and Research Act (Wet op het hoger onderwijs en wetenschappelijk onderzoek – WHW). In order to carry out these tasks, it is necessary to process personal data of students and staff members.

Brightspace
For most processing activities in Brightspace, the legal basis performance of a task carried out in the public interest applies (Article 6(1)(e) GDPR). The provision, organisation and delivery of education are considered tasks carried out in the public interest. On this basis, we process personal data necessary for, among other things:

• Following and supporting education
• Facilitating interaction between students and lecturers
• Monitoring study activities and study progress
• Delivering and assessing educational units and assignments

In addition, we process personal data on the basis of a legal obligation (Article 6(1)(c) GDPR), insofar as this is necessary to comply with legislation applicable to higher education. This includes obligations relating to examinations, accreditation, quality assurance and supervision. Under applicable archiving and retention regulations, such as the ‘Selectielijst Hogescholen’, certain education‑related data, including graduation work, must be retained for a specified period.

For additional processing activities necessary for the technical functioning, security and management of Brightspace, we rely on the legal basis legitimate interests (Article 6(1)(f) GDPR). These processing activities are limited in scope and necessary to ensure that the platform remains secure, reliable and available.

Portflow
For most processing activities in Portflow, the legal basis performance of a task carried out in the public interest applies (Article 6(1)(e) GDPR). Supervising, monitoring and assessing students, including development‑oriented assessment and the recording of learning outcomes, form part of Hanze’s statutory educational task. On this basis, we process personal data necessary to support peer processes and the assessment of students within the framework of degree programmes and awarding of degrees.

Additionally, personal data are processed on the basis of a legal obligation (Article 6(1)(c) GDPR), where required to comply with legislation applicable to higher education. This includes obligations relating to examinations, accreditation, quality assurance, supervision and associated retention obligations. Certain education‑related data, including graduation work, must be retained for a specified period in accordance with applicable archiving and retention rules, like the ‘Selectielijst Hogescholen’.

For additional processing activities necessary for the technical functioning, security and management of Portflow, we rely on the legal basis legitimate interests (Article 6(1)(f) GDPR). These processing activities are limited in scope and necessary to ensure the system remains secure, reliable and available.

We respect your privacy and do not retain your personal data longer than is necessary for the purposes for which they are processed. In doing so, we take applicable statutory retention periods into account. In some cases, we are legally required to retain certain data for a fixed period. These obligations are included in the ‘Selectielijst Hogescholen’

Brightspace
In principle, all information processed within Brightspace is retained for a maximum period of seven years. Where a longer statutory retention period applies, that period will be observed.

Portflow
Submitted work (snapshots) in Portflow is retained for seven years after the student’s deregistration. The student’s personal portfolio is deleted after deregistration in accordance with Hanze’s established retention policy. Where a longer statutory retention period applies, that period will be observed.

The personal data processed in Brightspace and Portflow originate from various internal sources. Student data are obtained from Osiris, the student information system. Staff data are obtained from AFAS, the human resources system.

Brightspace
Internal access:

• Lecturers: lecturers have access to your data within the course(s) in which you are enrolled for the purpose of delivering and supporting education. This access ends one year after the end of the academic year.
• Academic counsellors and student counsellors: access is granted only with your explicit consent.
• Programme key users: programme‑specific access for course management, administrative tasks and support.
• Functional administrators: full access for management and operational purposes.

External access:

• Supplier: Brightspace is provided by D2L, based in Kitchener, Canada. For commercial organisations in Canada, an adequacy decision adopted by the European Commission applies. This decision means that such organisations are deemed to provide an adequate level of data protection. In addition, Hanze has concluded a data processing agreement with the supplier D2L , which includes agreements ensuring that personal data are processed within the European Economic Area (EEA) and adequately protected. D2L has an account in the Hanze Brightspace environment for administrative and support purposes only.
• External partners: external partners involved in learning communities and innovation hubs may be granted access to relevant course environments.
• Netherlands–Flemish Accreditation Organisation (NVAO): once every five years, NVAO has access to examination files for programme accreditation purposes. They review the quality and content of the examination files in order to decide whether the accreditation of the programme will be maintained.

Portflow
Internal access:

• Students determine themselves who (internally and externally) has access to which parts of their live portfolio.
• Students determine with whom(internally anf externally) they share showcase or assessment links of snapshots.
• When a snapshot is submitted in Brightspace, the lecturer gains access to that snapshot. This access ends one year after the end of the academic year.
• Programme key users: programme‑specific access to snapshots within Brightspace courses for administrative purposes and support.
• Functional administrators: full access to snapshots for management and operational purposes.

External access:

• Supplier: Portflow is provided by Drieam B.V., based in Eindhoven. Hanze has concluded a data processing agreement with Drieam B.V., ensuring that personal data are processed within the EEA and adequately protected.
• Netherlands–Flemish Accreditation Organisation (NVAO): access is granted once every five years for accreditation purposes. They review the quality and content of the examination files in order to decide whether the accreditation of the programme will be maintained.

Automated decision‑making refers to decisions made by computer programs or systems without human involvement. There is no automated decision‑making within Brightspace or Portflow.

We take the protection of your personal data seriously and take appropriate technical and organisational measures to prevent misuse, loss, unauthorised access, unintended disclosure and unlawful modification. Your data are only accessible to persons who are authorised to do so based on their role or responsibilities. Hanze’s information security and privacy policy is based on the NBA Maturity Model of NOREA and the ISO 27001:2022 standard. If you believe that your data are not properly secured or there are indications of misuse, please contact [email protected]

If, following the information above, you have any specific questions or comments regarding this privacy statement, please feel free to contact us. You can do so by sending a message to [email protected].

You have the right to access, rectify, erase or restrict the processing of your personal data. You also have the right to object to the processing of your personal data by Hanze.

You may submit a request for access, rectification, erasure, restriction, data portability, withdrawal of consent, or an objection to the processing of your personal data by sending an email to [email protected]. We will respond to your request as soon as possible and, in any case, within four weeks.

Hanze would also like to inform you that you have the right to lodge a complaint with the national supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).