Privacy for teachers

Am I allowed to process personal data of students?

You can process personal data that is necessary to be able to teach and supervise students as a teacher.

Student grades

Make sure that only the individual student can see his or her grades and make sure that you do not share these grades with other students. Grades are registered in Osiris, but (partial) grades can for example be added to the Grade Center in Brightspace. This is an approved and secure (AVG proof) environment to enter grades. You can also send the grade to an individual student by e-mail.

Storage of test results

After entering the numbers in Osiris (and possibly Grade Center), you need to remove them from your local disk/usb-stick/drive. It is not allowed to keep one or more of your own shadow administration(s).

Use of applications

Applications such as Google, WeTransfer and Dropbox are not AVG proof. Preferably use AVG proof alternatives, such as Surfdrive and Surffilesender. These applications are also suitable for sharing data with external parties. Ask your faculty IT manager for help setting up an account.

Also (online) apps like Kahoot and Survey Monkey are not AVG proof. Do not place any personal data in these apps and use alternatives approved by TU Delft such as Survalyzer and Qualtrics. If you still want to use such an app in education, ask the students for permission beforehand, for example by e-mail.

Use TU email for work related communication. Do not share confidential information with colleagues and students through other e-mail channels, such as Gmail or Yahoo.

Click here for a full list of available approved applications.

Learning analytics

If you want to use personal data for analysis, make sure you anonymise the source data.

Sharing student data with third parties

  • With test supporters (e.g. student assistants): make sure that only the data that the test supporters really need is shared. Share the data via a secure application or via TU Delft e-mail. Make sure the data is deleted after use.
  • With internship companies: Make sure you ask the student's permission beforehand to share his or her contact details or grades with a (potential) internship company, for example. Or let the student contact the internship company himself.

Pear feedback

Giving feedback on each other's work is sometimes included in the curriculum's learning objectives. This peer feedback is also permitted under the AVG. Process as little personal data as possible, so if the name/student number of the student is not necessary, do not use it.

Use of network

Contact details of people you use in your professional life (e.g. colleagues, students and collaboration partners) may continue to be used as long as you have an active relationship with these people. If the relationship does not exist or no longer exists or if you want to approach them for a purpose other than the original one (e.g. promotional purposes, marketing), you must ask permission to continue to approach them. You must also indicate why you are approaching them.

Retention of exams

Paper and digital exams must be preserved for two years and then destroyed.

Evaluations of courses

Evaluation of a teacher can be part of the evaluation of a course. Make good arrangements about access to these evaluations. Make sure that they are only accessible to close colleagues (e.g. the department) and do not share the evaluations with students or on the intranet.


If personal information is collected in a survey of students you supervise, please remember the following guidelines:

  • Check if you need approval from the Human Research Ethics Committee (
  • Make sure you have a legal basis for conducting the investigation. This will often be the consent of the person(s) involved. Check for more information about "informed consent" (including templates).
  • Make sure that you inform the person(s) concerned clearly and transparently about what you are going to do with his or her personal data. Check for more information about "informed consent" (including templates).
  • Collect as little personal data as possible. Take special care when collecting special personal information, such as race, religion or health data.
  • Store personal data in a secure database, such as DANS.
  • Delete/anonymise personal data when you no longer need them.
  • When publishing, use anonymised personal data as much as possible.
  • Ensure that personal data is stored within the EU. Cloud applications such as Google and Dropbox store data outside the EU. If it is necessary to store data outside the EU, additional measures will have to be taken. Please contact the data steward of your faculty about this.
  • If you have any questions, please contact the data steward of your faculty.