Privacy & copyrights

Version: 5/5/2020

Howest attaches great importance to your privacy. Therefore, we only process personal data that is required for our operations and in order to be able to offer you the best possible service. We handle the information we have collected about you with the utmost care.

The present privacy statement describes what information we collect about you, for what purpose this information is used and with whom and under what conditions this information may be shared with third parties. We also explain in which way we store your data and how we protect your data against possible misuse and what rights you have with respect to your personal data.

We collect and process personal data of data subjects involved. By data subjects we understand:

  • Students
  • Staff members, lecturers, guest lecturers, research staff, job students, volunteers
  • Applicants (free applications or in response to a Howest job offer)
  • Contractor personnel supplying specific services (e.g. catering)
  • External service providers (e.g. maintenance of software packages we use)
  • (potential) candidate-students
  • Participants/visitors to events, congresses, contact days, info days, assignments as service to organizations, fairs, …
  • External contacts (e.g. teachers or other staff members of secondary education, (potential) work placement companies, (potential) suppliers, (potential) speakers, press contacts, work field committees)
  • Ex-students (alumni)
  • Ex-staff members, formers lecturers, formers guest lecturers, former research staff members
  • Visitors to our website(s)
  • Etc.

In case you should have any questions about our privacy policy, please contact our privacy contact. The contact details can be found in the “Contact” section of the present document.

Contact

The data controller is Howest, with registered office in 8500 Kortrijk, Marksesteenweg 58 and phone number +32 56 241290. Our other addresses and phone numbers can be found on our website https://www.howest.be. Please do not hesitate to contact us for all your questions regarding this privacy statement. The Howest Data Protection Officer can best be contacted by email: privacy@howest.be.

What is personal data and what does processing mean?

Personal data includes all information about an identified or identifiable natural person ("data subject"); with your name or national registry number, we know immediately (directly) who you are, but a combination of your address, age and gender (indirectly) also allows us or another party to recognize you to a certain extent. So, personal data is all data that can be linked to you in one way or another, such as e-mail address, telephone number or even IP address (the internet address of your computer).

Processing of personal data means any operation such as collection, recording, storage, consultation, use, update, transmission, provision, deletion, ...

Which personal data do we process and for what purpose?

Howest ensures that the processing of personal data is limited to the intended purpose(s). Howest processes personal data in order to achieve these purposes.

Education and research matters

This concerns the registration, the management, the optimization and the control with regard to: 

  • Student administration (including enrolment, de-enrolment, communication of results, student file, study credits, learning account, diploma, publication diploma booklet, study tracks, study grants, invoicing, student council, school accidents, educational leave, rental contracts, lost diplomas, registration of decease)
  • Educational logistics (this includes class rooms, schedules)
  • Organization of study programmes (this includes student follow-up system, registration of attendance, registration of participation in evaluation, division into groups, follow-up, coaching, evaluation including the possibility of appeal, monitoring, mentoring, deliberation, educational field trips, recording and distribution of some lessons, entry test, plagiarism detection)
  • Organization of work placements and projects (this includes work placement fair, work placement companies/locations, work placement reports)
  • Work field contacts (this includes the organization of seminaries and other contacts with the work field, services, start-ups)
  • Research files (this includes the creation of a file, sending the file to partners and the granting authorities, user group)
  • Surveys in the framework of research
  • Library (including archiving and making bachelor papers available to students)
  • Organization of internationalization (this includes follow-up, mobility file)
  • Outflow guidance

Some classes are recorded in view of making these available to students (including other student groups) online afterwards. The students are informed about these recordings and in principle never appear on screen. If questions are asked, the student can ask to stop the recording. In certain cases, the choice can be made to have a student appear on screen, with the student's permission, e.g. during practical tests. It can also happen that a student, as part of coaching or evaluation, makes a video and passes it on to the lecturer. In case the lecturer should want to use such a video for a purpose other than coaching or evaluation of the student involved and also wants to show the video to other students, he will only be allowed to do so with the permission of the student involved.

In some evaluations via online systems, Howest may require that these evaluations be monitored via a specific tool and technology. In order to have the exam or other evaluation take place in a fair and correct way, we are forced to check the identity in the first place. This identity verification is also effected in the case of a classical examination, as stipulated in the OER (Education and Examination Regulations), whereby the student must at all times be able to prove his or her identity to the examiner or supervisor by means of the student card or identity card. As it now concerns a digital examination, this identification is effected by means of a camera.  As part of the registration procedure, a Howest staff member can manually verify the identity of the student after the exam on the basis of the photo on the student card.

In view of possible fraud, other elements can be recorded, such as the IP address, the time and duration of use of the tool (sometimes broken down by question/answer), the login details, the screen content.

During the exam, the camera can be used to make audio, video and photo recordings of both the screen and the student (and his environment) in order to check for irregularities. Irregularities can be detected in the recordings so that these can be verified manually in case of a possible irregularity. The recordings are only used in view of detecting possible irregularities (and infringements against the OER). 

Some tools used in online exams also detect which software is running on your computer to ensure that no fraud can be committed. These tools report the detected software and refuse to boot. However, the information related to the detected software is not forwarded in these cases.
At the enrolment of students, the electronic identity card is read in order to ensure the accuracy of the data in our student administration system. This is necessary, among other things, for the link with the Databank Hoger Onderwijs, the Higher Education Database (DHO) of the Flemish Government, and in order to be able to draw up correct credit certificates and diplomas.

In some cases, a number of social data is also collected at the time of enrolment. As far as possible, these data are further processed through anonymization or pseudonymization in view of the justified importance for the promotion of educational and career opportunities. Data related to migration background is also processed in a similar way, but on the legal basis of consent.

For surveys, an “informed consent” is always required, in which the necessary arrangements are laid down.

The legal grounds for the processing operations in this category of education and research are mainly our obligations regarding the agreement to provide education and the legal obligations imposed on an educational institution. The outflow guidance too is part of the obligations concerning the agreement to provide education. A small number of processing operations are based on consent or specific agreement (e.g. voluntary participation in a student event or in a survey). Contacts with the work field come under the scope of legitimate interest. 

Personnel matters

These pertain to the registration, management, optimization and control in relation to:  

  • Personnel (this includes personnel file, recruitment, dismissal and resignation, temporary contracts, contracts with guest lecturers, applicants, volunteers, internal jobbing students, internal trainees, payroll administration, other allowances, contact details in case of an emergency)
  • Career (this includes leave, sickness, overtime, appointments, retirements, decease, career break, cumulative activities, debt mediation and seizure of wages, time registration, work planning follow-up) 
  • The well-being and functioning of our employees (this includes employee evaluations, employee training and competencies, medical examinations, work-related accidents, ergonomics, campaigns in view of improving organization or well-being, organization of awareness-raising campaigns, team events)
  • Miscellaneous (this includes company vehicles, season tickets for public transport, insurances, administrators and shareholders, communication of new recruitments through an internal company channel)

The legal grounds for these processing operations mainly concern our obligations with regard to the employment contract and our legal obligations. A small number of processing operations are based on consent or on a specific agreement (e.g. voluntary participation in a staff event).

Management

This pertains to the registration, management, optimization and control in relation to: 

  • Marketing (this includes collecting data relating to potential students for marketing purposes, collecting data relating to the parents of these students, visual material, sending mailings or newsletters, managing press contacts, sending press releases, sending and following up social media messages, organizing events for target groups)
  • Quality assurance or other optimization objectives (this includes inflow and outflow surveys, other surveys, module surveys, analytics of the use of the learning platform)
  • IT (this includes accounts and authorizations in various systems that are necessary for the data subject, print management, laptops, telephones and associated subscriptions, monitoring of the systems, quotas, licenses, privileged accounts, communication tools)
  • Alumni (this includes keeping the data up to date, invitations to events and follow-up training programmes)
  • Building (this includes badges, keys, alarm codes, camera surveillance, maintenance and notifications, lockers, registration of visitors, reservation of parking space, rental of classes and premises)
  • Miscellaneous (this includes questions for the ombudsman, registration and disbursement of expenses, budget management, approval and control of purchases, accounting, archiving, applications from data subjects in the scope of the processing of personal data, psychosocial and social services)

The creation and use of visual material with recognizable persons is always subject to the law; so, with the knowledge and consent of the data subject.
Monitoring of the IT systems is subject to legitimate interest and aims to be able to further ensure the proper functioning of the systems whereby anomalies in use are analysed, in view of the security and compliance with Fair Use Policy of Howest IT.

Video conference communication tools, such as Microsoft Teams, are used for communication purposes. If the purpose requires so (e.g. in case of evaluations in order to be able to review the evaluation afterwards for further evaluation or detection of fraud or possibility of appeal) these conversations can also be recorded by one of the participants. In the event of chat tools, such as LiveZilla, the chats are stored by default, thus allowing Howest subsequently to identify improvement actions within the framework of quality assurance in order to improve the service. The standard communication tools to be used are mentioned in the Fair Use Policy of Howest IT. Other tools can only be used after successful screening.

Marketing data is collected through the organization of or participation in specific events (e.g. SID-ins, Knappe Koppen, open teaching days, congresses, fairs). Marketing actions are always subject to the legislation in force, and therefore (depending on the specific context) on the basis of consent or on the basis of legitimate interest. 

The analytics of the use of the learning platform and other specific platforms are only used for quality assurance purposes and are not used for the evaluation of the student.

Quality assurance also includes the archiving (and in specific cases the aggregating) of personal data in view of the long-term quality monitoring.
Alumni, quality assurance and a large part of the IT and various processing operations are effected in the scope of legitimate interest.

Websites

This pertains to:

  • Processing contact forms (e.g. request for information, event registration)
  • Processing of student registrations, provisional or other (including reading of e-id data)
  • Processing cookies (see our specific cookie policy https://www.howest.be/nl/cookies) 
  • Collection and processing of data in view of the protection of our website(s) and guarantee of proper functioning

The major part of the information is available through the websites without the need to ask for or collect your personal data. Some personal information, such as cookies, is used for the compilation of our user statistics and for the protection and improvement of our websites. More information on this subject can be found in our cookie policy. The legal ground for this processing is consent (for most cookies) or necessary for the provision of the requested service (in the other specific cases).

Contact forms always mention their specific purpose. Often, it concerns marketing, information, contact or registration (training or event). Cookie processing is usually subject  to consent, but this is further elaborated in the cookie policy. Protection and guaranteeing the proper functioning of websites is carried out with legitimate interest. 

The agreement for the training programme constitutes the legal ground for the websites that are part of the learning environment. 
Howest also holds the responsibility for a number of specific websites, e.g. for specific projects within the training programme. These specific websites have their own privacy statement and may refer to the present privacy statement as far as some general information is concerned. 

Special categories of personal data

Within GDPR (General Data Protection Regulation), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016), articles 9 and 10, a number of special categories of personal date are defined as data related to race or ethnic origin, politic opinions, religious or philosophical convictions, the membership of a trade union, genetic information, biometric information in view of the unique identification of a person, health, sexual behaviour or sexual orientation, criminal convictions and criminal offences.

Howest only processes this data in the following exceptional circumstances:

  • Biometric information in view of the unique identification will not be processed. Sometimes, online evaluations do use a (web) camera, but in this case there is no processing in view of identification; so, this cannot be considered as processing within this special category of personal data. The same applies to the passport photos of the students. Here, there is no processing in view of identification either.
  • Data regarding the health of students are processed as part of talent coaching and student services (amongst others, granting facilities) with the explicit consent of the data subject. Moreover, this data is only accessible for those staff members who need the information.
  • Regarding health, there is also the processing in order to register absences of students and staff members, work-related accidents and school accidents. Moreover, some specific diseases and allergies can also be minimally registered in view of prevention (at work, during courses, during events).
  • The Flemish legislation requires an extract from the criminal records at the recruitment of officials to prove that the applicant has a blank criminal record. The request for this extract is therefore restricted to this specific objective.

Automated decision-making

In some cases, Howest uses automated individual decision-making, whereby an assessment is automatically executed which subsequently results into granting a score (marks). In these cases, the legal basis consists pf the fact that this is necessary for the execution of an agreement between Howest and the data subject. In any case, the student always has the right to request a human intervention.

Howest does not carry out profiling in any way.

In those cases where an automated tool is used for the detection of a possible anomaly at an online examination, this is merely a tool that indicates which parts of an online examination must be checked by means of human intervention.

Who has access to this personal data?

Access control

Howest is the controller. This means that we decide which data we collect and to what purpose. In legal terms, we determine the purpose of the processing. But this does not mean that every Howest staff member has access to everything. Your personal data will only be available to the services and the staff members who need this for their work. A large part of the IT access control is also logged in view of inspection regarding the compliance of the Howest IT Fair Use Policy.

For some services (e.g. IT, social secretariat, marketing, catering) we work together with specialized partners. During these interventions these partners can have access to your data, but they always act according to our guidelines laid down in a contract which guarantees that they apply the same high privacy standards. They cannot use the personal data for another purpose. Sometimes Howest is not the only controller. This is e.g. the case for the organization of events with external partners or for some cooperation formats with social media platforms. 

Transfers of personal data

We also exchange personal data with a number of governments and organizations. Nevertheless, we never merely give your personal data to third parties. We only do so provided there is a legal ground. 

Social media messages are posted on the respective platforms (this also includes Facebook, Twitter, LinkedIn, Flikr, YouTube, Instagram, Snapchat, Eventbrite). In view of the optimization of these social media messages, there is a cooperation with an external party which further processes these posts. This external party is processor by order of Howest and only uses this data within the scope of the assignment with Howest.

Howest appeals to the (marketing) services of third parties, such as Facebook, to be able to address a specific target group via social media. This can be effected by means of Facebook look-a-like audiences whereby Howest transmits (relevant) data of students to Facebook with the aim that Facebook shows an advertisement to profiles which are similar to the profiles of the students that we have entered as input. Facebook offers a number of guarantees in the field of these transfers (amongst others pseudonymisation via hashing). The actual presentation of the advertisement comes under the Facebook liability and privacy statement. The legal basis for this transfer by Howest is consent (provided cookies are transferred) or justified interest (if no cookies are transferred and if it concerns students who are enrolled in a Howest study programme).

In view of filling in job applications, Howest also uses personal data obtained via LinkedIn Recruiter. The legal ground for this transfer completely lies with LinkedIn.

Because of legal obligations, there is also a data transfer with the Databank Hoger Onderwijs (DHO) managed by AHOVOKS. Howest sends all information regarding enrolment and results to the databank and can consult the databank in the framework of personal data and previous studies. AHOVOKS is a Flemish government agency. 

Results of students are shared with their secondary schools in view of their quality care. This transfer is effected on the basis of legitimate interest and can be managed by the student himself/herself via iBamaFlex.

For international exchange students, some specific personal data must be transmitted to the guest institution (name, sex, email address, date of birth, nationality, study programme). This is the information that is collected in the Learning Agreement. Other information (such as study results and language knowledge) is given to the guest institution by the student himself/herself. Often, Howest also has to nominate online with the guest institution, whereby the same basic information is asked, including, if the occasion arises, a mobile phone number and address. The guest institution will inform Howest about the study results and work placements. Depending on the financing of these exchange programmes, an exchange of personal data (name, sex, email address, address, date of birth, nationality, university of applied sciences/university of the destination, scholarship information, credits obtained) also takes place with EPOS (this is the agency for the Erasmus+ programme in Flanders) and the European Commission for Erasmus-related study programmes. If, for this exchange, a financing request is submitted to the Flemish government, the national registry number, the name and the study programme are also transmitted to the Flemish government (VLUHR).

‘Moveon’ is the software/database in which we store all personal data of the students who enrol for, long-term and short-term, individual international mobility. The students enrol themselves.  International incoming students who want to take an exchange programme at Howest also must enrol here and enter personal data.

For work placement in companies the necessary information is transmitted to the company. Afterwards, the company informs Howest about the progress of the work placement. For work placement in international companies, the exact same information, as mentioned above for exchange students, is transmitted to the work placement company in the Learning Agreement for Traineeship.

For the organization of events, Howest will transmit the necessary personal data to other parties involved in the organization of this event. The legal basis here is the original entry to participate in the event (agreement or consent).

In view of offering the appropriate software licences to Howest students and staff members, Howest has an Academic Software cooperation with Signpost. To be able to offer this service, Howest must transmit the appropriate information to Signpost.

Howest uses Office 365 and Google Drive. A part of the personal data (also email) is therefore stored on these platforms. There are also a number of more specific cloud platforms, such as e.g. for the learning environment (Canvas software managed by Instructure), for video recordings of courses (Panopto managed by Panopto), for user information and recordings at online exams (Respondus Lockdown Browser and Respondus Monitor software managed by Respondus), for chats (LiveZilla managed by LiveZilla), for repositories with software code (GitHub ClassRoom within GitHub Education managed by GitHub), for several virtual machines (Azure managed by Microsoft), for plagiarism detection (several partners). Howest entered into contracts with all these parties which offer the appropriate guarantees in the field of data protection and information security.

Eduroam means education roaming. It is a system which allows Howest students and staff members to use the WiFi infrastructure of other organizations that are affiliated to Eduroam. In addition, it is also used within Howest to give European students or staff members of European educational institutions in a safe and fast way access to the internet.

For legal obligations, there are also information transfers in relation to amongst others the governmental services Dimona (entry into service and leaving service with the RSZ), Capelo (retirement pensions), tax authorities, inquiries in the scope of judicial investigations.

The receivers referred to can be situated in locations outside the European Economic Area (EEA). In this case, the protection of your data is guaranteed as it is situated in countries which have an adequacy decision from the European Commission, or as the receivers are situated in the United States of America and have acceded the EU/US Privacy Shield or because appropriate contractual provisions have been entered into with these receivers.

The legal grounds for these transfers are legal obligations, necessary for the agreement or  legitimate interest. The marketing-related transfers come under the legitimate interest.

The security and storage period of personal data

Howest never stores the personal data longer than the time required. For a number of the mentioned processing operations, there is a legal minimum term which is respected.

The storage period of cookies is described in the cookie policy. 

In principle, personal data of students are stored as long as they has a relation with the university of applied sciences or on the basis of a legal ground with accompanied purpose. Official reports including student information (name, first name, place of birth, date of birth and obtained results) are stored for 50 years. The student files of the graduated students are also stored for the same period. This file contains all the student information. The objective is to allow that (former) students can apply for an extract for a very long period after graduation (mostly around the time of their retirement date).
Personal data entered at an online registering is stored during a term of 5 years. Paper files are stored until 1 year after unsubscribing and are then destroyed.

Personal data of staff members are stored as long as they have a relation with Howest, to the exception of this data for which the staff member himself/herself has given permission for a longer storage period and to the exception of this information which should be stored for a longer period on a legal basis. 

Personal data of third parties (co-contractors) are stored for the period that is required for the execution of the contractual agreements entered into.
Personal data of participants to a survey and/or inquiry are stored in accordance with the period indicated in the “informed consent” granted in advance, if applicable.  

Personal data processed on the occasion of an event registration are stored during the period allowed by the data subject. As this information is also often used for an invitation to a sequel event, this period mostly amounts to 3 years.

For a number of specific cloud platforms (e.g. Respondus) the storage term is determined by the cloud platform. For Respondus it amounts to 1 year. For the other platforms it is determined by the purpose for which the data is processed. In order to allow possibilities of appeal on the occasion of evaluations, these storage periods mostly amount to 1 year.

Information protection is a necessary condition for the protection of personal data.  Therefore, Howest provides for appropriate technical and organizational measures to guarantee the confidentiality, integrity and availability of personal data and to secure these against any form of loss or unlawful processing.

Howest has elaborated an information protection and privacy policy, based on the internationally recognized standard for information protection ISO/IEC 27001 and consisting of more general and more practical guidelines. This policy is edited and updated on a regular basis.  In addition, on the basis of risk analyses, controls and audits are executed on selected applications or processing operations. 
In this policy document, Howest pays the necessary attention to general principles such as:

  • Transparency
  • Purpose limitation
  • Legitimacy
  • Necessity
  • Integrity
  • Storage limitation
  • Data protection by design
  • Accountability obligation
  • Contractual agreements

Furthermore, Howest organizes awareness-raising campaigns so that the rules described in this information security and privacy policy are actively communicated.
 

Rights of data subjects in the framework of personal data processing

Which rights do you have in the framework of the processing of the personal data?

Depending on the purpose and the legal ground  on the basis of which Howest processes personal data, the data subjects involved can exercise the following rights:

  • The right to ask which personal data is processed and in case this data should not have been given directly to Howest, ask for information about the source of this data;
  • The right to ask to correct data when it is false;
  • The right to ask ‘to be forgotten’ provided a number of conditions has been complied with;
  • The right to ask to supply specific information which the data subject can transfer to another organization;
  • The right to file objection against the processing of personal data in the framework of completely automated processing operations, against legitimate interest and against marketing;
  • The right to limitation of data processing can be invoked when the processing is not legitimate, or in anticipation of a decision regarding the right to correction or the right to objection.

How can you exercise these rights as data subject?

To appeal to these rights, you can contact us to exercise your rights, accompanied by a motivation for your request. To obtain certainty about the justification of a request or the identity of an applicant, Howest may ask for additional information. Howest reserves the right, for duly justified reasons, not to respond to a request. This is e.g. the case when a request is apparently unfounded or undue.

To exercise these reasons, but also for further questions about the several rights and obligations in the field of data protection, or if you think that your personal data is processed in an unjustified and/or incorrect way by Howest, you can contact the Data Protection Officer of Howest via privacy@howest.be. Other contact information can be found in the section “Contact”.

When you are of the opinion that insufficient response has been given to a request or complaint, you can, depending on the context, address to the Vlaamse Toezichtcommissie or the federal data protection authority Federale Gegevensbeschermingsautoriteit:

Vlaamse Toezichtcommissie
Koning Albert II-laan 15, 1210 Brussel
Tel +32 (0)2 553 50 47
Website: https://overheid.vlaanderen.be/vlaamse-toezichtcommissie
Email: contact@toezichtcommissie.be

Gegevensbeschermingsautoriteit
Drukpersstraat 35, 1000 Brussel
Tel +32 (0)2 274 48 00
Website: https://www.gegevensbeschermingsautoriteit.be
Email: contact@apd-gba.be

Remaining rules, remaining privacy declarations

This document does not include all applicable rules in relation to personal data processing. There are also a number of other documents:

  • Howest Onderwijs- en examenreglement (OER)
  • Howest IT Fair Use Policy 
  • Howest data protection and privacy policy

Because of their specific character, the Student services and Talent Coaching departments have extra privacy declarations, so that the students involved who rely on these services, obtain clear and completely relevant information. 

For some services that are completely independent of the processing by Howest, there are specific websites with a specific privacy declaration.
 

Wijzigingen aan de privacyverklaring

Our services are constantly subject to changes. Therefore, the present privacy declaration can be updated from time to time so as to reflect changes in the way in which we work or in legislation. So, you can check this every time you transfer personal data to us. The date of the latest updates will always be mentioned in the title of this privacy declaration. 

In case important amendments are made to the Privacy Declaration, for instance amendments which have an effect on the way in which we want to use your personal data, we will communicate this this in a more direct way (including, for some services, notification of amendments in the privacy declaration by email).
 

Opleiding / Dienst