Explanations on regulations governing student data

These regulations set out the principles which govern the handling of data of applicants for study places, students and former ETH Zurich students at all levels.

The regulations governing student data (only in German) address the handling of data accrued in the context of teaching operations. This data may, for example, serve the application and admissions processes, the issuing of academic titles or planning and statistics.

The regulations governing student data do not address the handling of data arising in the context of actual teaching, e.g. verifications of academic achievement.

The following questions will be answered:

Who may handle the data?
What data are addressed by the new regulations?
How is data security regulated?
How and where may the affected data be stored?
How are access rights regulated?
Who may pass on what data?
How is the archiving/storage of data regulated?

Who may handle the data?

Article 4, Para. 5
Lecturers and Assistants may handle the data of students in connection with the course units they oversee.

Clarification

Art. 4 sets out who has the right to handle the data of applicants and students, and to what extent. In principle the right to handle data exists in each case within the framework of the corresponding tasks.
Lecturers utilise student data in connection with course units. Examples:
- Access to personal data as far as required to fulfil the teaching task
- Grading
- Semester performance and continuous performance assessment results
Lecturers may designate proxies in eDoz. The designated proxies also gain access to the relevant student data and must adhere equally to the data protection and data security rules.

What data are addressed by the new regulations?

Article 5, Para. 1

Clarification

Art. 5, Para. 1 lists the categories of applicant and student data which may be handled. These categories comprise personal details, personal identification data, application and registration data, details of the personal situation and further data. The regulations cite examples in each of these data categories.

How is data security regulated?

Article 6

Clarification

The provisions set out how the data of applicants and students should be protected from unauthorised access.

Student data must be treated as confidential.

With lecturers’ access to data comes the obligation to adhere to Art. 6. How they guarantee data security is their own responsibility.

Superordinate regulations apply, such as the Directive on Information Security at ETH Zurich (RSETHZ 203.25).

It is essential that student data (e.g. lists of grades) not be allowed forwarding via self-organised cloud services such as private email accounts. Storage in the Microsoft Cloud or Google Suite is only permitted via the personal ETH account.

How and where may the affected data be stored?

Article 9, Para. 1b
1 Data storage must proceed in the following ways:
(…)
b. Further systems for teaching and teaching support run centrally by the Rectorate or auxiliary files managed centrally in the Rectorate (…).

Clarification

Art. 9, Para. 1 lists the various ways in which data should be stored. Examples are the central student information system and correspondence data in email directories.

How are access rights regulated?

Article 12, Para. 2 & 3
Art. 12 Access right
2 The following access restrictions apply:
(…)
b. Lecturers or their substitutes only have access to data relating to their course units; (…).

Clarification

Access to the data is granted to the authorised persons in each case to the extent necessary for the fulfilment of the tasks. The Head of Academic Services shall assign the appropriate user role to the authorised persons. In Art. 12 Para. 2, the access restrictions are also explicitly listed. Access to data outside the defined area is generally not possible.

Via eDoz, lecturers are granted access to the data they require for the implementation of academic support processes. Further data can alternatively be obtained via the Study Administration.

Who may pass on what data?

Article 14, Para. 1
Academic Services is in charge of the communication of student data to third parties. Academic Services may communicate data itself or authorise another ETH unit to do so.

Clarification

Under the Data Protection Act communication of personal data is only permitted under certain conditions.

Here admissibility may be affirmed, for example, in cases where a legal basis exists or the affected person gives their permission. Art. 14 sets out the legal basis for communicating certain data from the central student information system to third parties. Cognisance lies with Academic Services.

It follows that lecturers themselves may not pass any student data to “third parties”. The term “third parties” also includes students. This means that no lists of names or lists with student telephone numbers may (e.g.) be circulated for group work. The designated proxies listed in Art. 4, on the other hand, do not fall under “third parties”.

How is the archiving/storage of data regulated?

Article 22, Para. 2 & 3
²Decentrally stored data is offered to the ETH Zurich Archive at the latest ten years after the respective student leaves ETH. If the Archive does not accept the data it is deleted or destroyed.
³Exceptions, governed by special provisions, include accounting records and examination documents.

Clarification

Art. 22 regulates the archiving, deletion and destruction of data.

For details regarding examination documents, see Art. 23 of the Ordinance on Course Units and Performance Assessments at ETH Zurich (SR 414.135.1).

Legal bases

- external page Federal Act on Data Protection
- external page ETH Law