Eindhoven professor under fire for sending student data to OpenAI via tool he developed

A professor at Fontys University of Applied Sciences in Eindhoven encouraged colleagues to upload student data to the AI service ChatGPT using a tool he developed, raising privacy concerns under Dutch and European law, Omroep Brabant reported. The professor initially denied any misuse but later stated that only his personal student portfolio had been uploaded.

The professor, who teaches ICT and Software Engineering, created a tool to analyze and make student portfolios searchable. These portfolios contain detailed personal reflections, progress reports, and areas for improvement. He promoted the tool on LinkedIn two weeks ago as a “local AI tool” and invited colleagues to test it. In his posts, he wrote that he was “testing the tool in practice with real portfolios.”

However, the AI tool did not run locally as claimed but on servers operated by OpenAI, the company behind ChatGPT. On a website describing the tool’s development, the professor later admitted, “The tool now works with OpenAI. This is a problem for privacy.” He said he intended to adjust the setup, but his previous posts suggest that student information may already have been sent to OpenAI.

This is not the first privacy issue involving sensitive data and AI in Eindhoven. Last year, municipal employees uploaded data about vulnerable residents to an AI service, which could not be effectively deleted. Fontys itself faced a privacy breach in April 2022, when hundreds of sensitive files, including medical records, were accessible to unauthorized individuals.

Professor Johan Jeuring of Utrecht University, head of the National AI Education Lab, criticized the tool. “This does not sound good,” he told Omroep Brabant. “Using OpenAI for this application is simply not allowed. The GDPR forbids it. Sometimes I find GDPR rules overly strict, but not in this case. Portfolios are inherently personal documents, and no one knows what OpenAI does with this information now or in the future. You simply cannot trust OpenAI.”

Jeuring added that he assumes the professor acted with good intentions but emphasized that any AI experiments must comply with ethical standards and legal requirements. “A tool like this should run locally, not through OpenAI,” he said.

The professor told Omroep Brabant that the tool now operates “fully locally” and that OpenAI is no longer the default option, though users can still choose it manually. He also clarified that no student data had been uploaded, only his own portfolio. “I am also a student,” he told the newspaper.

Fontys confirmed that AI experiments are allowed but that uploading student data to OpenAI is prohibited. The university said it believes no real student information was uploaded and that only a “test portfolio, without personal data of actual students” was used. This conclusion relies solely on the professor’s declaration, as verification is impossible. “We trust him,” the school said.

A technical staff member at Fontys downplayed the risks, stating, “The danger of OpenAI is often exaggerated. OpenAI says they store files only briefly and then delete them. I have no reason to doubt that.”