University Personal Information Leak Stresses the Importance of Data Protection
The University of east Anglia accidentally sent an email to hundreds of people with highly sensitive information pertaining to over 40 students there, who were suffering from extenuating circumstances.
The types of circumstances extensions were given for include suicidal thoughts, sexual assault, bereavements and family illness. There were also some with anxiety, depression and more mental health issues.
Around 320 American Studies undergraduates received the email, and according to the Daily Mail, Megan Baynes, 23, an American literature with creative writing student, said the university’s action was ‘a total violation of trust’, adding that she is ‘angry beyond belief’.
The UEA has issued a formal apology since, and referred itself to the Information Commissioner. A UEA spokesman said: ‘This clearly should not have happened and the university apologises unreservedly.
‘The university has launched an urgent inquiry and is offering support to anyone affected.’
A similar occurrence already came up last week when the Free University of Brussels (ULB) was accused of being sexist after it asked its female students to wear low-cut dresses for graduation day.
On the matter of the UEA, Jon Belcher, Senior Solicitor at Blake Morgan, told Lawyer Monthly:
“The news that a university has mistakenly emailed hundreds of students intimate and sensitive personal information about dozens of fellow undergraduates serves us all with a reminder of the importance of keeping our data secure.
“This is a very serious incident where personal information contained in a spreadsheet, including very sensitive information about individuals’ health and family circumstances, was emailed in error by the University to more than 300 individuals.
“Under the Data Protection Act 1998, organisations are required to take appropriate measures against unauthorised or unlawful processing of personal data, and against accidental loss of personal data. We don’t know the precise details of what measures the University had taken, but it will now face difficult questions about how the information could have been emailed in error and why the spreadsheet itself was not protected.
“The cost to the University could be significant. As well as the obvious reputational damage, the Information Commissioner can issue monetary penalties of up to £500,000 for serious breaches of the DPA which are likely to cause substantial damage or distress, and she has done so previously where sensitive information was disclosed in circumstances similar to this incident. The individuals involved also have the right to apply to court for compensation if they have suffered damage or distress as a result of a breach of the DPA.
“From 25th May 2018, the General Data Protection Regulation will largely replace the DPA, strengthening the data protection rules and leading to higher penalties for getting it wrong. Our data protection specialists have been working with public and private sector organisations to ensure that they are prepared for the introduction of the new legislation. As this latest incident proves, data protection is not an issue that any organisation can afford to ignore.”
