University of East Anglia not punished over data breach

[Image: UEA campus. Caption: The University of East Anglia emailed sensitive personal information about students to nearly 300 undergraduates. Image copyright: N Chadwick]

A university that mistakenly emailed sensitive personal information about students to hundreds of undergraduates will face no further action.

Details of health problems, family bereavements and personal issues were sent by the University of East Anglia (UEA) in Norwich to 298 students.

The Information Commissioner’s Office said no regulatory action was needed.

The UEA said it had asked auditors how to prevent similar breaches and was now following their recommendations.

The offending email, sent in June to all American Studies students, contained personal data relating to 191 undergraduates.

It listed extenuating circumstances in which essay extensions and other concessions were granted.

[Image caption: A second email was sent out after the error was discovered]

Sophie Atherton, 22, a third-year American Studies student whose data was leaked, said: “It was devastating, actually. I was travelling back on the train and I just burst into tears.

“It felt like my life was on show for my entire department to see.”

She said it was “disappointing, to say the least” that no further action was being taken.

Ms Atherton said she was having counselling and considering legal action against the university.

The Information Commissioner’s Office (ICO), which investigates data breaches and can fine serious offenders, said: “After considering the facts in this case we found the breach didn’t meet all the requirements for the ICO to take regulatory action.

“However, we have issued the University of East Anglia with advice to assist it in improving its future compliance with the law.”

The UEA has yet to respond to a request for comment, but published a report into the data breach on its website.

It claimed its response to contain the damage had been “timely and appropriate”, and that it had since introduced mandatory data protection training and tightened up procedures.
