‘Mind-boggling’ - UEA students’ outrage over regulator’s decision on data leak
PUBLISHED: 11:00 13 October 2017 | UPDATED: 17:03 13 October 2017
Archant Norfolk 2016
The University of East Anglia (UEA) will face no further action after it mistakenly emailed sensitive personal information to hundreds of students.
The Information Commissioner’s Office (ICO) has said that no regulatory action was needed.
UEA students affected by the data leak have expressed their outrage over this decision.
One student involved in the leak, who wished to remain anonymous, described the decision as “mind-boggling”.
She said: “It implies UEA didn’t do anything wrong, or that they didn’t do enough wrong, and what message does that send out?
“I’ve filed a complaint against the university but it’s been radio silence for months while they sort it, despite promises it would be over by September.”
She added: “The breach was awful. I was at work and immediately left and called my dad and cried.
“I felt like I was on show. Despite the University claiming people hadn’t seen it, I found out because a friend had read [the email] and seen my name.
“To imply they didn’t do anything wrong is ridiculous.”
Sophie Atherton, 22, a third-year American studies (AMA) student, whose information was leaked in the mass email, said: “I didn’t realise the full extent of the breach until a few days later.
“It was horrendous what they’d divulged to the whole of AMA.”
She described the ICO decision as “disappointing and disheartening”.
Miss Atherton said she is considering legal action against UEA, and that the incident had tainted her experience of university.
She added: “I just hope it never happens again.”
UEA students’ union welfare officer, India Edwards, said: “Although the University has now put in place an action plan, this will be of little comfort to those who were affected.
“Real questions remain about the wider culture of personal data security at the university.
“Why are highly personal details being cobbled together on Excel sheets in the first place?”
A spokesperson for the ICO said: “After considering the facts in this case we found the breach didn’t meet all the requirements for the ICO to take regulatory action.
“However, we have issued the University of East Anglia with advice to assist it in improving its future compliance with the law.”
The data leak occurred in June this year, when a member of staff at the UEA mistakenly emailed a spreadsheet containing sensitive personal information to hundreds of students.
The University of East Anglia have published a report on the incident on their website.
A spokesperson said: “The university fully accepts the Information Commissioner’s Office findings.
“We have apologised to the students directly affected and following the data breach in June an action plan was quickly put in place to reduce the risk of such an event happening again.”
The action plan outlines a number of steps the university has taken to improve data protection. These include: all staff completing data protection training; password protection of sensitive documents; and changes being made to UEA’s email system to restrict the use of the autocomplete function and the sending of mass emails.