UEA in student data leak

The University of East Anglia (UEA) has admitted accidentally sending an email containing students' highly sensitive personal information to 298 American Studies undergraduates.  The email in question attached a spreadsheet which contained "extenuating circumstances" justifying extensions for work and other academic concessions.  These are understood to include details of illnesses, bereavements and other personal matters.

The UEA Vice-Chancellor Professor David Richardson said, "This clearly should not have happened and the university apologises unreservedly.  The university has launched an urgent enquiry and is contacting all affected students to offer support".  Professor Richardson said the UEA is referring the matter to the Information Commissioner's Office (ICO).

In addition to any regulatory action taken by the ICO, the UEA faces the prospect of individual claims for compensation from the individuals affected pursuant to the Data Protection Act 1998 and/or for the misuse of private information/breach of confidence.

In a statement on the UEA Student Union's website, Undergraduate Education Officer Theo Antoniou Phillips said:-

“This is a shocking and utterly unacceptable data breach that should never have happened. There are questions that the University needs to answer both about this case itself and the antiquated underpinning systems in the Hubs that result in cases like this being logged on rudimentary excel files in the first place. It is particularly galling given that students are required to divulge sensitive information to have an EC upheld, so the least the University can do is keep their data safe. In this case UEA’s ‘do it on the cheap until it goes wrong’ approach will have had devastating results for the students concerned and has to change.”

The data leak is the latest in a series of highly-publicised damaging email blunders.  The Chelsea and Westminster NHS Foundation Trust was fined £180,000 by the ICO in May 2016 after its 56 Dean Street sexual health clinic sent an email newsletter to 781 patients receiving HIV treatment, disclosing their identities to each other (see our blog piece here).  Earlier this year, the Independent Inquiry into Child Sexual Abuse (‘IICSA’) referred itself to the ICO after accidentally disclosing the identities of 90 victims of sexual abuse who had signed up via its website (see our blog piece here).

Click here if you require more information on how Brett Wilson LLP privacy solicitors can assist you if your privacy has been breached.