Date: 2017-10-13

UEA will face no further action for mistakenly emailing students’ sensitive personal information to their classmates.

In June, some 300 students received an email with a spreadsheet identifying students affected by sensitive issues like bereavement, mental illness, and health problems.

The Information Commissioner’s Office (ICO), the public body with the power to issue fines for serious data breaches, said they will not be pursuing regulatory action.

Sophie Atherton, a third-year American Studies student affected by the breach, told Concrete she was unhappy with the outcome.

She said: “It’s disappointing, it’s almost as if they’re completely getting away with it.

“They’re being advised on what they can do to prevent it again but it doesn’t actually give any students support who were affected by the breach which is the main problem.”

She described the breach as casting a shadow over her summer. “I’ve come back and now it’s sweeping into my third year”, she said.

A spokesperson for the ICO told the BBC: “After considering the facts in this case we found the breach didn’t meet all the requirements for the ICO to take regulatory action.

“However, we have issued the University of East Anglia with advice to assist it in improving its future compliance with the law.”

The university has said they are following recommendations made by UEA’s auditors, who investigated the breach over the summer.

Ms Atherton called these recommendations “too little too late”.

“I had a look at the recommendations and felt it wasn’t anything new.

“I know staff have had more data training and that’s fantastic and it seems like they are taking it seriously, but if that was in place this time last year then it would have never happened in the first place”, she said.

The university has published a statement on the ICO outcome.

They said action was not taken “given the facts of the case and the remedial measures that have already been taken by the University, which the ICO expects to be implemented University-wide, to prevent any recurrence.”

Concrete understands the ICO informed the university that further incidents could result in enforcement action, including fines.

Welfare, Community and Diversity SU officer India Edwards told Concrete: “Although the University has now put in place an action plan, this will be of little comfort to the students who were affected.

“And real questions remain about the wider culture of personal data security across the University – how did this happen, have there been other data breaches that UEA should have learned from, and why are highly personal details being cobbled together on Excel sheets in the first place?”

A report, published on the Portal service, outlines steps “to minimise the risk of a recurrence and to improve the handling of personal data more generally.”

Changes include notifications from the university email system before an individual sends an email to a group mailing list or an address outside the university.

When interviewed by Concrete in September, Vice Chancellor Prof David Richardson said mandatory data protection training for staff was introduced over the summer.

He said: “It’s going to require all of our staff who handle sensitive data, and that is a lot of them, actually change some of their operational practices, because we can’t let this happen again.

“I don’t want this to happen again – there’s never any certainty in life but we are doing everything in our power to make sure this doesn’t happen again.”

UEA were contacted for comment.