There has been another data breach at UEA, with a staff member’s personal information mistakenly emailed to hundreds of students.

Some 300 postgraduate research students received an email which disclosed sensitive information about an individual’s health on Sunday afternoon. The email was sent to students in the social science department.

The incident is similar to a breach which affected hundreds of students in June. A spreadsheet containing the details of why students had been granted extenuating circumstances was accidentally sent to the entire Art, Media and American Studies school (AMA).

Concrete’s most recent front page reported 16 breaches of a similar nature to the June data leak occurred in the 2016 calendar year.

The university’s IT service said they had extracted the message from the accounts of everyone who had mistakenly received the email.

The latest breach follows the implementation of mandatory data protection training for staff and changes to the university’s emailing system in September.

Auto-completion for email recipients has been disabled and individuals are notified before sending an email to a shared mailbox or an address outside the university.

However, the students’ union said not enough is being done to reassure students their data is safe.

Jack Robinson, the Campaigns and Democracy Officer for the students’ union, said the SU would be taking further action on the issue of students’ data protection.

He said:  “Given the earlier revelations about data breaches of this nature last year, this latest incident is breathtaking and we’d be forgiven for not trusting what are starting to look like hollow reassurances.

“Students are rightly questioning whether their personal data is safe in UEA’s hands and we’ll be demanding action at the highest levels in coming days”

In a statement on the student Portal site, the university said that “other incidents” of data breaches had occurred after the June leak, including the most recent breach.

A UEA spokesperson said the university is conducting an urgent investigation into how Sunday’s leak occurred.

They said: “This was unintentional and clearly should not have happened, and the university apologise unreservedly. Steps were taken to immediately recall the message, and the University contacted the member of staff to apologise and offer support.

“We will make any changes necessary to the new data protection systems and training currently being rolled out to prevent incidents like this happening in the future.

 

“The university’s recently agreed data protection action plan is underway and we are working through a schedule of required changes. This includes the deletion of unnecessary group emailing lists and restricting access to group lists. The list involved in the recent data breach was scheduled to be decommissioned this week and deletion took place on Tuesday.”

The spokesperson said UEA will continue to review new data protection policies and training.

“This latest incident suggests we are making the correct changes but regretfully it is impossible to complete all of them simultaneously due to the scale of the task.

“The staff training package provides much helpful information but even following training, anyone sending emails must remain alert to their actions and the content of their emails. This will be achieved not just through a training package but through a cultural change in how personal data is identified and used at the University.”

The Information Commissioner’s Office (ICO) recently determined no further regulatory action was needed following the June breach. UEA did not face a fine for the June incident.

ICO’s decision was partially based on the preventive measures the university put in place after the breach.

Ellen Paterson, Information Policy and Compliance Manager said in a notice on the Portal: “Data Protection law will change in May 2018 and the new rules will affect everyone, but it’s about more than the law, it’s about maintaining people’s trust – and treating students’ and staffs’ personal data as carefully as if it were our own information.”

 

What do you think?