UEA has paid student victims of data leaks more than £140,000 in compensation over the past five years. In comparison the universities of Bristol, Durham, Exeter, Warwick and York have all paid out £0 over the same time period. A Freedom of Information request by Concrete discovered while UEA itself has not directly paid data leak victims in the past five years, its insurers have paid out a total of £142,512.16.

UEA has had close to 20 data leaks in the past five years, which have affected hundreds of students. The largest, in early 2017, saw hundreds of American Studies students receive sensitive information detailing the reasons why individual students were granted extenuating circumstances. 

Ian Callaghan, the chief resource officer and university secretary at UEA, told Concrete: “This figure [£142,512.16] relates entirely to a single breach in June 2017, which involved personal data being sent in error to a student group email address. This was paid in full by the university’s insurers on UEA’s behalf.

“We immediately informed the Information Commissioner as soon as we were aware of the breach and put support in place for all affected students.

“Since this incident we’ve reassessed a number of information security measures, including holding a full review of all data on UEA hard and shared drives, introducing mandatory data protection training and refresher training for all staff (whether permanent or temporary) and reviewing access to group email accounts and redacting this access in cases where it was deemed unnecessary.

“We take data protection very seriously and, with help from the new General Data Protection Regulations (GDPR), we have made great strides as a workforce in raising the awareness of the importance of good data management.”

However, since the American Studies leak in early 2017 there have been two further leaks. Later in the same year around 300 social science students received an email that divulged sensitive information regarding a staff member’s health. In a statement, the then SU Campaigns and Democracy officer Jack Robinson called the breach “breathtaking”. 

He added: “Students are rightly questioning whether their personal data is safe in UEA’s hands and we’ll be demanding action at the highest levels in coming days.”

Additionally, only three months ago a UEA lecturer mistakenly sent sensitive data about a student’s failed master’s dissertation to hundreds of their peers. The data included wide-ranging and specific feedback on the dissertation as well as personal information about the student. Concrete was unable to contact the victim, and it is unknown whether they will seek compensation from the university.

A poll by Concrete found that 66% of students do not trust UEA to keep their confidential data private. 

A former student who had their personal details disclosed in the American Studies leak of early 2017 told Concrete “to have my personal information shared was hugely violating”. The student was off campus at the time of the leak and only found out when her friend saw the leaked email and messaged her about it.

The student said: “After it happened, on the advice of the SU I submitted an academic complaint – they were actually really helpful as I didn’t know the process at all. This got forwarded to UEA’s lawyers and I eventually received a payout offer of £1,100 in November [2017]. At the time it felt like ages but in hindsight it was only a few months. I think it felt like longer because there was such a lack of communication from the university.”

She added that the amount of compensation students received was relative to how severe the data was that was leaked about them, and that others had received more than she did.

When Concrete asked Uea(su) whether students today can trust the university to protect their confidential data, a spokesperson responded: “The SU understands how hurtful it can be for students to have their data leaked and following [a] leak in 2015 we lobbied the university to improve its processes. 

“We know the university has worked hard to improve their systems and put new processes in place to prevent this from happening again, and they are in a much better place now. We will continue to work with them to make sure this situation doesn’t happen again. If it does the Union will be there to support the students and hold the University to account.”