University email disclosed data of students with disabilities

University email disclosed data of students with disabilities

Summary: The University of Kent has admitted breaching data protection laws by disclosing disability information to other students, because someone didn't blind carbon copy the email.


An email popped up on my Outlook earlier yesterday which nearly threw me off my chair.

Before you ask, no it wasn't my disability, Tourette's syndrome, which does on occasion cause me to twitch so hard that I do fall off the aforementioned chair.

Considering it was only this week that a serious breach of university data came to light, you would have thought somebody in the university's registry office was reading the news.

The email discussed my exam arrangements for this summer's finals, whereby I would have my seating arrangements changed to accommodate my disability. You can't have someone shouting out the answers in the same exam hall as everyone else; much to everyone else's dismay.

Quite simply, they had sent this email to 615 students in my academic department at the University of Kent; the same email which points out their own exam arrangements due to their disability, and they hadn't used the blind carbon copy field (BCC:).

It's rather clear to anyone that I have a disability. For crying out loud, some of my friends have developed 'Zack radar'. They can hear me half way across campus, for goodness sakes.

But now I know the names of all the people in my academic department who have a disability.

Everyone who was copied into that email could see everyone else's name and email address; all of which are linked into the student directory system, shuttered behind the scenes behind a passworded page.

In the United Kingdom, we have the Data Protection Act 1998 which was forced down upon all member states of the European Union by the 'Data Protection Directive'. This meant that all 27 member states of the EU shared a good proportion of the same law, enabling simple cross-border transactions of data.

In the United States, however, it gets a little messy. From what my colleagues tell me, this would be a 'FERPA/IDEA breach' whereby heads would most certainly roll.

The Information Commissioner's Office (ICO) is the UK's data protection registrar, which deals with cases of data misuse and loss, and can impose criminal or civil penalties against those who break the rules.

In this particular instance, 615 students of the same university had the fact that they had a disability disclosed to the same number of other students by way of email communication.

This kind of information would be considered 'sensitive personal data' as defined by law, like racial or ethnic origin, religious and political beliefs and any criminal record.

The ICO has clear guidance of some of the security measures that should be employed to protect personal data including:

"If you want to send an email to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the address it was sent to.

Be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone."

From the Health and Safety Executive, relating to confidentiality and data protection regarding disabilities:

"Disabled people have a right to confidentiality and an employer must not disclose confidential details about them without their explicit consent."

Granted, I am not an employee of the university, but at least one person on that list is.

The university was unavailable for response. However a short time ago, a senior university official sent the following as part of a wider, apologetic email to all students involved:

"I would like to apologise unreservedly for any distress this has caused you, and assure you that action has been taken to ensure that this error does not recur.

We are aware that this is a significant breach of Data Protection and have therefore voluntarily reported this to the Office of the Information Commissioner, who will investigate and take appropriate action in due course.  The University has a good record on Data Protection, and this lapse is uncharacteristic."

It just goes to show the damage that can be done by simply not using the blind carbon copy field to protect the identities of recipients.

Topics: CXO, Collaboration, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Deserving of disciplinary action at the least

    How about the guilty party spend a day with every single person on that list acting as their personal servant for the day?

    All too often people who screw up in a big way never have any empathy for the people they harm. At least this way, they'd get to know each and every person as an individual, and what it takes to get them through the day.

    Kind of like walking a mile in someone else's shoes.
  • Had this happen at a financial services business

    The head of marketing for this Des Moines-based business told his admin to send everyone's emergency info to the entire group. She, being a CA girl not unlike the recent UCLA YouTube ranter, sent everyone's entire personal info database to everyone in the entire 125-person department: d-o-b, home address, home phone, spouse's name, etc., etc. The one that really pissed me off was the date of birth. Isn't that a huge HR violation? I called HR and all they said was, "we'll look into it." End of story.
    • chia seeds

      I am very interested for this post.This site is so helpful. So i want some information for sharing this side with some of my friend. Thanks.<br> chia seeds
      <a href="">chia seeds</a>
  • RE: University email disclosed data of students with disabilities

    once it's emailed out there, of course there is no way to retrieve it or prevent its further use, such as selling it for marketing or use for personal harassment, etc.

    This is why responsible businesses and schools send a mere notice telling parties to log into their account for a message. That partly prevents the confidential message sharing; still would not correct the visible cc problem. However the university or business could remove "cc" from the email options if they don't screen their employees for intelligence and diligence.

    I hate to say it but sometimes confidentiality breaches are also on purpose but pretend to be an accident. I'm not accusing, but cautioning managers in general about the options they allow employees to have.

    On the personal side, anyone can get their own domain and have as many eddresses as you want, one for each different membership(?), and then you can trace misuse back to the organizations who originated the problem when its used again. Does not prevent abuses but you know who to call or sue depending on the harm.

    That is way easier than changing your eddress after every misuse of it.
  • RE: University email disclosed data of students with disabilities

    I've made a few goofs myself including accidentally posting something with identifying information that I thought I had Emailed to one other person instead of posting, but this is a gross breach for which someone should be held accountable now and when the leaked information costs someone a job or promotion, etc., later in life.
    I wish the U. S. had better privacy protection, like I am told the EU and Canada do. President Obama has supported a draft Internet privacy bill that hasn't been written yet and which I am afraid the big companies with an interest in data-mining and marketing will spend enough to gut, apart from the fact that we have wanted about 15 years too long before providing solid protection under existing and any new technology.
  • University email disclosed data of students with disabilities

    The head of marketing for this Des Moines-based business told his admin to send everyone's emergency info to the entire group.
    <a href="">bar in Nashville</a>
    <a href="">funeral Lincoln</a>
    <a href="">tattoo in Scottsdale</a>
    <a href="">realtors Shreveport</a>
    <a href="">doctors Omaha NE</a>
  • University email disclosed data of students with disabilities

    Not good! It should be examined in front of law! Thanks for your sharing information!
    <a href="">hotel deal Los Angeles</a>
    <a href="">Los Angeles hotel deal</a>
    <a href="">hotel deal Chicago</a>
    <a href="">hotel deal in Chicago</a>
    <a href="">hotel deal Philadelphia</a>
  • University email disclosed data of students with disabilities

    The head of marketing for this Des Moines-based business told his admin to send everyone's emergency info to the entire group.
    <a href="">Dick Black</a>