Must Read: Mint 15: Today's best Linux desktop (Review)

Topic: CXO

University email disclosed data of students with disabilities

Summary: The University of Kent has admitted breaching data protection laws by disclosing disability information to other students, because someone didn't blind carbon copy the email.

Zack Whittaker

By for iGeneration |

An email popped up on my Outlook earlier yesterday which nearly threw me off my chair.

Before you ask, no it wasn't my disability, Tourette's syndrome, which does on occasion cause me to twitch so hard that I do fall off the aforementioned chair.

Considering it was only this week that a serious breach of university data came to light, you would have thought somebody in the university's registry office was reading the news.

The email discussed my exam arrangements for this summer's finals, whereby I would have my seating arrangements changed to accommodate my disability. You can't have someone shouting out the answers in the same exam hall as everyone else; much to everyone else's dismay.

Quite simply, they had sent this email to 615 students in my academic department at the University of Kent; the same email which points out their own exam arrangements due to their disability, and they hadn't used the blind carbon copy field (BCC:).

It's rather clear to anyone that I have a disability. For crying out loud, some of my friends have developed 'Zack radar'. They can hear me half way across campus, for goodness sakes.

But now I know the names of all the people in my academic department who have a disability.

Everyone who was copied into that email could see everyone else's name and email address; all of which are linked into the student directory system, shuttered behind the scenes behind a passworded page.

In the United Kingdom, we have the Data Protection Act 1998 which was forced down upon all member states of the European Union by the 'Data Protection Directive'. This meant that all 27 member states of the EU shared a good proportion of the same law, enabling simple cross-border transactions of data.

In the United States, however, it gets a little messy. From what my colleagues tell me, this would be a 'FERPA/IDEA breach' whereby heads would most certainly roll.

The Information Commissioner's Office (ICO) is the UK's data protection registrar, which deals with cases of data misuse and loss, and can impose criminal or civil penalties against those who break the rules.

In this particular instance, 615 students of the same university had the fact that they had a disability disclosed to the same number of other students by way of email communication.

This kind of information would be considered 'sensitive personal data' as defined by law, like racial or ethnic origin, religious and political beliefs and any criminal record.

The ICO has clear guidance of some of the security measures that should be employed to protect personal data including:

"If you want to send an email to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the address it was sent to.

Be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone."

From the Health and Safety Executive, relating to confidentiality and data protection regarding disabilities:

"Disabled people have a right to confidentiality and an employer must not disclose confidential details about them without their explicit consent."

Granted, I am not an employee of the university, but at least one person on that list is.

The university was unavailable for response. However a short time ago, a senior university official sent the following as part of a wider, apologetic email to all students involved:

"I would like to apologise unreservedly for any distress this has caused you, and assure you that action has been taken to ensure that this error does not recur.

We are aware that this is a significant breach of Data Protection and have therefore voluntarily reported this to the Office of the Information Commissioner, who will investigate and take appropriate action in due course.  The University has a good record on Data Protection, and this lapse is uncharacteristic."

It just goes to show the damage that can be done by simply not using the blind carbon copy field to protect the identities of recipients.

Topics: CXO, Collaboration, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

16 comments
Log in or register to join the discussion

  • Deserving of disciplinary action at the least

    How about the guilty party spend a day with every single person on that list acting as their personal servant for the day?

    All too often people who screw up in a big way never have any empathy for the people they harm. At least this way, they'd get to know each and every person as an individual, and what it takes to get them through the day.

    Kind of like walking a mile in someone else's shoes.
    Dr_Zinj
    Reply Vote

  • Had this happen at a financial services business

    The head of marketing for this Des Moines-based business told his admin to send everyone's emergency info to the entire group. She, being a CA girl not unlike the recent UCLA YouTube ranter, sent everyone's entire personal info database to everyone in the entire 125-person department: d-o-b, home address, home phone, spouse's name, etc., etc. The one that really pissed me off was the date of birth. Isn't that a huge HR violation? I called HR and all they said was, "we'll look into it." End of story.
    Noel249
    Reply Vote

    • chia seeds

      I am very interested for this post.This site is so helpful. So i want some information for sharing this side with some of my friend. Thanks.<br> chia seeds
      <a href="http://chiaseedssuperfood.com/">chia seeds</a>
      ngocbich1
      Reply Vote

  • RE: University email disclosed data of students with disabilities

    once it's emailed out there, of course there is no way to retrieve it or prevent its further use, such as selling it for marketing or use for personal harassment, etc.

    This is why responsible businesses and schools send a mere notice telling parties to log into their account for a message. That partly prevents the confidential message sharing; still would not correct the visible cc problem. However the university or business could remove "cc" from the email options if they don't screen their employees for intelligence and diligence.

    I hate to say it but sometimes confidentiality breaches are also on purpose but pretend to be an accident. I'm not accusing, but cautioning managers in general about the options they allow employees to have.

    On the personal side, anyone can get their own domain and have as many eddresses as you want, one for each different membership(?), and then you can trace misuse back to the organizations who originated the problem when its used again. Does not prevent abuses but you know who to call or sue depending on the harm.

    That is way easier than changing your eddress after every misuse of it.
    HappyAdvocate
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    I've made a few goofs myself including accidentally posting something with identifying information that I thought I had Emailed to one other person instead of posting, but this is a gross breach for which someone should be held accountable now and when the leaked information costs someone a job or promotion, etc., later in life.
    I wish the U. S. had better privacy protection, like I am told the EU and Canada do. President Obama has supported a draft Internet privacy bill that hasn't been written yet and which I am afraid the big companies with an interest in data-mining and marketing will spend enough to gut, apart from the fact that we have wanted about 15 years too long before providing solid protection under existing and any new technology.
    Transaction7
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate!<a href="http://nccma.com">nccma</a> <a href="http://coolerkings.com">cooler</a>
    MACKENZI
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    I used to be more than happy to seek out this internet-site.I wanted to thanks in your time for this glorious read!! I positively enjoying each little bit of it and I have you bookmarked to check out new stuff you weblog post. this thread is amazing i like your work and i appreciate you that you have share a useful stuff thanks for sharing <a href="http://the-ishop.com">the i shop</a> <a href="http://abatwa.com">abatwa</a>
    PEARLINEI
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    I used to be more than happy to seek out this internet-site.I wanted to thanks in your time for this glorious read!! I positively enjoying each little bit of it and I have you bookmarked to check out new stuff you weblog post.Bookmarking now thanks please consider a follow up post.<a href="http://power28.com">power</a> <a href="http://sagesinc.com">sa</a> <a href="http://iloveshoping.net">shop</a>
    RHIANNONA
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    I think the representation of this article is actually superb one. This is my first visit to your site. Thanks a lot and keep sharing the information. Keep updating the information for all of us. Thanks ZDNet Government was launched as the brand's first industry vertical, with a mission to cater to IT professionals in the public secto I agree with your post. However, do you have any sources I can cite for my paper <a href="http://easy-wheels.com/">wheel</a> <a href="http://pbcars.com/">car</a> <a href="http://com69.net">com</a> <a href="http://cadburry.com">bury</a>
    SATURNINA
    Reply Vote

  • University email disclosed data of students with disabilities

    The head of marketing for this Des Moines-based business told his admin to send everyone's emergency info to the entire group.
    <a href="http://barinNashville.com">bar in Nashville</a>
    <a href="http://barinNashville.com">funeral Lincoln</a>
    <a href="http://barinNashville.com">tattoo in Scottsdale</a>
    <a href="http://barinNashville.com">realtors Shreveport</a>
    <a href="http://barinNashville.com">doctors Omaha NE</a>
    panda88
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    Well welcome, hopefully you can become a vital member of the community and really help to push far ahead of google. Which Im sure the development team would love. This will of course earn you alot points too and get you on the leaders board.<a href="http://vintagesnapbackhatsfan.com">z</a><a href="http://bestsolidstatedrive.net">d</a><a href="http://b2days.com/">n</a><a href="http://b2wp.com/">e</a><a href="http://buy-sell-cheap.com/">t</a> <a href="http://sellcheap.net/">t</a><a href="http://newsoftwarepc.com/">h</a><a href="http://bestlaptoppcreviews.com/">a</a><a href="http://buyfurniturefreeshipping.com/">n</a><a href="http://cheapclothingstoresonline.com/">k</a> Im not sure i come to an agreement with you on every level, howevor it absolutely was a good posting, many thanks for taking the time to put up your ideas.
    TOCCAR
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    Thanks nice info <a href="http://buyboxinggloves.net/">z</a><a href="http://buygemicrowave.com/">d</a><a href="http://cheapweldingsupplies.com/">n</a><a href="http://cheapcarcareproducts.com/">e</a><a href="http://cheapluggageforsale.com/">t</a> I really liked your current article write more..let me add you to its favorite The articles you have on zdnet <a href="http://mlbshopgiants.com/">s</a><a href="http://best3dtvavailable.com/">i</a><a href="http://lampsplusstorelocator.com/">t</a><a href="http://discountperfumewebsites.com/">e</a> are always so enjoyable to read. Good work and I bookmarked it.
    MCKNIGH
    Reply Vote

  • University email disclosed data of students with disabilities

    Not good! It should be examined in front of law! Thanks for your sharing information!
    <a href="http://hoteldealLosAngeles.com">hotel deal Los Angeles</a>
    <a href="http://LosAngeleshoteldeal.com">Los Angeles hotel deal</a>
    <a href="http://hoteldealChicago.com">hotel deal Chicago</a>
    <a href="http://hoteldealinChicago.com">hotel deal in Chicago</a>
    <a href="http://hoteldealPhiladelphia.com">hotel deal Philadelphia</a>
    Miley229
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    Fantastic news about the new release.I positively enjoying each little bit of it and I have you <a href="http://www.youtube.com/watch?v=JQ3nfbubdTA">b</a><a href="http://www.youtube.com/watch?v=thkxMxMihl0">o</a><a href="http://www.youtube.com/watch?v=VG9Uw27cJH0">o</a><a href="http://www.squidoo.com/kindlefirereviews">k</a><a href="http://www.squidoo.com/bestkindlefire">m</a><a href="http://www.squidoo.com/kindlefireforsale">a</a><a href="http://www.squidoo.com/kindlefireprice">r</a><a href="http://www.squidoo.com/cheapkindlefire">k</a><a href="http://the-ishop.com/kindlefireprice/">e</a><a href="http://power28.com/kindlefire/">d</a> to check out new stuff you weblog post.Im not sure i come to an agreement with you on every level, howevor it absolutely was a good posting, many thanks for taking the time to put up your ideas
    RICHMONFT
    Reply Vote

  • University email disclosed data of students with disabilities

    The head of marketing for this Des Moines-based business told his admin to send everyone's emergency info to the entire group.
    <a href="http://www.dickblack4senate.com/">Dick Black</a>
    lili07
    Reply Vote

  • RE: University email disclosed data of students with disabilities

    Good day to confirm this comment I would appreciate <a href="http://golfcarttops.com/">T</a><a href="http://snowgum.net/">h</a><a href="http://gatesbydesign.com/">e</a> <a href="http://ashleighblinds.com/">b</a><a href="http://yjsound.com/">e</a><a href="http://dry-fruit.net/">s</a><a href="http://xweddings.com/">t</a> <a href="http://netrail.net/">o</a><a href="http://7ey.net/">f</a> <a href="http://birdellis.com/">Z</a><a href="http://airtechinc.com/">D</a><a href="http://medicalwholesalers.net/">N</a><a href="http://kustombike.com/">e</a><a href="http://beelinebicycles.com/">t</a> <a href="http://dippitydog.com/">d</a><a href="http://infinityskate.com/">e</a><a href="http://jeansjournal.com/">l</a><a href="http://vwebcams.com/">i</a><a href="http://compactlightbulb.com/">v</a><a href="http://expressionphotography.net/">e</a><a href="http://cavehicles.com/">r</a><a href="http://falconconcrete.com/">e</a><a href="http://fedson.com/">d</a> your website very nice to everyone Yes, Oracle is the only one with shared-disk architecture, but that is there advantage. It means you can add or remove nodes and the database lives on. In a shared nothing architecture, if you lose a node, you lose the system. I'm sure Oracle appreciates EMC highlighting their advantage.I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate Awesome post! Thank you very much || thanks for nice content this is really benefit to me.
    JACOBSONR
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close