University email disclosed data of students with disabilities

The University of Kent has admitted breaching data protection laws by disclosing disability information to other students, because someone didn't blind carbon copy the email.
Written by Zack Whittaker, Contributor

An email popped up on my Outlook earlier yesterday which nearly threw me off my chair.

Before you ask, no it wasn't my disability, Tourette's syndrome, which does on occasion cause me to twitch so hard that I do fall off the aforementioned chair.

Considering it was only this week that a serious breach of university data came to light, you would have thought somebody in the university's registry office was reading the news.

The email discussed my exam arrangements for this summer's finals, whereby I would have my seating arrangements changed to accommodate my disability. You can't have someone shouting out the answers in the same exam hall as everyone else; much to everyone else's dismay.

Quite simply, they had sent this email to 615 students in my academic department at the University of Kent; the same email which points out their own exam arrangements due to their disability, and they hadn't used the blind carbon copy field (BCC:).

It's rather clear to anyone thatIhave a disability. For crying out loud, some of my friends have developed 'Zack radar'. They can hear me half way across campus, for goodness sakes.

But now I know the names of all the people in my academic department who have a disability.

Everyone who was copied into that email could see everyone else's name and email address; all of which are linked into the student directory system, shuttered behind the scenes behind a passworded page.


In the United Kingdom, we have the Data Protection Act 1998 which was forced down upon all member states of the European Union by the 'Data Protection Directive'. This meant that all 27 member states of the EU shared a good proportion of the same law, enabling simple cross-border transactions of data.

In the United States, however, it gets a little messy. From what my colleagues tell me, this would be a 'FERPA/IDEA breach' whereby heads would most certainly roll.

The Information Commissioner's Office (ICO) is the UK's data protection registrar, which deals with cases of data misuse and loss, and can impose criminal or civil penalties against those who break the rules.

In this particular instance, 615 students of the same university had the fact that they had a disability disclosed to the same number of other students by way of email communication.

This kind of information would be considered 'sensitive personal data' as defined by law, like racial or ethnic origin, religious and political beliefs and any criminal record.

The ICO has clear guidance of some of the security measures that should be employed to protect personal data including:

"If you want to send an email to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the address it was sent to.

Be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone."

From the Health and Safety Executive, relating to confidentiality and data protection regarding disabilities:

"Disabled people have a right to confidentiality and an employer must not disclose confidential details about them without their explicit consent."

Granted, I am not an employee of the university, but at least one person on that list is.

The university was unavailable for response. However a short time ago, a senior university official sent the following as part of a wider, apologetic email to all students involved:

"I would like to apologise unreservedly for any distress this has caused you, and assure you that action has been taken to ensure that this error does not recur.

We are aware that this is a significant breach of Data Protection and have therefore voluntarily reported this to the Office of the Information Commissioner, who will investigate and take appropriate action in due course.  The University has a good record on Data Protection, and this lapse is uncharacteristic."

It just goes to show the damage that can be done by simply not using the blind carbon copy field to protect the identities of recipients.

Editorial standards