The University of Kent has been found to have breached data protection rules as a result of a disclosure of personal data, relating to an email which could identify other students with disabilities.
Yesterday, the Information Commissioner's Office (ICO), the UK data protection agency, assessed that the University unlawfully disclosed personal data, mostly due to human error.
The full ruling can be found here (PDF).
When I received an email a few weeks ago from my own institution, the University of Kent, which noted along with 615 other students that all recipients of the message had a disability, it nearly threw me off my chair.
It was clear that someone had failed to use the blind carbon copy field in composing the email, which had led to the disclosure of so many students' personal data.
Students received a personal apology from deputy vice-chancellor, David Nightingale within hours of the unlawful disclosure, confirming the "significant breach of data protection" and enforcing policies to ensure that this error could not occur again.
The assessment by the ICO said it was "unlikely that the University has complied with the requirements of the Data Protection Act" because it "did not take sufficient steps to ensure the security of the personal data".
The university is also delivering "refresher training for staff on the importance of using the blind carbon copy function when sending emails containing personal data", according to the letter.
The disclosing email came only days after the University of York published vast quantities of student data by mistake, amounting to one of the largest breaches of personal data in a higher educational institution.
The university was unable for comment.
- University email disclosed data of students with disabilities
- University in 'serious' data breach; Publishes 17,000 students' data
- Facebook, Google 'must adhere' to strict EU privacy rules
- Should students sue universities over poor degrees?
- Hotmail hacked: Thousands of account details published online