Kingston University could be fined for breach of students’ personal data

The direction of the case is still unknown Photo: Isabella Ruffatti

Kingston University could be fined after students’ personal information, including details of disability, were shared by accident, according to a GDPR data protection expert advisor.

Several students were told on October 21 that their personal information had been shared breaching strict new data law brought in under UK Data Protection Act 2018.

Micky Khanna, an advisor from Deslyon, said that it is up to the Information Commissioner’s Office to “pass judgement” on the situation based on the evidence collected.

“This would suggest that technical and organisational measures probably weren’t in place and that Kingston University failed to carry out its obligations following article 24 of the EU GDPR [Responsibility of the Controller], amongst other [laws and articles].

“It doesn’t sound good for the organisation,” he said.

Personal data breach

Emails which contain personal information sent unintentionally to a third party would generally be classified as a personal data breach.

“Organisations should assess the likelihood and severity of the risk of such an incident to the data subjects affected,” he said.

“Being the victim of a data breach can cause considerable damage and immense distress.”

He could not confirm the consequences for Kingston University but said it would be up to the regulator at the Information Commissioner Office to decide what penalty the University would face but noted that this could include enforcement notices, penalty fines of up to €20m or inspections from the supervisory authority.

Previously Greenwich University was fined £120,000 for a security breach of 19,500 students’ data which were shared online.

However, this was under the previous data protection law, UK Data Protection Act 1998 and was classified as “serious” due to the data being shared externally and the scale of the incident.

11 recalls failed

The KU student personal information was shared with hundreds of academic mentors and teaching assistants before being recalled. However, 11 of these recalls failed.

“That means that potentially 11 student ambassadors would have been able to view your personal information,” said an email sent to the affected students by Enrichment Manager, Julia Millette.

She also reassured students that the University had received confirmation from the ambassadors that all the data had been deleted and would remain confidential.

The University has not revealed how many students were affected, but The River knows of at least 50 students.

GDPR training 

One student ambassador who had her information shared said she had mixed feelings when she received the email informing her of the data breach.

“I felt a bit sorry for whoever had caused the data breach because they might have thought their job was on the line. But then I did start to think ‘well, how could this affect me?’

“We don’t know who saw what. Did they just get my name and course details? My address? My grades? The bank details that I have on Unified [Kingston University’s payment portal]?” she said.

The Kingston Hill-based student said she does not think the University or the person responsible should be punished if it was an honest mistake.

“I received GDPR training for working the clearing hotline last year so I’d assume the University would’ve provided it for the staff responsible for the data breach,” she said.

“But maybe a top-up of GDPR training wouldn’t be a bad idea, like when drivers go on a speed awareness course.”

No financial information 

A third-year student, who is not a student ambassador, received the email informing her that her data had been shared.

She asked the University what personal data was shared.

In an email seen by The River, Milette’s response to this was: “The personal data referenced in my previous email was data you entered into the HEAT system when you set up your account.

“The data was on a tab of a spreadsheet, and included contact details, course details, supporting information in your application, fee status and demographic data (e.g. gender, disability, ethnicity, age).”

HEAT is a student ambassador system, which the student had not even heard of before the email from Milette.

Kingston University has not confirmed the exact details of what was shared, but a spokesperson said: “The University became aware that, while sending out an email to a group of student staff members, personal information about some other students was inadvertently shared.

“To allay any concerns, the University can confirm this did not include any bank details.

Reported the incident

“The breach was identified and contained quickly to reduce the impact on students affected. They were informed promptly, and the University has worked with them to address any concerns or questions they raised.

“The University takes its responsibilities under the General Data Protection Regulation very seriously and has taken steps to strengthen its processes to ensure a similar incident does not happen again.”

According to Kingston University, the data was inadvertently shared by email and has been reported to be as a result of human error.

One law student said: “As long as it was a human error and it was managed that’s a good thing.”

The University has reported the incident to the Information Commissioner’s Office (ICO).

An ICO spokesperson said: “We have been informed by Kingston University of an incident and will be assessing the information provided.

“As the case is ongoing, we cannot comment further at this time.”

Kingston University said that they apologised for the mistake and that they had taken steps to minimise the impact of the data breach to ensure a similar incident did not happen again.