Kingston University share students’ personal data

Kingston University should provide more GDPR awareness courses, said one student who had her personal information shared by the university.  

Students were informed on October 21 that their personal information was shared with hundreds of academic mentors and teaching assistants before the email that contained the information was recalled.

However, 11 of these recalls failed.

“That means that potentially 11 student ambassadors would have been able to view your personal information,” said an email sent to the affected students by Enrichment Manager, Julia Millette. 

She also reassured students that the University had received confirmation from the ambassadors that all the data had been deleted and would remain confidential.

One student ambassador who had her information shared and who asked to remain anonymous said she had mixed feelings when she received the email informing her of the data breach.

“I felt a bit sorry for whoever had caused the data breach because they might have thought their job was on the line, but then I did start to think ‘well how could this affect me?’

“We don’t know who saw what. Did they just get my name and course details? My address? My grades? The bank details that I have on Unified [Kingston University’s payment portal],” she said.

The Kingston Hill-based student says she does not think the University or the person responsible should be punished if it was an honest mistake.

“I received GDPR training for working the clearing hotline last year so I’d assume the University would’ve provided it for the staff responsible for the data breach.

“But maybe a top-up of GDPR training wouldn’t be a bad idea, like when drivers go on a speed awareness course.“

Did not include bank details

A third-year student, who is not an ambassador, received the email informing her that her data had been shared.

She asked the University what of her personal data was shared.

In an email seen by The River, Milette’s response to this was: 

“The personal data referenced in my previous email was data you entered into the HEAT system when you set up your account. 

“The data was on a tab of a spreadsheet, and included contact details, course details, supporting information in your application, fee status and demographic data (e.g. gender, disability, ethnicity, age).”  

HEAT is a student ambassador system, which the student had not even heard of prior to the email from Milette. 

Kingston University has not confirmed the exact details which were shared but a spokesperson said: “The University can confirm this did not include any bank details.”

Reported the incident

According to the University, the data was inadvertently shared by email and has been reported to be as a result of human error.

The University has reported the incident to the Information Commissioner’s Office.

An ICO spokesperson said: “We have been informed by Kingston University of an incident and will be assessing the information provided.

“As the case is ongoing, we cannot comment further at this time.” 

Kingston University said that they apologised for the mistake and that they had taken steps to minimise the impact of the data breach to ensure a similar incident did not happen again.