Last week, the University of East Anglia (UEA) paid out over £140,000 in compensation to students affected by a 2017 data breach. An email containing information on personal issues, health problems and circumstances such as bereavement was mistakenly sent to 300 UEA students. The email contained sensitive personal data of over 190 people. UEA reported that the email was sent by mistake to a group email address that autofilled when the sender started typing. This very simple mistake had a severe impact on hundreds of already vulnerable students.
This is an all too common example of how a simple slip can have a major impact. As Outsourced DPO for many schools and education institutions, we’ve seen just how often these mistakes are made. A misdirected email is one of the most frequent breaches logged by our customers. Although these breaches are common, they are not trivial: mismanaging communications can have a devastating impact on an organisation.
What’s more, there are additional risks in Higher and Further Education. Unlike in trusts, student information is often held centrally rather than in separate faculties or sites. Universities such as the University of London, The Open University and The University of Manchester all have over 100,000 students on their enrolment lists. When mistakes happen — and they will happen — a lot of people could be affected.
As this data breach occurred in 2017, the General Data Protection Regulation was not yet in effect. Had the Information Commissioner’s Office (ICO) decided to fine the University, the amount would have been far lower than if the breach had occurred today. In the event, the ICO decided that no punishment was required. Yet, while the regulatory consequences were low, the University was not absolved of its responsibility to the affected students.
As compensation for the damage from the breach, UEA paid a large sum to all affected students. The breach also damaged UEA’s reputation. Prospective students and their parents may worry about attending a university that is known for leaking personal data. Due to the high levels of media coverage, this breach could affect UEA’s admission rates for quite some time.
How can this be prevented?
The key tool here is knowledge. Providing training on good data protection practice can help staff stay on top of breach risks. The more aware they are, the more mindful they will be when handling personal data. Training can also help staff put their own preventative measures into place, for example adding a ‘grace period’ to their email account. This puts a delay on sent emails, allowing the sender to cancel a message if they realise it is going to the wrong person or holds the wrong information.
Other actions include adding the email recipient last, after writing the email and checking attachments. This gives staff the chance to double-check emails and stops incomplete messages from being sent. A motto we encourage among our customers is “check twice, send once.” Taking the time to review a piece of work saves time and stress in the long run.
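As an added illustration (not part of the original post, and not code from any DPO service or email product), the following Python sketch models the two controls described above: a pre-send check that flags the autofilled group address, external recipients, and sensitive content going to more than one person, and a held outbox that implements the ‘grace period’ with a cancel window. The addresses, group list and sensitive-term list are constructed placeholders, not real institutional data.

```python
"""Outbound email guard: a pre-send recipient/content check plus a delayed
outbox, modelling the controls recommended for preventing misdirected emails."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed placeholder data (assumptions for this example, not real addresses).
KNOWN_GROUP_ADDRESSES = {
    "all-students@example.ac.uk",
    "year2-cohort@example.ac.uk",
}
TRUSTED_DOMAIN = "example.ac.uk"
# Terms that hint at special-category data in the body or attachment names.
SENSITIVE_TERMS = ("bereavement", "health", "medical", "extenuating")


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def check_before_send(mail: OutboundMail, max_recipients: int = 5) -> list:
    """Return human-readable warnings; an empty list means nothing was flagged."""
    warnings = []
    lowered = (mail.body + " " + " ".join(mail.attachments)).lower()
    sensitive = any(term in lowered for term in SENSITIVE_TERMS)
    groups = [r for r in mail.recipients if r.lower() in KNOWN_GROUP_ADDRESSES]
    external = [r for r in mail.recipients
                if not r.lower().endswith("@" + TRUSTED_DOMAIN)]
    if groups:
        warnings.append("group address in recipients: " + ", ".join(groups))
    if len(mail.recipients) > max_recipients:
        warnings.append(f"{len(mail.recipients)} recipients (limit {max_recipients})")
    if external:
        warnings.append("external recipient(s): " + ", ".join(external))
    if sensitive and (groups or len(mail.recipients) > 1):
        warnings.append("sensitive content is addressed to more than one person")
    return warnings


class DelayedOutbox:
    """Hold each message for a grace period; it leaves only once the window
    has passed and nobody has cancelled it."""

    def __init__(self, grace: timedelta = timedelta(seconds=30)):
        self.grace = grace
        self._held = {}  # message id -> (mail, release time)
        self._next_id = 1

    def submit(self, mail: OutboundMail, now: datetime) -> int:
        mid = self._next_id
        self._next_id += 1
        self._held[mid] = (mail, now + self.grace)
        return mid

    def cancel(self, mid: int) -> bool:
        """True if the message was still held and has now been withdrawn."""
        return self._held.pop(mid, None) is not None

    def release_due(self, now: datetime) -> list:
        """Return (and forget) every held message whose grace period has expired."""
        due = [mid for mid, (_, release_at) in self._held.items() if release_at <= now]
        return [self._held.pop(mid)[0] for mid in due]


if __name__ == "__main__":
    # Constructed scenario mirroring the incident: a welfare note autofilled to a cohort list.
    mail = OutboundMail(
        sender="advisor@example.ac.uk",
        recipients=["year2-cohort@example.ac.uk"],
        subject="Support arrangements",
        body="Following your bereavement, the following adjustments apply...",
    )
    for warning in check_before_send(mail):
        print("WARNING:", warning)
    outbox = DelayedOutbox()
    now = datetime(2024, 1, 1, 9, 0, 0)
    mid = outbox.submit(mail, now)
    print("cancelled within grace period:", outbox.cancel(mid))
```

In practice the warnings would be surfaced as a confirmation prompt in the mail client, and the outbox delay would be the client’s own delayed-send setting; the point of the sketch is that both checks are cheap and catch exactly the autofill mistake described above.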
What about when breaches can’t be prevented?
It’s important to note that breaches will happen. However hard your organisation works at prevention, mistakes happen to the best of us. Therefore, it is important to put a plan in place to mitigate the effects of a breach. Having a clear pathway for recording and managing breaches can stop an issue from spiralling into a reportable offence. Once again, knowledge is key. Make sure that members of your organisation know how to recognise a breach, and that they know exactly who to tell. When you discover a breach, the clock is ticking. Not only do you have just 72 hours to report major breaches to the ICO, but the faster you act on a breach, the more effectively you can contain its impact. To avoid compensation pay-outs, a quick and efficient management process is vital.
The GDPR may feel like a hassle to many, but for all the students who entrust their data to educational institutions, following the regulations is integral to their wellbeing. The University of East Anglia has reminded us just how important data protection is. Effective management, good training, and staff awareness are all incredibly important.