University of East Anglia not punished over data breach

  • Published
UEA campusImage source, N Chadwick
Image caption,

The University of East Anglia emailed sensitive personal information about students to nearly 300 undergraduates

A university that mistakenly emailed sensitive personal information about students to hundreds of undergraduates will face no further action.

Details of health problems, family bereavements and personal issues were sent by the University of East Anglia (UEA) in Norwich to 298 students.

The Information Commissioner's Office said no regulatory action was needed.

The UEA said it had asked auditors how to prevent similar breaches and was now following their recommendations.

The offending email, sent in June to all American Studies students, contained personal data relating to 191 undergraduates.

It listed extenuating circumstances in which essay extensions and other concessions were granted.

Image source, UEA
Image caption,

A second email was sent out after the error was discovered

Sophie Atherton, 22, a third-year American Studies student whose data was leaked, said: "It was devastating, actually. I was travelling back on the train and I just burst into tears.

"It felt like my life was on show for my entire department to see."

She said it was "disappointing, to say the least" that no further action was being taken.

Ms Atherton said she was having counselling and considering legal action against the university.

The Information Commissioner's Office (ICO), which investigates data breaches and can fine serious offenders, said: "After considering the facts in this case we found the breach didn't meet all the requirements for the ICO to take regulatory action.

"However, we have issued the University of East Anglia with advice to assist it in improving its future compliance with the law."

The UEA published a report on its website, external into the data breach, in which it claimed its response to contain the damage had been "timely and appropriate", and that it had since introduced mandatory data protection training and tightened up procedures.

In a statement, a spokesman said: "The University fully accepts the Information Commissioner's Office findings.

"We have apologised to the students directly affected and following the data breach in June an action plan was quickly put in place to reduce the risk of such an event happening again."

Related internet links

The BBC is not responsible for the content of external sites.