University of East Anglia not punished over data breach
- Published
A university that mistakenly emailed sensitive personal information about students to hundreds of undergraduates will face no further action.
Details of health problems, family bereavements and personal issues were sent by the University of East Anglia (UEA) in Norwich to 298 students.
The Information Commissioner's Office said no regulatory action was needed.
The UEA said it had asked auditors how to prevent similar breaches and was now following their recommendations.
The offending email, sent in June to all American Studies students, contained personal data relating to 191 undergraduates.
It listed extenuating circumstances in which essay extensions and other concessions were granted.
Sophie Atherton, 22, a third-year American Studies student whose data was leaked, said: "It was devastating, actually. I was travelling back on the train and I just burst into tears.
"It felt like my life was on show for my entire department to see."
She said it was "disappointing, to say the least" that no further action was being taken.
Ms Atherton said she was having counselling and considering legal action against the university.
The Information Commissioner's Office (ICO), which investigates data breaches and can fine serious offenders, said: "After considering the facts in this case we found the breach didn't meet all the requirements for the ICO to take regulatory action.
"However, we have issued the University of East Anglia with advice to assist it in improving its future compliance with the law."
The UEA published a report on its website, external into the data breach, in which it claimed its response to contain the damage had been "timely and appropriate", and that it had since introduced mandatory data protection training and tightened up procedures.
In a statement, a spokesman said: "The University fully accepts the Information Commissioner's Office findings.
"We have apologised to the students directly affected and following the data breach in June an action plan was quickly put in place to reduce the risk of such an event happening again."
- Published26 June 2017
- Published16 June 2017