University of East Anglia pays data breach students £140k compensation

University students whose personal details were emailed to hundreds of their classmates have been paid more than £140,000 in compensation.

A spreadsheet containing student health problems, bereavements and personal issues was sent to 298 people at the University of East Anglia in June 2017.

Insurers have since paid out £142,512 to affected students from UEA, which said it had reviewed data practices.

The Information Commissioner said at the time no further action was needed.

One affected student, who asked to remain anonymous, said the figure was "a lot of money" but she was not "massively shocked" given the scale and sensitivity of the breach.

She highlighted subsequent data-management mistakes at the university, adding: "You'd think leaking private medical history, the names of sexual assault victims and personal family traumas just once would be enough to learn the lesson and move on."

The compensation payouts were revealed through a Freedom of Information Act release reported by student newspaper Concrete, external.

Ian Callaghan, chief resource officer and university secretary at UEA, said "great strides" had been made in raising awareness of data management since the breach.

He said all data on hard and shared drives had been reviewed, mandatory data protection training had been introduced and access to group email accounts had been limited.

The offending email, sent to all American Studies students at the Norwich-based university, contained personal data relating to 191 undergraduates.

It listed extenuating circumstances in which essay extensions and other concessions were granted.

Students described how they felt their "life was on show".

The Information Commissioner's Office, which investigates data breaches and can fine serious offenders, said the breach did not meet the requirements for regulatory action.

It gave the university advice on how to improve in future.

The UEA's own report, external into the breach found its attempts to contain the damage had been "timely and appropriate" and it had tightened procedures.

The following November, an urgent investigation was launched after personal details about a UEA staff member were sent to 300 people.