University of East Anglia pays data breach students £140k compensation

Published
image copyrightN Chadwick
image captionThe University of East Anglia emailed sensitive information to nearly 300 undergraduates

University students whose personal details were emailed to hundreds of their classmates have been paid more than £140,000 in compensation.

A spreadsheet containing student health problems, bereavements and personal issues was sent to 298 people at the University of East Anglia in June 2017.

Insurers have since paid out £142,512 to affected students from UEA, which said it had reviewed data practices.

The Information Commissioner said at the time no further action was needed.

One affected student, who asked to remain anonymous, said the figure was "a lot of money" but she was not "massively shocked" given the scale and sensitivity of the breach.

She highlighted subsequent data-management mistakes at the university, adding: "You'd think leaking private medical history, the names of sexual assault victims and personal family traumas just once would be enough to learn the lesson and move on."

'Life on show'

The compensation payouts were revealed through a Freedom of Information Act release reported by student newspaper Concrete.

Ian Callaghan, chief resource officer and university secretary at UEA, said "great strides" had been made in raising awareness of data management since the breach.

He said all data on hard and shared drives had been reviewed, mandatory data protection training had been introduced and access to group email accounts had been limited.

The offending email, sent to all American Studies students at the Norwich-based university, contained personal data relating to 191 undergraduates.

It listed extenuating circumstances in which essay extensions and other concessions were granted.

image copyrightUEA
image captionA second email was sent out after the error was discovered

Students described how they felt their "life was on show".

The Information Commissioner's Office, which investigates data breaches and can fine serious offenders, said the breach did not meet the requirements for regulatory action.

It gave the university advice on how to improve in future.

The UEA's own report into the breach found its attempts to contain the damage had been "timely and appropriate" and it had tightened procedures.

The following November, an urgent investigation was launched after personal details about a UEA staff member were sent to 300 people.

More on this story

Related Internet Links

The BBC is not responsible for the content of external sites.