University of Essex Data Breach
The BBC reported yesterday that the University of Essex had suffered a data breach in late March affecting more than 400 students. It appears that a spreadsheet containing a range of personal data relating to students was attached to an email sent by the Facilities Management department requesting payment for repairs to a broken door at an accommodation block. The BBC report doesn’t go into detail about how the data breach occurred but presumably, the spreadsheet was compromised either by being sent to an unauthorised address, or more likely CCing in all those affected students. A University of Essex spokesman said: “We are taking this issue very seriously and ensuring our delivery partners understand our high expectations about the management of data.” Prevention is always better than remediation.
Sadly email continues to be used for transferring and sharing personal data and spreadsheets continue to be a medium to record and transfer personal data. Perhaps the University of Essex has a policy forbidding these tools for transferring personal data – if they haven’t then they should have – or perhaps the person sending the email circumnavigated the established data transfer process for expediency? Maybe they hadn’t received appropriate training? Maybe the University doesn’t expect the Facilities Team to interact much with personal data and maybe the team doesn’t get the same level of training as those more obviously processing personal data. Lots of unanswered questions.
Unfortunately, in our experience, GDPR training is so often a tick box exercise covering the law: the 7 principles, the fact folks have rights etc. etc. The missing element we find in just about all of the GDPR training we review is HOW to work within the specific framework of policies and procedures at a specific employer. It seems obvious to us that the emphasis of training should be on how to perform job roles, tasks and duties in addition to some detail about the legal requirement. Without training employees about the “rules of engagement” you’re pretty much leaving it to chance that everyone works in the same way.
Presumably, as Hayes Connor is representing students, there may be a compensation claim in play the outcome of which we look forward to. In the meantime, we commiserate with all those affected including the students and employees who caused the breach.
Data Protection People is one of the leading providers of GPDR and data protection training in the UK.