University of East Anglia not punished over data breach Published duration 13 October 2017

image copyright N Chadwick image caption The University of East Anglia emailed sensitive personal information about students to nearly 300 undergraduates

A university that mistakenly emailed sensitive personal information about students to hundreds of undergraduates will face no further action.

Details of health problems, family bereavements and personal issues were sent by the University of East Anglia (UEA) in Norwich to 298 students.

The Information Commissioner's Office said no regulatory action was needed.

The UEA said it had asked auditors how to prevent similar breaches and was now following their recommendations.

The offending email, sent in June to all American Studies students, contained personal data relating to 191 undergraduates.

It listed extenuating circumstances in which essay extensions and other concessions were granted.

image copyright UEA image caption A second email was sent out after the error was discovered

Sophie Atherton, 22, a third-year American Studies student whose data was leaked, said: "It was devastating, actually. I was travelling back on the train and I just burst into tears.

"It felt like my life was on show for my entire department to see."

She said it was "disappointing, to say the least" that no further action was being taken.

Ms Atherton said she was having counselling and considering legal action against the university.

The Information Commissioner's Office (ICO), which investigates data breaches and can fine serious offenders, said: "After considering the facts in this case we found the breach didn't meet all the requirements for the ICO to take regulatory action.

"However, we have issued the University of East Anglia with advice to assist it in improving its future compliance with the law."

The UEA published a report on its website into the data breach, in which it claimed its response to contain the damage had been "timely and appropriate", and that it had since introduced mandatory data protection training and tightened up procedures.

In a statement, a spokesman said: "The University fully accepts the Information Commissioner's Office findings.