Students hit by University of Greenwich data breach By Leo Kelion

Technology desk editor Published duration 17 February 2016

image copyright University of Greenwich image caption The University of Greenwich says it is contacting students involved in the data breach

Personal details about hundreds of London-based research students were posted online in an apparent breach of data privacy laws.

The University of Greenwich has apologised and said it is in the process of contacting those affected.

The matter was brought to the BBC's attention by one of the students, who discovered the information could be found via a Google search.

They also flagged the matter to the UK's data watchdog.

The Information Commissioner's Office has confirmed that an investigation is under way.

One legal expert warned there could be financial consequences.

"It does look as though there has been a significant breach of the Data Protection Act's obligations to process personal data securely, fairly and lawfully," said Ruth Boardman from the law firm Bird & Bird.

"[The university] may face enforcement action by the Information Commissioner (ICO) and claims by affected individuals.

"Under new rules due to be adopted in Brussels later in March, it would face a penalty of up to 10m euros [$11.2m; £7.8m]."

At present, the largest fine the ICO can impose is £500,000.

Medical problems

Students' names, addresses, dates of birth, mobile phone numbers and signatures were all uploaded to the university's website.

They were posted alongside minutes from the university's Faculty Research Degrees Committee, which oversees the registrations and progress of its research students.

In some cases, mental health and other medical problems were referenced to explain why students had fallen behind with their work.

image copyright University of Greenwich image caption Details of some of the students' health problems were included in the published documents

In one example, it was disclosed that a student had a brother who was fighting in a Middle Eastern army and references were made to an asylum application.

Supervisors' comments about the students' progress were also documented.

In some instances, copies of emails between university staff and individual students were also published.

The university believes all the documents are now offline and has contacted Google to try to ensure cached copies of the documents cannot be retrieved from its search engine.

"I am very sorry that personal information about a number of postgraduate research students has been accessible on the university website," said Louise Nadal, the university's secretary.

"This was a serious error, in breach of our own policies and procedures. The material has now been removed. This was an unprecedented data breach for the university and we took action as quickly as possible, once the issue came to light.

"We are now acting urgently to identify those affected. I will be contacting each person individually to apologise and to offer the support of the university.

"At the same time, I am also conducting an investigation into what went wrong. This will form part of a robust review, to make sure that this cannot happen again. The findings and recommendations of the review will be published.

"We are co-operating fully with the Information Commissioner and we will take all steps necessary to ensure that we have the best systems in place for the future."

The university was unable to say whether or not any of its staff were aware of the problem before it was contacted by both the BBC and the ICO on Monday.

The watchdog confirmed that its investigation was at an early stage.

"We are aware of an incident at Greenwich University and are making enquiries," it said.

'Huge relief'

The student who discovered the uploads has not revealed their identity. They said they welcomed the fact the documents had been made inaccessible.

"It's sad that it took an investigation by the BBC to get the documents off the internet," they said.

image copyright Thinkstock image caption Organisations can face large fines if they do not properly protect personal data in their care

"It's a huge relief. My motivation was that it is so wrong and I was worried about the Middle Eastern student who, to me, was put at great risk."

Ms Boardman said the affair served as a warning to other organisations who might not be properly reviewing the material they posted online.

"Public bodies do have obligations to publish information," the lawyer said.

"However, they must do so in a way which meets their obligations under data protection legislation.

"This breach shows the importance of doing this properly, so as to avoid causing significant distress to those whose information has been made available in this way."