An interesting display of indifference from Imperial College on what could have been one of the largest data breaches in higher education history.
Data on students is clearly being fired around the College more frequently than some may assume, and with very little oversight on how it is protected. What sort of data protection team doesn’t know the difference between hiding and deleting data in Excel?
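The point about hiding versus deleting matters because an .xlsx file is just a zip of XML parts: a hidden sheet, row or column is only a flag on the markup, and every cell value stays in the file for anyone who opens it in another tool. The following check, added here as an example and not part of the original letter or of any College process, scans a workbook for those flags before release; the sample workbook it builds is a constructed minimal one (assumed names, not the actual FOI file).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by workbook.xml and the worksheet parts
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def find_hidden_content(xlsx_bytes: bytes) -> dict:
    """Return hidden sheets, rows and columns found inside an .xlsx file.

    Nothing is 'deleted' by hiding: the cells remain in the zip, so a
    pre-release check has to look at the XML rather than the rendered view.
    """
    found = {"sheets": [], "rows": {}, "cols": {}}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.findall(".//m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                found["sheets"].append(sheet.get("name"))
        for name in zf.namelist():
            if not name.startswith("xl/worksheets/sheet"):
                continue
            ws = ET.fromstring(zf.read(name))
            rows = [r.get("r") for r in ws.findall(".//m:sheetData/m:row", NS)
                    if r.get("hidden") == "1"]
            cols = [c.get("min") for c in ws.findall(".//m:cols/m:col", NS)
                    if c.get("hidden") == "1"]
            if rows:
                found["rows"][name] = rows
            if cols:
                found["cols"][name] = cols
    return found


def build_sample_xlsx() -> bytes:
    """Constructed sample: a visible 'Summary' sheet with a hidden row and a
    hidden column, plus a hidden 'Students' sheet (assumed names, minimal
    parts only, so a scanner can read it even though Excel would not)."""
    m = NS["m"]
    workbook = (f'<workbook xmlns="{m}"><sheets>'
                '<sheet name="Summary" sheetId="1"/>'
                '<sheet name="Students" sheetId="2" state="hidden"/>'
                '</sheets></workbook>')
    sheet1 = (f'<worksheet xmlns="{m}"><cols><col min="3" max="3" hidden="1"/></cols>'
              '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Total</t></is></c></row>'
              '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Jane Doe</t></is></c></row>'
              '</sheetData></worksheet>')
    sheet2 = f'<worksheet xmlns="{m}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()
```

Running `find_hidden_content(build_sample_xlsx())` reports the hidden sheet, the hidden row 2 and the hidden column 3; a non-empty result means the file is not ready to leave the organisation.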
Furthermore, when the personal data was originally flagged to the FOI team, they responded by saying that there wasn’t actually a breach? At any step along the way the user could simply have not responded to the FOI team and the data would still be up there today. We can thank our stars that the person who made the request was so diligent and moral, or the data of most of the people reading this could be floating around in cyberspace right now. It is by sheer luck that the data wasn’t downloaded during the 9 days it was publicly available, and this should be no defence for the operating procedure.
The College’s response says that the ICO’s guidance “advises against notifying individuals in such circumstances”. As far as I can see this is not true. The ICO states on its website that “If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay”. Nowhere does it say that an organisation should NOT inform individuals included in such a breach. Is it right that we hold the College to the very minimum of what the law requires in protecting our data?
In spite of all this, the College seems to have responded in a tone suggesting they did everything right. Let’s hope that the unspecified changes made to the data management system lead to real change in how similar requests are processed, or maybe next time lady luck won’t be so kind.