BELFIELD PAPERS: DPO Investigates Potential Data Breach
The UCD Data Protection Office (DPO) is internally investigating highly sensitive documents recently discovered to be open to student access. The DPO has said they are “following the standard university incident management procedure,” in response to the allegations.
The College Tribune has contacted the Data Protection Commission (DPC) regarding the incident. UCD are now liaising with the UCD DPO and the DPC. The Tribune is also liaising with the DPO regarding the allegations.
The incident, named by the Tribune as the “Belfield Papers”, suggests a potentially huge breach of UCD employee and student data. This comes after sensitive documents were discovered unattended in a third-floor storage room in the UCD Student Centre. UCD Musical Society were found to have unattended access to this space, raising questions about the safety of this data. Unverified reports also suggest that other students have previously discovered these files while unattended in the area by UCD Student Centre staff.
The DPO is an independent office within UCD that works to defend the rights of data subjects. A spokesperson for the DPO said they are “following internal protocol whenever a data incident is brought to light.” The DPO is currently categorising this as an “incident” rather than escalating it into an official data breach.
UCD will perform a risk assessment of the incident, with the counsel of the DPO following their investigation. Following this, if the potential breach in data is categorised as “medium or high risk,” the incident will be officially reported to the Data Protection Commission for further investigation.
Last week, the College Tribune discovered a large collection of unattended files spanning from at least the years 2000 to 2014. The limited number of files seen by the Tribune belonged to UCD, the UCD Student Centre, UCD Campus Sport and Leisure Ltd., UCD Department of Sport and UCD Societies. Included in the sensitive documentation were payroll reports, employee bank account details, PPS numbers, employee Revenue and Social Insurance Numbers, UCD societies grant applications, UCD societies income and expenditure accounts, documents regarding student disciplinary hearings and details of TD donations to student political societies, to name only a small fraction of what was left unattended and open to student access.
UCD’s website has a GDPR section with advice on how to “reduce the risk of causing a security related data breach.” Within these guidelines is advice stating: “Leave paper documents containing personal data: If not in use, locked away, Never lying around or behind; Out of sight of unauthorised people…” The section also states that: “for paper documents containing personal information: Never keep them on an open shelf in a general office, Never throw them in the general bin; Never leave them behind after you are finished with it.”
The ‘Belfield Papers’ raise questions about how these guidelines are implemented within UCD’s various institutions.
The Tribune reached out to UCD Student Services for comments on the security of these files and the DPO’s ongoing investigation. They responded saying: “Student Services has already made a statement and has no further comment to add.”
More to follow…
Conor Capplis – Editor