University College Dublin (UCD) experienced significant delays in acting on “far reaching” data management recommendations from the Data Protection Commission (DPC). Following a data breach in November 2019, uncovered by The College Tribune, the university was instructed to review its physical storage practices and data retention periods which led to the promise of mandatory data protection training for all staff.
It can also be revealed that UCD considered taking legal action against a student and a journalist from The College Tribune who exposed the story.
The Belfield Papers
In November 2019, The College Tribune discovered a number of highly sensitive personal files, belonging to UCD staff and students, open to unsupervised student access. Known at the time as the ‘Belfield Papers’, these files included payroll reports, employee bank account details, PPS numbers and details of TD donations to student political societies.
A storage room under construction on the third floor of the UCD Student Centre stored miscellaneous furniture for UCD Musical Society, alongside a number of sealed and unsealed boxes of documents (a practice later deemed as a “security risk” by the university). At the time, the student society confirmed to both The College Tribune and The Times that a member of staff would open the room for the students, and return to lock it thereafter, giving students unattended access to the sensitive files – against GDPR recommendations.
Following media coverage on the issue, UCD’s Data Protection Office (DPO) investigated the matter, which aided the university’s report to the Data Protection Commission (DPC). In December, the DPC confirmed to this publication that the matter was closed following the issuing of recommendations.
Following initial reporting in 2019, amid rumours of ongoing investigations into the matter and subsequent audits within the university, The College Tribune can now reveal some stark truths on UCD’s response to the initial breach, lengthy delays in acting on the DPC’s recommendations, and the “far reaching” repercussions for the institution.
The College Tribune obtained over 150 documents that shed light on the university’s response to the initial incident.
In the university’s breach notification to the DPC, the incident was deemed as “medium risk”, with UCD admitting “better security measures should have been put in place”. The report also admits the storage practices posed a “security risk”. One staff member noted that a lower risk designation could lose credibility for the university, warning that the DPC could have escalated the situation.
The university also suggested several concerns following the breach, including “loss of control” over personal data, “discrimination” and “damage to reputation”.
Following an internal investigation, UCD took the decision not to inform the affected individuals of the data breach as they believed the potential harm caused by informing them was higher than the threat posed from the breach itself.
Though the university had “no proof” of unauthorised access to the files in question outside of the discovery by The College Tribune, the seriousness of the incident, and the malpractice that occurred, was enough for the DPC to issue a number of strict recommendations for UCD.
Significant Delays in Action
On December 2nd 2019, the DPC declared the case as closed following the university’s immediate actions. However, there were a number of “far reaching” consequences for UCD on foot of the negligence unearthed by the incident.
Among the DPC recommendations were demands to review the institution’s personal data storage facilities and practices. They also advised regular staff training in UCD’s data protection obligations.
Following this, Dr Ulrike Kolch (UCD’s Data Protection Officer) gave her first warning to the university’s GDPR steering group: “Given that the DPC is looking at us already, we need to demonstrate that we take this Regulator’s input seriously.” Kolch said it was “paramount” that UCD adopt a “broad university commitment and follow-up actions supported by the senior management team.”
Weeks had passed and UCD President Andrew Deeks nor the wider University Management Team (UMT) were made aware of the gravity of the situation.
It took until January 16th for the DPO to receive a meaningful response from UCD management, a staggering 41 days after their last communication on record. Finally, President Deeks was made aware of the situation, but delayed moving forward due to “lack of clarity” on the implementation of a university-wide GDPR e-learning tool.
Following Kolch’s concerns that the university was running behind schedule, Tristan Aitken (Director of Human Resources) told her: “If this feels like too short a timescale I am happy to intervene with the DPC to keep them off your back for the time being,” prompting concerns on the university’s attitude towards the regulating body.
UCD’s first update to the DPC at the end of January provided basic information on the university’s plans for the future but lacked evidence of substantive action. A second update was requested for the end of April, with Kolch appealing for swift action, telling management they’ve “lost quite some time already with approvals”.
Almost a month later, Kolch met with members of university management, later emailing them: “… what [do] you want me to feed back to the DPC as a reason for us being so far behind our plans and commitments to undertake the physical data audit […] Given that the original DPC email is from early Dec 2019, Covid as sole reason will not be an option.”
Kolch also requested a statement from a senior management member for the DPC update, something that never made it to the final communication.
Weeks passed without action from university management. Kolch demanded a further update on the institutions’ progress, but this time she attached details of a recent Information Commissioner ruling in the UK. A London-based pharmacy was fined £275,000 (€315,892) under similar circumstances to the Belfield Papers, in which Kolch calls “very relevant for this topic in general.”
The April update also reported little evidence of progress, admitting that headway on the physical data audit was “behind schedule”. In her report, Kolch said: “I realise that my progress update is not entirely in line with expectations, but you will appreciate we have unfortunately been overtaken by events beyond our control.”
This explanation comes despite weeks of delay amongst university management to promptly engage with UCD’s Data Protection Officer on reforming the institutions’ data management.
Mandatory Staff Training
Back in summer 2019, following an inquiry from the DPC, the university vowed to implement a ‘Data Privacy & GDPR E-Learning Tool’. According to Kolch, it was “promised that UCD will make basic GDPR training mandatory for everyone who processes personal data”.
As part of the DPC’s recommendations in December, UCD moved to implement this. However, The College Tribune could not find evidence of such training being introduced at UCD – over a year after their initial promises.
It’s All About The Signs
In November 2019, after informing the Student Centre of the data breach, a spokesperson responded, noting that they were reviewing CCTV footage to identify the individual accompanying The College Tribune journalist (a confidential source who tipped off this publication), as our actions could be interpreted as “trespassing”.
“Once we establish the identity of these individuals legal advice will be considered to verify that this access was unlawful and/or a breach of the UCD Student Code, thus enabling further action to be taken by the management of the University.”
On November 14th, Kolch emailed members of UCD management cautioning against legal action. She advised the group: “Unless there is clear signage in the Student Centre that the CCTV footage will be used in such an instance, i.e. that people expect such a use of footage, any handling of footage in this context could potentially be seen as a privacy risk in itself.”
Following that communication, The College Tribune received no further indication that UCD intended to pursue legal action.
Due to the lack of GDPR compliant signs within view, outlining that footage could be used in instances of prosecution, any attempt to do so could be seen as breaching one’s rights as a data subject – likely restricting the university’s ability to pursue legal action.
Estate Services were “reviewing the matter” of these signs since summer 2019, around about the same time UCD was subject to an inquiry from the DPC.
The College Tribune subsequently investigated the number of GDPR compliant warning signs on the Belfield campus. Before the incident on November 8th, there were two such signs at UCD. In the period between then and May 2020, 54 new signs were erected, with a further 90 GDPR compliant signs planned for posting in subsequent months.
In response to a number of questions on the above investigation, a university spokesperson told The College Tribune: “The university is acting on each of the recommendations by the Data Protection Commission from December 2nd 2019. It is committed to GDPR compliance throughout the organisation and has and will continue to invest considerably in resourcing this important area.”
Conor Capplis – Senior Reporter