In November 2019, the College Tribune discovered highly sensitive UCD documents open to student access. Included in these files were payroll reports, employee bank account details, PPS numbers and details of TD donations to student political societies. After the UCD Data Protection Office (DPO) investigated into the matter, the Data Protection Commission (DPC) was informed by the university with a late breach notification.
Following several weeks of liaising with UCD on this matter, DPC spokesperson Graham Doyle confirmed on December 6th that the DPC “issued recommendations to the college and the matter is now closed.” This comes after the university provided extensive information to the DPC on the steps taken following this incident.
The data breach known to the Tribune as ‘the Belfield Papers’ is reportedly still under investigation within the university, but these accounts are unconfirmed.
The incident occurred when a storage room under construction in UCD Student Centre was discovered to have a large collection of unattended UCD Employee and Student files. UCD Musical Society were also found to have unattended access to this space.
Included in the sensitive documentation were: payroll reports, employee bank account details, PPS numbers, employee Revenue and Social Insurance Numbers, details of TD donations to student political societies, documents regarding student disciplinary hearings, UCD Societies grant applications and UCD Societies income and expenditure accounts.
It is unclear whether the university has contacted the data subjects of this breach. With the potential of an internal investigation continuing within UCD, this raises questions on data management practices within the university.
Conor Capplis – Editor