The Data Protection Commission (DPC) has received a formal Breach Notification from University College Dublin (UCD). This comes after the College Tribune discovered highly sensitive employee and student documents unattended and open to student access in a UCD Student Centre storage room. This notification was received by the DPC on 14th November, after the DPC contacted UCD in response to the Tribune’s coverage of the Belfield Papers. A DPC spokesperson has said the “DPC are currently assessing” the issue.
Since 25th May 2018, the General Data Protection Regulation (GDPR) requires organisations to report personal data breaches to the relevant authority. Under GDPR, UCD is required to report to the DPC within 72 hours of being aware of a data breach “without undue delay”. The Tribune informed UCD of this potential breach last Friday 8th November, meaning UCD failed to meet the mandatory time period to report to the DPC. GDPR allows exceptions to this requirement if “the reason given [to the DPC] is sufficient to justify the delay.”
DPC guidelines also recommend in cases where a full breach notification cannot be lodged within 72 hours “the initial notification should be lodged and then information may be provided in phases.” UCD submitted a breach notification more than five days after receiving notice from the Tribune.
This week, the Tribune revealed that highly sensitive employee and student files had been found open to student access, leading to a potentially huge breach in data protection and personal details. A storage room under construction in UCD Student Centre was discovered to have a large collection of unattended UCD Employee and Student files. UCD Musical Society were also found to have unattended access to this space.
The Tribune discovered a large collection of files spanning from at least the years 2000 to 2014. The limited number of files seen by the Tribune belonged to UCD, the UCD Student Centre, UCD Campus Sport and Leisure Ltd., UCD Department of Sport and UCD Societies. Included in the sensitive documentation were: payroll reports, employee bank account details, PPS numbers, employee Revenue and Social Insurance Numbers, details of TD donations to student political societies, documents regarding student disciplinary hearings, UCD Societies grant applications and UCD Societies income and expenditure accounts; to name only a small fraction on what was left unattended to student access.
The UCD Student Centre third-floor storage room contains miscellaneous furniture items alongside large theatre set pieces used by UCD Musical Society. The student society has access to this room for storage of large set pieces and enjoy “access to the storage space whenever we need it. When it is locked we can have it opened by a member of staff.” The Belfield Papers raise questions on the security of employee and student data within UCD.
More to follow…
Conor Capplis – Editor