After multiple breaches of confidentiality, why are UCD Schools and administration not taking the protection of student details seriously? Michelle McCormick examines the lack of data protection in UCD and asks why it’s such a low priority for the powers that be.
“UCD is firmly committed to ensuring personal privacy and compliance with the Data Protection legislation, including the provision of best practice guidelines and procedures in relation to all aspects of Data Protection.”
Or so says the UCD data protection policy. But with yet another data protection blunder hitting the headlines, exactly how seriously can we take this “commitment to privacy”? How many more times must sensitive and confidential student data be made available to all and sundry before the university realises that its processes are vulnerable and half-hearted?
In the past number of years, information such as phone numbers, addresses, student numbers, exam results – and now even degree transcripts – have been made public, either accidentally or by unthinking administrative staff. It would be easy to say that the powers that be have little respect for the privacy of students or the importance of keeping their personal details personal, but the presence of an extensive data protection document would seem to suggest otherwise. There are measures in place to prevent the sort of information leakages we’ve seen time and time again in UCD – measures, it seems, that are not working.
Is it the case that the processes aren’t stringent enough, or are staff just not adhering to the rules? Why, when simply gaining access to the library has become an almost military procedure, can we not get to grips with keeping highly sensitive information private?
Whatever the problem, the more pressing issue is the lax attitude to such breaches. In each case, staff in the relevant schools or departments were oblivious to the dangers of revealing personal information publicly, or did not take enough precautions to prevent leaks. Not only are the staff at ground level not taking the issue seriously, but the powers that be are also less than concerned at the continuous slip-ups.
Both the Students’ Union and the University have placed responsibility for data protection at the feet of students. According to SU President Gary Redmond, students should “take appropriate measures to ensure the protection of their personal details”. A spokesperson for UCD said that due to the increase in online social media, there’s an increased risk of impersonation and identity theft, and so students need to be more protective of sensitive details. “Remain extra vigilant about publishing any personal information in publicly accessible online media which may be added to information obtained from other sources to create an impersonation,” was the UCD line on handing over transcripts to a stranger without questions.
This advice is almost laughable given the nature of slip-ups in the past – a list of names and student numbers was posted on a notice board in an Arts Block corridor just two years ago. A comprehensive list of student names, addresses student numbers and phone numbers posted in a public area of Blackboard. What use is extra vigilance on social networking when the university is not equally vigilant about protecting our details?
Redmond acknowledges that something needs to be done. “The university should review its internal policies to ensure that all procedures were followed in this instance, and if necessary introduce mechanisms to ensure that a breach of this nature does not occur in future,” he said. But the president does not go far enough. If a situation where student transcripts can be ordered, paid for, and collected by anyone other than the student who owns them is part of the “procedure”, then something is seriously amiss with the level and extent of data protection in UCD.
Even when prompted, the staff member in question did not deem it necessary to get any proof of ID from the person collecting the transcript. Why is this acceptable? Why is the university passing the buck, telling students that they should be “more vigilant” with their personal details? It’s clear that until the university starts taking student privacy seriously, our personal information is subject to the whims of its staff.