UEA pays out £140k compensation for leaking students’ extenuating circumstances
298 students had their personal details leaked
The University of East Anglia will pay the 298 students affected by the data breach £140,000 in compensation.
In June 2017, a spreadsheet containing 298 students' personal details, including issues such as health problems and bereavements, was emailed to hundreds of their classmates.
The University's insurers have now paid all affected students £142,512 in compensation and have said they have reviewed their data practices.
UEA paid out more than £140,000 to student data leak victims https://t.co/NtSI4RVMP0 | @C_E_Matthews via @ConcreteUEA | BBC coverage https://t.co/dPFyvgK2HH | #FOI #highered #dataprotection (pre-#GDPR)
Compensation paid by UEA's insurers; there was no regulatory penalty.
— Owen Boswarva (@owenboswarva) January 29, 2020
The Information Commissioner said at this time no further action is needed.
One student, who has asked to remain anonymous, told the BBC the compensation figure was "a lot of money" but she wasn't "massively shocked" considering the scale and sensitive nature of the data breach.
She added: "You'd think leaking private medical history, the names of sexual assault victims and personal family traumas just once would be enough to learn the lessons and move on."
The compensation payout was discovered by Concrete, which had filed a Freedom of Information Act request.
The chief resource officer and university secretary at the university, Ian Callaghan, has said "great strides" are being made to raise awareness of data management since the breach.
He said all data on both hard and shared drives had been reviewed, mandatory data protection training had been introduced and access to group email accounts had been limited.
The email that failed to comply with data protection laws was sent to all American students at the Norwich-based university.
The email contained personal data about 191 undergraduates.
It listed the mitigating circumstances that allowed students to gain extensions and other concessions.
Students affected have said they felt as if their "life was on show."
The Information Commissioner's Office, which investigates data breaches and has the ability to fine serious offenders, said the breach did not meet the requirements for regulatory action.
The office gave UEA advice on how to improve on data protection issues in the future.
The university's independent report into the breach found that its attempts to contain the damage had been "timely and appropriate" and that it had tightened procedures.
The following November, an urgent investigation was launched after personal details about a UEA staff member were sent to over 300 people.