A review of cyber-security procedures has concluded that King’s College London violated EU data laws when it shared personal and private data of politically active students with police authorities.
King’s College London (KCL) has now handed itself into the Information Commissioner’s Office.
The review also concluded that none of the data subjects had “been part of a disciplinary process and none had been found guilty of violating King’s policy or regulations.”
In an open letter, KCL acting principal, Evelyn Welsh said that action was now underway to address the recommendations laid out in the review.
Ms Welsh wrote:
“Our aim is to have a plan ready by mid-September 2019, which we will also make public.”
The famous London university took the decision to hand the students’ data over to Metropolitan Police prior to a visit made by the Queen to open KCL’s new Bush House in mid-March.
The dataset, comprising the information of 16 students and one member of staff, had been gathered by security teams working at the university after student protests took place near an event being conducted by the Israel Society.
The review stated:
“This document included the names of the students and staff, and details of their course and membership of various student societies. A data protection impact assessment was not carried out and no checks were made to further verify the identity of these individuals.
A day after the Queen’s visit, the university’s security chief contacted police acquaintances to tell them of rumours that the students had been planning to disrupt the royal visit.
Responding to a request for more information, the head of security sent police a document that detailed the principle protesters. The head detailed to which groups the students belonged, as KCL Action Palestine, KCL Cut the Rent, KCL Justice for Cleaners, KCL Intersectional Feminists and KCL Climate Strike.
The security chief also informed the police that the student data had been taken from university security cards, which omitted birth dates.
“I would have to go to student services, which would raise flags and cause chatter, so would rather not as this is sensitive around student freedom!!!” he said.
As a result of the security chief’s actions, the students had their access to KCL buildings taken away for the duration of the Queen’s visit, and one student almost missed an exam.
The formal review found that the teams involved had “overstepped the boundaries of their authority and in doing so have lost overall sight of their role in protecting the students and staff of King’s.”
Twenty recommendations have now been set out on the back of the review, one of which urged for a data breach to be reported to the Information Commissioner’s Office. A recommendation was also made to put mechanisms in place to facilitate prospective DSARs that students might want to submit to the Metropolitan Police Service.
In the open letter, Welch wrote:
“The report has been uncomfortable to read. It makes it clear that the actions we took with respect to our students were wrong and did not meet our values. We accept its findings and recommendations in full and are putting in place a plan to address all the issues that have been raised.
“The report shows that we need to take some actions to ensure that the values we uphold are applied consistently across our organisation. While individuals are identified, they should not be singled out as those who were solely responsible; as such, we will be looking at the systemic underlying issues that we need to address at King’s going forward.”
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.