Three emails sent to 120 care experienced and estranged students revealed the names and emails of others in the group and were not reported to the Information Commissioner’s Office (ICO), The Cheese Grater can reveal.
UCL states that, “personal data should not automatically be made accessible to an indefinite number of people without the individual’s intervention.”
According to the ICO, when a data breach occurs, it is standard practice to report a “personal data breach” within 72 hours, if it “meets the threshold for reporting.”
These emails were sent by the Student Success team to the care experienced and estranged students (CEES) group in their first year.
Two were sent in September and another was sent in November.
All three of these emails accidentally revealed the students’ information to each other, through use of the “CC” function, rather than “BCC”.
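The failure described above is a misuse of visible recipient headers rather than a system compromise, and it is one that can be caught before a message leaves the sending team. The following is an added illustration, not code from UCL or from this article: it inspects an outgoing message for recipients exposed to each other through To/Cc and shows a BCC-based construction for group mailings. The sender address, the 120 placeholder recipients and the exposure threshold are all constructed for the example.

```python
"""Detect and prevent recipient exposure in group email.

Added illustration (not from the article): flag messages whose To/Cc
headers reveal a group's members to each other, and build the same
mailing with recipients hidden in Bcc. All addresses are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every recipient address that all recipients will be able to see.

    The sender's own address is excluded: it is not a disclosure about
    anyone else, and it commonly appears in To on a bulk mailing.
    """
    sender = {addr.lower() for _n, addr in getaddresses(msg.get_all("From", []))}
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _n, addr in getaddresses(raw)
            if addr and addr.lower() not in sender]


def exposure_check(msg: EmailMessage, max_visible: int = 1) -> dict:
    """Flag a message whose visible recipient list exceeds max_visible.

    A message to one person passes; a mailing to a whole group whose
    membership is itself sensitive does not. The threshold is a constructed
    policy value, not a standard.
    """
    visible = visible_recipients(msg)
    return {
        "visible_count": len(visible),
        "exposed": len(visible) > max_visible,
        "addresses": visible,
    }


def build_bulk_message(sender: str, recipients: list[str],
                       subject: str, body: str) -> EmailMessage:
    """Construct a group mailing that keeps recipients hidden from each other.

    Recipients go in Bcc and To carries only the sender so the header is
    still valid. smtplib.SMTP.send_message removes Bcc before transmission,
    so the list never leaves in the delivered headers.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample group: 120 placeholder addresses standing in for a
# support-group mailing list. None of these are real.
GROUP = [f"student{i:03d}@example.invalid" for i in range(120)]
SENDER = "support-team@example.invalid"


def cc_mistake() -> EmailMessage:
    """The failure mode in the article: the whole group placed in Cc."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(GROUP)
    msg["Subject"] = "Lunchtime social"
    msg.set_content("Join us on Thursday.")
    return msg


if __name__ == "__main__":
    bad = exposure_check(cc_mistake())
    print("Cc version:", bad["visible_count"], "addresses visible, exposed =", bad["exposed"])
    good = exposure_check(build_bulk_message(SENDER, GROUP, "Lunchtime social",
                                             "Join us on Thursday."))
    print("Bcc version:", good["visible_count"], "addresses visible, exposed =", good["exposed"])
```

Run as a pre-send check on the sending side, the Cc version is flagged with all 120 addresses visible, while the Bcc version shows none; the same check applied to a sent-items archive is a simple way to find earlier instances of the error.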
However, when a student complained about the error, UCL determined that, “in this case [we] decided it did not meet the threshold to report to the ICO.”
One of the factors in this decision was that, “only one complaint was received about the data breach.”
The threshold for reporting varies but the ICO considers the release of “sensitive personal information of vulnerable people” to be a high risk situation.
UCL defines care experienced and estranged students as “someone who, for any length of time and at any stage of life, has been in care” and “someone who no longer has any contact with their parents” respectively.
“Invasion of privacy”
The Cheese Grater spoke to a student impacted by the data breach who felt his concerns were not treated adequately by the University.
The student said, “for something that is such a sensitive topic, it isn’t appropriate at all… it’s a huge invasion of privacy to have that leaked.
“It’s a breach of privacy. It’s not acceptable and it’s also a very silly error.”
The student first raised their concerns with UCL after seeing the third email, which was sent in November 2024, promoting a lunchtime social for CEES students.
They then later realised that at the start of the year, prior to their enrolment, two other emails had made the same error — “As this was prior to enrolment, it involved the personal email addresses and school email addresses… that’s almost even worse.”
UCL initially responded to the student 24 hours later to inform him that the error should have been rectified and that an apology should be issued.
The Cheese Grater understands that, at the time of publication, only one of the breaches has been rectified and no apology has been issued to the students impacted.
The student expressed disappointment in the CEES team for the handling of the situation, telling The Cheese Grater, “They never apologised to me, they were clearly instructed to do so by the data breach people and they didn’t do that.”
The Cheese Grater cannot confirm that the CEES team were told to apologise by UCL but can confirm that UCL told the student an apology was necessary.
Following their initial complaint to UCL, the student then proceeded to contact the ICO inquiring whether UCL had reported the incident and it was revealed there was no report on record.
When asked about how UCL handled the situation, the student said, “I feel very let down, I feel like one mistake is understandable. Three mistakes from two individuals is a lot less understandable”.
Why did UCL not report the breach?
A year on from the student’s initial report, they received a formal response from UCL’s Data Protection Office, after pursuing legal action against the University.
UCL revealed that they did not report the incident to the ICO because “only one complaint was received about the data breach” and it was marked by the student as a “medium” risk rating.
Furthermore, UCL felt that “It was not necessarily evident that being a member of this group was inherently stigmatising, and the intention was for the group to be a safe environment.”
UCL deemed that “the risk to individual’s rights and freedoms was low”.
As a result of this assessment, UCL determined that it would be disproportionate to contact all the recipients of the email to request deletion, as it was “likely to aggravate the risk.”
Following UCL’s investigation, the Student Success team did issue an apology to the student which recognised that “there was a mutual misunderstanding” between the Data Protection Office and the Student Success team over who would issue the apology to the student.
They told the student “we have since reflected and reviewed our processes to ensure that such an incident does not occur again.”
A UCL spokesperson said: “We are grateful to the student who reported the email error to us back in 2024 and have apologised. As soon as this came to our attention, we acted promptly to investigate, and our Information Services Division deleted the related email.
“UCL takes data protection and the privacy of our students extremely seriously. Our data protection team assessed the matter in line with ICO guidance and, with the benefit of specialist legal advice, determined that it did not meet the threshold for reporting.
“We will continue to review our processes to ensure we maintain the highest standards of data protection and student support.”