University Post
University of Copenhagen
Independent of management

Working environment

Data slip-up: IT manager blames it on »ageing IT systems«

Data security — IT head at the University of Copenhagen says that it was ageing systems that led to a select group of employees having improper access to sensitive personal information from 310,000 students and employees over a longer period of time.

A serious oversight at the University of Copenhagen (UCPH) has led to the sensitive personal information from 310,000 students and employees being accessible to a group of staff for a number of years.

The sensitive personal information includes CPR numbers and private addresses.

Of course this should not happen

Karen Bjernemose Rahbek, Deputy Director and IT Manager at UCPH

It was one of the university’s own staff members who discovered the fault, which has now been reported to the Danish Data Protection Agency.

READ ALSO: University of Copenhagen staff had access to sensitive data of 310,000 people

The University Post spoke to UCPH deputy director Karen Bjernemose Rahbek, who is responsible for the university’s IT department, to find out more about the data blunder.

How can such a mistake happen?

»We have many different IT systems, and some of them are ageing systems which were coded many years ago. This means that here there is one system that transfers a file to a drive which, of course, should have been delimited to a higher degree. Unfortunately it was coded so long ago that we were not aware that it was coded that way,« says Karen Bjernemose Rahbek.

But ageing systems or not, surely this kind of mistake is not acceptable?

»No, we take it really seriously, and of course this shouldn’t happen. Now we have discovered this error, and on this basis we have had the opportunity of setting up a wider delimitation.«

What do you mean when you say ‘a wider delimitation’?

»This is a network drive that too many people at UCPH have had the opportunity to access. Now that we have discovered the error, only a select group of people now have the opportunity to gain access to it,« says Karen Bjernemose Rahbek.

Misuse of data cannot be ruled out

Not all UCPH employees have had access to the personal data. According to Karen Bjernemose Rahbek, all the employees who have unlawfully had access to the personal data are employees in the IT department – where only a small part of the IT department should have had access to the data.

The possibility that some employees have been able to access this information has been available for a number of years. Have you been blind to the possibility that this kind of error could occur?

This is something we will continue to work on for many years to come

Karen Bjernemose Rahbek, Deputy Director and IT Manager at UCPH

»We have a lot of IT systems and a very large installation. And this is not the only organisation that has experienced something like this. It’s simply a question of not getting through everything when you have so much IT. You cannot sit there keeping an eye on everything, all the time. Now we have been made aware of something. And this means also, of course, that we can make an effort to look at this problem elsewhere in our IT systems,« says Karen Bjernemose Rahbek.

You have stated that there is no indication that there has been any misuse of personal data. Is this a guarantee, or how should we understand this?

»In cases like this, you have to be careful about giving guarantees, so we don’t do that. When we state it like this, it is because we have not established that there has been any misuse of the data. And we estimate that the likelihood that any misuse has taken place is very low.«

How do you prevent a mistake like this from happening again?

»We have set some analyses in motion, and this includes setting up some tools that scan for errors like this. Things look good so far. But this is, of course, a task that we need to finish,« says Karen Bjernemose Rahbek. »And it is something that we will continue to work on for many years to come«.

Latest