University Post
University of Copenhagen
Independent of management


UCPH criticised for not telling students about data leak

Leak — A number of students’ CPR personal registration numbers were posted on the Faculty of Health and Medical Sciences intranet by mistake. And the students were not subsequently informed. The faculty has now been reprimanded by the Danish Data Protection Agency.

Human error was behind the release of a group list with 277 students from the Faculty of Health and Medical Sciences and their personal CPR numbers on the University's Absalon intranet system on 9th January this year. The document was posted by a study programme secretary at 08.36 and taken down on the same day at 09.33 when the error was detected.

However, the secretary was not aware that the intranet automatically stores a copy of uploaded documents in an archived file. This was discovered by a student who contacted the faculty on 13th January, after which the document was removed.

Students told nothing

The faculty’s IT staff did not contact the affected students, as they did not consider the incident to be serious enough. This was partly due to the short period of time in which the CPR numbers were available and the fact that the intranet requires a login with password.

In a situation where 277 students’ personal numbers have been available to unauthorized persons, it is the opinion of the Danish Data Protection Agency that the Faculty of Health and Medical Sciences at the University of Copenhagen should have informed the affected persons.

Data Protection Agency decision

But the decision not to inform the students whose CPR numbers were published has now been criticised by the Data Protection Agency. CPR numbers can be abused for identity theft.

“In a situation like this one, where 277 student numbers have been available to unauthorized persons, it is the opinion of the Data Protection Agency that the Faculty of Health and Medical Sciences at the University of Copenhagen should have informed the affected persons,” the agency writes in its decision.

Read the decision here.

IT manager: Students will be informed

After receiving the decision from the Data Protection Agency, the faculty will tell the 277 students. Allan Have Sørensen, head of IT at the Faculty of Health and Medical Sciences, told the media DR that it was a mistake not to inform them beforehand.

“We should have informed those people. This is a procedural error. Human error does happen. Now we have been made aware of it, we are doing something about it,” he says to DR.

Allan Have Sørensen emphasizes at the same time that the university has taken steps to improve data security. This includes preparation for new EU personal data regulations – effective next year.

Inside the faculty, employees have been encouraged to pay special attention to group lists with CPR personal numbers.
