Universitetsavisen
Working environment
Data security — Deputy director apologizes and promises stricter access restrictions.
Only six months after a major case of unauthorised access to sensitive personal information, the University of Copenhagen (UCPH) has yet again been affected by a security breach. Employees working in the university’s journal system temporarily allowed access to documents containing Danish personal identification (CPR) numbers, health details, consultations, and exam certificates.
The University Post has spoken to Deputy Director Thomas Molin, who heads the joint HR department at UCPH and who has responsibility for the latest breach. He says the slip-up is »deeply regrettable«.
»We take this very seriously. That is why this is also an opportunity to review our procedures and systems,« he says.
According to the deputy director, the error occurred during the mandatory submission of archived documents to the Danish National Archives. A technical glitch removed access restrictions on some documents, making them available to more UCPH employees than intended.
This led to a further investigation that revealed several documents lacked proper access restrictions, allowing the staff who were using the journal system to view them.
The error has been reported to the Danish Data Protection Agency.
Thomas Molin emphasizes that employees who inadvertently had access to sensitive information are bound by confidentiality under penalty of law. The university has found no evidence that the information has been accessed or misused.
According to Thomas Molin, approximately 2,500 employees have had access to the sensitive information.
»The error occurred because employees failed to apply the correct access restrictions to documents,« says Thomas Molin.
This remains your and your department’s overall responsibility. Should you have maintained stricter ongoing control to ensure UCPH employees followed correct procedures?
»We are responsible for having a journalization plan and guidelines on how to use these systems correctly. This is in place. However, you can always do more, and you can always enforce more controls. We will now step this up in light of this incident,« says Thomas Molin.
According to the deputy director, it is not possible to monitor all employees to ensure documents are archived correctly. In the future, technical checks will be carried out on documents for specific keywords that should trigger access restrictions.
»Take a word like ‘medical certificate’. If it appears in a document, it should be assumed that the document is not meant to be accessible to everyone,« says Thomas Molin.
The case echoes a similar incident earlier this year, where a group of employees had unauthorised access to personal data on more than 300,000 individuals associated with the university. At that time, the affected data included CPR numbers, private addresses, and salary-related information.
The UCPH IT Director, Karen Bjernemose Rahbek, expressed regret over the previous incident to the University Post and assured that measures were being taken to prevent similar errors.
Thomas Molin, how can this happen again just six months later?
»It was an entirely different technical problem involving a drive believed to be restricted to a specific group of people, which it wasn’t. This is a separate issue, but the consequence is the same: some individuals had access to documents they shouldn’t have,« he says.
What does this say about data security at UCPH, given these two comparable errors within six months?
»I think it reflects what happens in most organizations, that sometimes things happen that simply shouldn’t. We learn from it, improve, and move on. That is what we must take from this incident. But for now, we can only apologize and take it seriously,« says Thomas Molin, adding:
»It shouldn’t happen, but one must also acknowledge that UCPH is an extremely large organisation with a vast number of IT systems. Managing and continuously improving technical security while ensuring users operate the systems correctly is a massive undertaking.«
According to Thomas Molin, the University of Copenhagen will now work intensively to prevent similar errors in the future. The measures include an internal awareness campaign on proper use of the journal system.
»We need to increase awareness and improve communication about the importance of getting these things right. We will also look into adding prominent icons in the system, so if someone saves a document without a restriction, a prompt will appear asking if they are sure,« says Thomas Molin.
According to the deputy director, data security will only become more critical as IT systems continue to play a larger role in the future.
»It is therefore important that users are adequately equipped to operate the system correctly,« he says.