University Post
University of Copenhagen
Independent of management

University of Copenhagen staff had access to sensitive data of 310,000 people

Data security — For several years, a group of employees has been able to access the Danish civil registration (CPR) numbers and other sensitive information of 310,000 students and employees affiliated with the University of Copenhagen.

A group of employees at the University of Copenhagen has unlawfully had access to the sensitive personal data of people affiliated with the University of Copenhagen.

This is according to a release on the University of Copenhagen website.

About 310,000 employees, students and other people affiliated with the university have been affected.

A member of staff discovered the serious error, which has now been reported to the Danish Data Protection Agency.

The case is still under investigation, but there are no indications that the personal data has been abused.

»The University of Copenhagen naturally takes this incident very seriously and apologises to all those affected. For the majority of the people affected however, the risk of their data being misused is assessed to be low.«

According to the University of Copenhagen, the case primarily concerns data used in connection with salary payments.

»This means CPR numbers, job categories, employment start dates (plus any termination dates), home addresses, and other information, could be used by other staff members to obtain information related to representatives that are authorised to negotiate in connection with pay negotiations. The data includes a code used by the UCPH HR department to determine reasons for termination,« the university writes.

A small number of the affected employees are subject to name and address protection.

Source of breach to be checked

The University of Copenhagen emphasizes that only staff members have had access to the data. Very few of them were aware of the option, as the information was located on a network drive to which access had to be actively established.

For the affected persons with name and address protection, the risk has increased. But the university does not consider it highly probable that unauthorised employees were aware of the possibility of gaining access to the sensitive personal information, or that they have used it.

The University of Copenhagen writes that it will now begin work to uncover how the error could occur, and how the university’s security processes can be optimized to minimize the risk of similar incidents happening again.