A data leak at Pembroke College has recently been reported after it emerged that private details relating to the college’s alumni were left vulnerable to unauthorised access. According to Cherwell, users with access to the college’s single sign-on system were reportedly able to view extensive personal information about former Oxford University students who had been hosted at Pembroke College.
All organisations that process and store personal data have a legal duty to protect it in accordance with the GDPR. Where they fail to do so, they can be held liable for a data protection breach. In some cases, the affected victims can also be eligible to make compensation claims for the harm caused.
Although it appears that the alumni information was not exposed outside the organisation, the incident at Pembroke College nevertheless demonstrates the risks of failing to manage data access appropriately.
The Pembroke College data leak
As part of a 2021 telethon designed to obtain donations from alumni, Pembroke College is understood to have held a range of details so that telethon workers could contact these former Oxford University students. However, the Pembroke College data leak meant that the records of this telethon were open to access by employees outside the authorised team.
Cherwell reports that the compromised information included full names, addresses, phone numbers, and ages of college alumni. It is also understood to have included notes taken during the calls, and details about donations that have previously been made by named individuals.
Pembroke College has stated that the technical issue in the system that holds alumni and donor data, which it says has since been resolved, dated from when the site was first created. It has also said that those who accessed the data without the appropriate authorisation have been identified and warned against misusing the information.
Limiting data access within organisations
In its privacy policy, Pembroke College says that access privileges are granted only to those who require certain data for their job role and duties. However, the Pembroke College data leak indicates a significant failure to limit access to information in line with that policy.
According to the GDPR, employees should only be allowed to access personal information for specific work-related purposes, and for purposes consistent with the reasons for which the data was disclosed. The alumni of Pembroke College would likely not have expected their data to become freely accessible across the university without good reason.
The issue was deemed serious enough to report to the Information Commissioner’s Office (ICO), which investigates potential data protection breaches. While the damage caused by the incident may have been limited, those affected by the Pembroke College data leak may well have lost trust in the organisation.
Growing data breach claims
Anyone who has been affected by a data breach in which an organisation has mismanaged access to data could be eligible to make a compensation claim. We are seeing more and more of these types of incidents where simple flaws or oversights have resulted in a wealth of information being leaked. In the worst cases, private and sensitive data can be leaked which can cause significant distress to the victims.
All organisations have a duty to protect the information that they store and process, and we continue to see more and more breaches and more and more people claiming. Things, as they stand, do not seem to be getting any better despite the GDPR being introduced.