Colleges leak students’ personal data
A number of colleges are failing to protect their students from identity theft, an investigation by The Oxford Student has revealed. A reporter from The Oxford Student was able to obtain personal information �" including financial details �" about current and former students with startling ease. In one instance, a college handed over files without asking for any form of identification.
The investigation has triggered a review of data procedures by the affected colleges. An Oxford Student reporter impersonated several undergraduates using ‘Google Mail’ email accounts set up in their names and used these to send a request for personal data to the students’ colleges. Consent was gained from the students in question, but after that point they played no part in obtaining the files.
Further details of the investigation will not be revealed to avoid inciting further breaches. While several colleges saw through the ruse and did not hand over personal data, lax security measures at other colleges led authorities to release private student fi les to The Oxford Student. LMH student Ollie Clough’s file was obtained without an identity check.
Clough’s file included his student loan username, information which could potentially be used to divert money from his account. Under the provisions of the Data Protection Act, colleges hold a vast array of information on students, ranging from swipe-card access to personal correspondence between the student and University authorities.
The Act allows colleges to hold sensitive personal information about students, including details about sexual orientation and politi- cal opinions. It allows individuals to request access to their fi les under strict guidelines to ensure security. Clough criticised his college for failing to adhere to the identity checks demanded by the Data Pro- tection Act. He said, “The amount of personal data that was given freely, without asking to see a Bod card, was staggering.
“Some of the data was fairly em- barrassing. But the real worry is the thought that the fi nancial and personal details that The Oxford Student obtained could be used ma- liciously. “Whilst I’m hardly surprised by the amount of data colleges hold on students, I think the manner in which this data is protected needs to be reviewed urgently.” The investigation also revealed that colleges keep and update the fi les after students have graduated.
The personal data of a student who graduated in 2006 was accessed without his assistance. The student, who did not want his name or college revealed, said, “It’s very concerning that the University’s security software is so inadequate, especially considering the level of prestige it accrues else- where.
Michael Parkinson, a spokesman for civil liberties campaign group NO2ID, claimed that the breaches demonstrate the risk of institutions accruing large amounts of informa- tion about individuals. He said, “This shows that very of- ten the weak link in the chain is the human element.” “That is why the development of vast databases of information in this country is deeply worrying.
Any of the people handling this data are in danger of being fooled, bribed, cajoled or threatened into releasing it.” In response to the evidence presented by The Oxford Student, LMH Treasurer Mark Robson launched a review of his college’s handling of student data. “It is college policy not to comment on the affairs of individual students. We take data- protection issues very seriously, and are always keen to consider improvements.
Since you have drawn attention here to what you see as some defi ciencies in current proc- esses, I assure you that I will be considering your implied criticisms very carefully in reviewing those processes now.
He added, “I would point out that the Information Commissioner’s policy on data controllers being as helpful as possible when establish- ing identity (and so foiling imper- sonation) requires a balance to be struck, and much of the debate on national identity cards is based on achieving appropriately such a bal- ance. I believe that the guidelines were met in this case.” The power for colleges to collect personal information is enshrined in the Data Protection Act of 1998.
Students are required to sign a consent form when they arrive at Oxford, giving colleges the power to collect both “non-sensitive” and “sensitive” data. The latter includes such information as sexual orientation, political opinions and mental health, and those collecting this data “are required to seek explicit consent to do so”, according to the contract.
The contract also enables the University to keep and update the data once students have left, to be used in “fundraising programmes, which might include an element of direct communication [colleges and the University].” Students have complained that they were not aware what the con- tract entailed. Clough said, “We have so many things to sign when we fi rst arrive that I didn’t really think about the implications of signing my life away.
I certainly didn’t realise that I was giving colleges permission to snoop around in my sex life."
26th Apr 2007