In a potentially serious breach of data protection laws, the personal details of almost 900 old members of the Oxford Union have been freely available on the society’s website.
The Oxford Student discovered the webpages, which listed home addresses, telephone numbers and email addresses of life members of the Union, last week.
Although details were immediately taken down when this newspaper informed the society, the Union could face a fine of up to £500,000 if it fails to improve its data management.
The website allowed anyone with an Internet connection to access the personal details of former Oxford students.
The members had filled in an online form asking to be kept in touch with events at the Union – but had not agreed to their details being posted on the Internet.
The Data Protection Act makes it illegal for any organisation to use personal data without asking consent first. It also requires organisations to draw up a data protection policy and appoint a designated data protection officer.
Former Oxford student Liz Mendes da Costa was concerned that her information was freely available online.
“This feels such a gross and unnecessary invasion of my privacy. I’m really cautious about disclosing my data and never imagined that an institution like the Oxford Union would be so blatantly negligent with it,” she said.
The data was available on the Union website, alongside copies of minutes from committees, pictures of society officers – and videos of Kermit the Frog.
A spokesperson for the Information Commissioner’s Office, which deals with complaints under the Act, said that the Union had probably broken the law.
“If they haven’t consented, the Union wouldn’t have any right to do that. That would likely breach the Data Protection Act,” he said.
“We would encourage anyone [affected] to get in touch with the ICO and we’ll look into it.
“If we feel there has been a breach, we have a range of enforcement powers from an undertaking…to an enforcement action where there is a more serious data breach and we can ensure they look after their data in a more responsible manner. If they then continue to do that, we can fine the organisation up to £500,000.”
Despite this, some members did not appear concerned when told about the breach. Christopher Wright, Director of the Merifin Capital Group, said that he was “delighted to know that my life membership continues”.
James Nicola, who heads up a consultancy company, said: “My home address is available to anybody with access to a London phone directory…The Union has been slightly careless and should take greater care, but it’s hardly something which is worth making a fuss about.”
The Union published a statement on the front page of its website last Tuesday evening, after a reporter informed it of the breach. The statement said the society had asked its web provider to launch an investigation into why the details were available.
“We take this matter very seriously, and will provide further information as soon as it becomes available,” it read.
As soon as this newspaper became aware of the breach, it contacted the Union, the data protection authorities and as many of the individuals concerned as possible, complying with the provisions of the Act.