The report concluded that the SU 'did not have in place the appropriate checks and balances' concerning sensitive student dataDaniel Hilton

An independent report into the data breach at Cambridge Student Union (SU) has found that “fundamental mistakes have been made” and that current data practices are not “robust, effective or transparent”.

A Varsity report earlier this year found that students had been “effectively outed without even knowing it” as students’ sexualities, gender identities, race and disabilities, which are declared anonymously in some SU-run elections, were accessible to committee members running elections for other societies and J/MCRs - without the explicit permission of the students themselves.

After axing an initial student-led inquiry into the incident, the SU commissioned an independent report, conducted by Coole Insight Ltd, which has now found that a data breach did take place.

The report states that the SU should have gained the explicit consent of students to collect this data and that the SU’s voting platform “did not have in place the appropriate checks and balances”.

Despite the SU initially claiming that a data breach had not taken place, the report concludes that a breach did occur as “multiple students” had “the ability to view the names of students who self-define into liberation groups” which breaks the GDPR principle of “protection against unauthorised or unlawful processing”.

The report also acknowledges the dangers that were posed by this breach, declaring that “if this list had fallen into the hands of someone intent on processing this in a malicious way, this has the potential to have catastrophic consequences for the individual concerned”.

Based on the number of student groups involved in the breach, the report also concludes that between 250 and 300 students had access to sensitive data.

The report, which was in part based on interviews with students and SU staff, criticises SU staff for showing a “distinct lack of urgency about the issue”. The report finds that the SU were made aware of the issue in January 2022, and took five months to take any action and then a further five months to resolve the issue. This ten month process and delay is described as “unacceptable”.

The SU are also criticised for going “against all practice within GDPR legislation” by taking four weeks to report the breach to the Information Commissioner’s Office (ICO). This report was incomplete as it claimed less than 100 students were affected. Responding to the conclusions of this report, the SU have now made a further, full report to the ICO.

The report also finds that the SU’s CEO Rich Wiltshire, who is responsible for data protection and has since left his role, claimed in a democracy committee meeting in December 2022 that no data breach had occurred.

The report says that “significant mistakes” made by the SU “have then been compounded by inaccurate reporting and poor information flow within the SU’s governance structure which has contributed to actions being taken that have made this issue significantly worse than it originally should have been”.

Following Varsity’s initial article concerning the data breach, a statement on the SU website, which has since been deleted, criticised Varsity’s reporting as “misleading” and responsible for causing the “spread of misinformation”. In the same statement, the SU claimed “there was no data breach… the ICO confirmed that this did not class as a data breach”. The independent report finds that this statement was made “on the basis of incorrect information”.

Although criticising the SU for being slow to act, the report finds that the organisation has made “clear steps to avoid this happening in the future”. The SU have re-reported the full data breach to the ICO on the recommendation of the independent report. The SU have also pledged to improve GDPR training for student volunteers during the summer and conduct a review of their current data procedures.

The report also urged the SU to make a full apology to students. In a statement on their website, the SU have said: “We sincerely apologise for the mistakes made in this situation and for the distress and uncertainty caused to students over the last few months. We would also like to apologise for any lack of clarity or miscommunication throughout the process, including the initial statement made that we now know to be untrue. In all our work we prioritise the safety and wellbeing of our members, especially those from marginalised groups. We will be acting swiftly to ensure that the recommendations from the investigation are completed as soon as possible, and will update students as progress is made on this. We always welcome feedback from students on how we can be better, and this will include making it easier and clearer to raise concerns and complaints in future.”


READ MORE

Mountain View

SU axe student-led inquiry into data breach

Sam Carling, a student who originally raised concerns of the data breach last year, welcomed the report and told Varsity: “Over the almost eighteen months since I first raised the issue of students’ sensitive data being leaked, we’ve seen the SU go from ignoring the issue, to denying it ever happened, to downplaying the extent of it. Further, students reporting this issue were accused of lying and acting in bad faith. This report finally delivers justice for affected students, and those of us that fought to bring the issues to light. It lays bare a need for significant reform within Cambridge SU, and I hope the SU learns from this that it must take students seriously when we raise concerns.”

Fergus Kirman, the SU undergraduate president-elect who raised concerns about the potential breach, told Varsity: “I welcome the fact that this report has fully vindicated the concerns that I and other students raised back in January. I’ve seen how much this saga has damaged student trust, and I look forward to rebuilding that trust and addressing the broader issues this has raised - with the rest of the new Sabbatical Officers - when we take office in July”.

In a further statement to Varsity, the SU said: “We accept that we have made serious mistakes and are truly sorry to all students who have been impacted. We acknowledge that our initial statement made in January was incorrect, as we did not have a full picture of events.”

The SU also said: “We take this failing seriously, and we know that student trust will take time to rebuild; we will continue to work with students to improve. We are constantly working to be as transparent as possible and welcome feedback from students on how Cambridge SU can be better in future.”