Leak raises privacy issues at Brock

Erik Dickson
The Brock Press
February 9, 2010

In their day-to-day lives, students give up a great deal of their personal information; whether it be on Facebook, in e-mails or when signing a petition.

However, a recent leak of students’ personal information at Brock raised questions about how the university handles this information.
According to a message posted on the Brock Web site from the University Provost, Murray Knuttila, some student information was inadvertently made accessible through Internet searches.

Sometime prior to Jan. 28, a library employee accidentally uploaded a file containing student information to a publicly accessible Brock Web site. The file itself contained names, student numbers, phone numbers, mailing addresses and email addresses.

A student notified the school shortly after, when he was able to access information about himself by simply searching Google.

“The file that was inadvertently uploaded has been deleted,” said Knuttila. “All student files are now safe and secure.”

Despite correcting the error, the leak of personal information has raised questions about privacy, and how it is handled by staff within the school. According to university spokesperson Kevin Cavanagh, student information is used in many different departments, serving different purposes.

“Remember that university staff in different departments need different types of information,” he said. “Data like student names, student numbers and contact information is used in many ways, from professors updating class lists to the registrar’s office sending letters to students.”

Cavanagh also pointed out that although it may seem unusual for library staff to have access to this information, they require it on a daily basis in order to lend out books to students.

“The university sincerely and unequivocally apologizes to anyone affected by this mistake. It should not have happened, and we are taking steps to try and make sure it never happens again,” said Cavanagh. “This mistake was the organization’s, not the individual’s.  The university takes full responsibility. Our processes should not have put a staff member into a position where this could happen in the first place.”

Despite this issue being addressed on Feb. 3, many students were surprised later in the week to find an unusual e-mail from an Academic Advisor containing at least 300 student numbers. A second message quickly followed, asking all recipients to delete the previous e-mail, as it “was sent to [them] in error”.

Andrew Beech, an international student from Bermuda, received the e-mail, and approached The Brock Press. He was surprised to find that his own student number was included in the list.

In regards to this error, Cavanagh stated that although the e-mail was not intended to be sent to students, it did not contain any personal, identifiable information, therefore there was no breach of privacy.

Nevertheless, the two separate incidents have caused a stir among students.

In order to help prevent similar mistakes from happening in the future, the university is asking Deloitte – a world leading audit and management consultant – to review how Brock stores and handles information.

“A situation like this is not something we take lightly, and immediate steps were taken to reduce the risk of any recurrences,” said Knuttila. “Brock University is committed to the highest level of security of student information and the protection of privacy.”

“We are also reviewing our staff training procedures for handling and storing any files with student or personal information,” said Cavanagh. “If our system needs better checks and balances, we want to know it and implement them.”

Those with questions or concerns should contact University Communications at univcomm@brocku.ca.

Originally Printed: The Brock Press