Employees at the University of Copenhagen have had unjustified access to confidential personal data
The University of Copenhagen regrets to announce that, for a period of time, groups of university staff have had too broad access to personal data about individuals associated with the University. The case is being investigated, but there are no indications of personal data misuse.
The error was discovered by a University of Copenhagen staff member in connection with a review and subsequently reported to the Danish Data Protection Agency. The University is taking the case very seriously; however, it does not concern data that is normally at high risk of being misused or that people outside the University have been able to access.
At the same time, it is emphasised that the staff members who have had access to the data are all subject to the provisions of the Danish Public Administration Act on the duty of confidentiality under criminal liability.
What is the nature of the personal data?
The case primarily concerns data used in connection with salary payment. This means civil registration numbers, job categories, employment start dates (and possibly termination dates), home addresses and other information that could be used by other staff members to obtain information related to representatives authorised to negotiate in connection with pay negotiations. It also includes a code used by the University’s HR department to determine reasons for termination. A small proportion of the employee data concerned is subject to name and address protection.
In addition, some data was related to the physical access of employees, students and others associated with the University. This data was also linked to civil registration numbers and was accessible to the University’s IT department.
Who is affected?
In total, around 310,000 people are affected, and some of the data has been accessible for several years. Those affected have all been directly and formally associated with the University of Copenhagen. This means that they have received payment in the form of salary or other fees from the University of Copenhagen or they have been students.
However, student data has only been accessible to the University’s IT department.
Who had access to the data?
Only employees at the University have had access to the data, and the vast majority did not know they had access since the data was stored on a network drive to which access had to be actively established.
Risk assessment
Naturally, the University of Copenhagen takes this incident very seriously and apologises to all those affected. However, for the majority of those affected the risk of data misuse is assessed to be low. For example, civil registration numbers are confidential personal data, but not easy to misuse for identity theft or similar. Read more on the Danish Crime Prevention Council’s website: https://dkr.dk/it/identitetstyveri (in Danish only).
The University has not identified how pay information, and other related information, could be misused to harm those affected.
Home address data is assessed to pose a potential risk for the rather few individuals under name and address protection in Denmark. The University of Copenhagen does not assess that there is a high probability that unauthorised staff members have been aware that they could access the data or that they have used it. The error was discovered by the University's employees, and the data was located on a specific network path that could not be accessed automatically.
Finally, the data did not include a specific list of individuals with name and address protection. This means that in order to misuse the data, one had to be among the group of staff members with access to the files; know that they had access; open the relevant files and find each individual with name and address protection; and know how to find the network drive. In this regard, the risk assessment also emphasises that the number of people who had gained access to the data at the time of the discovery was relatively low.
What are the University of Copenhagen’s next steps?
The University takes the situation very seriously, and that is why measures have been initiated to uncover how this error could occur and how the University’s security processes can be optimised in order to minimise the risk of similar incidents occurring again.
Contact
If you have any questions, you are welcome to contact the University’s data protection officer at dpo@adm.ku.dk.