Employees have had access to personal data they should not have had access to
The University of Copenhagen regrets to announce that groups of employees have had overly broad access to personal data for a number of years. The case is still under investigation, but there are no indications that personal data has been misused.
The error was discovered in connection with internal self-monitoring and has been reported to the Data Protection Authority. The University of Copenhagen takes this matter very seriously and is now taking steps to ensure the same error does not occur again. At the same time, it is emphasised that the staff members who have been able to access the data are all subject to the provisions of the Danish Public Administration Act on the duty of confidentiality, breach of which carries criminal liability.
What is the nature of the personal data?
The data in question is stored in the University’s records system. It concerns different areas but includes, among other things:
- CPR numbers in various documents, including timesheets for fee payments
- Health information, for example in connection with sick leave (employees) and applications for dispensation (students)
- Information on applications for and granting of special educational support or applications for extended time
- Exam matters, including diplomas (students)
- Consultation of parties involved in different cases
- Information on suspensions and dropouts relating to individuals.
However, it should be stressed that only very few documents with the said content are part of the security incident.
How did it happen?
It was a human error that occurred in connection with the statutory delivery of documents to the Danish National Archives. In the process, some documents in the system lost their access restriction, although the overall access settings of the cases remained unaltered. This meant that it was possible to find and open individual documents by using sophisticated search methods.
When the error was discovered, the cause was unknown. The University therefore launched a thorough investigation to clarify the nature and extent of the incident. In this investigation, further errors were identified and corrected.
What are the University’s next steps?
This is a case that the University takes very seriously. The University is now investigating how to prevent the same error from occurring in future deliveries to the Danish National Archives (Rigsarkivet). Among other things, an internal information campaign on using the system will be launched.
UCPH has no reason to believe that data has been misused. At the same time, it should be stressed that employees who may have known about this sophisticated search method and been able to apply it are subject to statutory confidentiality provisions.
Contact
If you have any questions, you are welcome to contact the University’s data protection officer at dpo@adm.ku.dk.