Data protection questions raised as list of students’ emails and modules made available

Richard Herlihy

Loop was down between 2-3pm on Thursday, March 7th.

An oversight in DCU’s Loop portal may have inadvertently revealed the names of students who did not vote during recent student elections.

The alleged lapse also allowed the email addresses and module information of up to 18,000 students to be visible to all other students.

A ‘Participants’ page within the Students’ Union (SU) section of Loop displayed names and profiles for all students with access to student voting resources.

The list showed a “last accessed” timestamp which identified 4,499 students who visited the SU module on Loop, where online student voting occurs, between 10am Tuesday March 5 and 3pm Thursday March 7 last.

The list also identified a further 11,007 students who had not visited the page since elections began (and thus may not have voted). Another 2,607 students were recorded accessing the page in the days after voting closed.

According to results issued by the DCUSU Returning Officer, 4,134 students cast votes in this year’s SU presidential election.

Joan O’Connell, a member of DCU’s Data Protection Unit, told The College View on Thursday last that the matter was under investigation and declined to comment further.

In a separate statement several hours later, a spokesperson for the university’s communication team stated: “The University can confirm there was no breach of general data protection regulations in relation to the student Loop platform in the recent student elections.

“DCU is fully committed to ensuring that all staff, registered students, agents, contractors and its own data processors comply fully with data protection legislation regarding the processing and confidentiality of any personal data held by the University and the privacy rights of individuals under the legislation.”

On Friday the ‘Participants’ page of the SU Loop page was disabled, replaced with the message: “Sorry, but you do not currently have permissions to do that (View participants).”

However, up to 17,000 email addresses remained visible via the ‘Participants’ page of the Library E-Tutorial for Students (LETS) module in Loop.

A section of Loop’s Edit Profile page allows control over who can view a student’s email address. However, The College View can confirm that when this setting was toggled to “Allow only other course members to see my email address,” email addresses remained visible to non-course members via the SU voting and LETS modules.

The College View has identified other potential issues within the university’s e-learning platform.

Moodle, the open-source software which powers DCU’s Loop portal, issued detailed GDPR compliance recommendations ahead of tight EU data protection measures introduced last year, including the use of its new Data Privacy and Policy plugins.

However, the “Policies and agreements” plugin on student profile pages viewed by The College View on Loop is currently empty, displaying the message: “For any questions about the policies please contact the privacy officer.”

According to Moodle’s GDPR FAQ: “Installing the developed plugins alone will not be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required.”

Online voting for student elections was first introduced at DCU in 2015. An eVoting system was also considered and contracted in 2011 “but ran into data protection issues” and was abandoned, according to a poster describing the launch of the present system. The document includes “totaly [sic] anonymity for voter” among a list of benefits of the current implementation.

The DCU communications team informed The College View that learning management systems are designed using the principles of social constructivism, “which enables student – student collaboration in addition to student to lecturer interaction. This involves sharing of profile information which under the ‘lawful processing of data’ principle of GDPR is covered by ‘service of contract’ with the university.”

Additionally, a “Privacy” link on DCU’s Loop login page simply redirects to the university’s Registry homepage. In the “DCU Loop” Android app, a privacy policy link is included – however, it directs students to an out-of-date pre-GDPR privacy policy from 2015.

DCU’s full Privacy Policy describes an extensive data protection regime, outlining how it processes student data. But the documents do not appear to specify how personal data is controlled on the Loop platform.

The European Union’s General Data Protection Regulation (GDPR) came into effect in May of last year and was integrated into Irish law under the Data Protection Act (2018). It requires Data Controllers like DCU to protect the personal information of individuals, and to record consent and process it fairly for specified purposes, including a right to rectify incorrect information.

Just prior to the introduction of GDPR in May 2018, the University of Greenwich, UK was fined £120,000 (€140,000) for a 2004 breach in which data of 19,500 students was placed online. That data included addresses, dates of birth, phone numbers, and some details of mental health issues.

Organisations breaching the new regulations can now face penalties of up to 4% of annual turnover or €20 million (whichever is greater). The rules place particular emphasis on securing consent and providing terms and conditions “in an intelligible and easily accessible form”; companies can no longer “use long illegible terms and conditions full of legalese”.

According to the Irish Data Protection Commission, organisations are required to report personal data breaches within 72 hours.

The College View first reached out to the university’s Data Protection team on Thursday, March 14 to flag this issue. Numbers referenced above were retrieved on this date.

In its initial statement to The College View, DCU’s spokesperson added: “The university operates a dedicated Data Protection Unit, complete with a full and comprehensive suite of policies including the University Privacy Statement, all of which are available on the University website, designed to assist staff, students, members of the public and other interested parties in understanding the University’s approach to ensuring compliance with data protection legislation.”

Separately, referring to website visitors, the university’s Privacy and Cookies statement states that data is collected to track standard behaviour patterns and create summary statistics. However, it also states: “We do not attempt to find out the identities of those visiting our website” and “If we do intend to collect personal information we will make it clear and will explain what we intend to do with it.”

Image Credit: DCU