Student site blunder sets off online data alarm bell

Bath University student union has taken down its online student registration system after students, staff and security experts...

Bath University student union has taken down its online student registration system after students, staff and security experts accused it of collecting sensitive personal data in breach of the Data Protection Act.

The union provoked an outcry when it asked union staff and student group officials to register their addresses, mobile phone numbers, and sensitive details about their disabilities and religious beliefs on an online database.

Bath is the latest union to outsource the management of its student databases in a £10,000 a year deal with supplier Uniservity. The system will improve communications with students and offers the union the potential to generate advertising income by sending targeted e-mails and phone text messages to students.

Its experience will act as a warning to other student unions or small businesses developing online databases designed to hold personal information.

"Student unions, like any organisation, have to comply with data protection legislation and that requires them to be fair in the collection and dissemination of that data," said Dai Davis, IT lawyer at Nabarro Nathanson.

Bath University registrar John Bursey told Computer Weekly that the university had asked the union to take down the site after parents and staff raised concerns about how the data would be used. "The university cannot be party to any kind of activity which places it at risk of breaking the law," he said.

Although the site is still under development and will not be launched until September, security experts said the student union had fallen foul of the Data Protection Act, by asking staff and student group officials to sign up for union membership cards, without posting a privacy policy.

"It would be like asking what religion you were before giving you a library ticket," said Neil Barrett, director at IRM, who examined the site for a concerned parent.

"They were asking for considerably more information than is strictly necessary to establish that you are a student and eligible for a National Union of Students membership card," he said.

Davis said the union should have taken extra safeguards because it is dealing with sensitive information on religion and health. "They should have a Web site which spells out what they are going to do with the data and they should ideally ask students to opt in to supplying sensitive data, rather than opt out," he said.

Daniel Yeo, president of Bath Students Union, said staff had simply translated its existing paper registration form, which records religious and ethnic background for monitoring purposes, on to the Web.

Only 50 students and staff had signed up before the site was taken down. "We need to think more about the data protection. We did not make it clear which fields were mandatory and which were compulsory," Yeo said.

The student union has asked Uniservity to sign a data protection agreement confirming that the data will be held securely and will not accessed by third parties.

Uniservity said that while it provides the technology and can give details of how the system has been used by other organisations, it leaves data protection issues to each student union.

"It is very much down to the institution. Really we are providing the technology. In a lot of cases they are not asking for any information online that they are not asking for offline," said Uniservity director Alan Wood.

But Barrett said student unions often lacked the experience to deal with data protection issues. "[Uniservity] does have a responsibility to make sure that the data that has been passed to it has been collected fairly."

Five steps to data protection
  • Does your data include sensitive political, religious or medical data?
  • Identify who is giving data and who receives it
  • Are any of the people you are giving information to passing it on?
  • Spell out all uses of data, especially sensitive information, precisely in a disclosure statement
  • Allow an opt-in for sensitive data.

Read more on IT risk management