We are sorry for any inconvenience caused by recipients replying to an email sent to some of our students on 14 January 2021. In order to minimise this inconvenience, the University’s IT department removed the ability of recipients to reply en masse to the email within a short time of the issue occurring. This means that if you had replied to the email after 14:00 your email would not have been distributed to the list. However, it is possible that many people continued to receive emails after this time. This is because of the volume of emails being sent before the list was frozen, resulting in the release of those emails over the course of the afternoon.
The University’s Data Protection Officer has had the opportunity to review the contents of the email, the manner in which the email was sent and the number of individuals affected by the breach.
They have determined that the data protection risk to individuals is minimal. This is because, apart from the email addresses of the individuals who replied to the mailing list before the list was frozen, no other personal data had been compromised, as the email distribution list was private. Furthermore, the email sent by the University was generic in nature which meant that its contents could not be used to deduce if the recipients shared any sensitive data in common with each other.
We have provided advice to those staff members involved in sending out the communication and have highlighted the availability of University tools the use of which can reduce the likelihood of the breach reoccurring. The University now considers the data protection element of the incident closed. If you would like to make a complaint to the Information Commissioner’s Office (the body responsible for regulating the use personal data in the UK), please see the link below: