I was shocked to read in the news of the case of a lecturer at University College Dublin who has been charged with offences relating to unlawfully access of students’ personal information and use of that information to harass students. According to news reports, over 100 students were affected by these actions.
The case is still before the courts so it would not be appropriate to comment any further on it, but I hope it sets alarm bells ringing in universities everywhere about access to student information. University registry systems store personal data on each student, from home addresses and telephone numbers to photographs and confidential medical records. It has always worried me that a determined hacker could have access to very sensitive information they could use for nefarious purposes.
Higher education institutions do take data security very seriously. In the UCD case mentioned above the person concerned is alleged to have used some sort of malware to read student passwords and access personal data that way. That in itself is a criminal offence, quite apart from what this lecturer may have done with the information subsequently.
On the other hand, it does concern me greatly how much information about students may be routinely accessible by teaching staff without needing to do anything unlawful. For example, I can see no reason for lecturers to be able to access home addresses and private telephone numbers of students. The university needs to hold that information, of course, but I can see no legitimate purpose for individual lecturers to have access to it. Access to such data should be strictly limited to departmental administrators or other carefully selected staff, for use in very specific situations (e.g. emergencies). Otherwise a student database may become a stalker’s paradise.
I hope universities in Ireland and elsewhere will be sufficiently worried about this case that they will review not only the defence of their systems against unlawful access from outside, but also their policies on who inside the institution is actually allowed access to what data and why. The more people who can obtain this data, the greater the risk to students.
In the Dark 