King’s College London breached GDPR by handing students’ information to police, review finds
Following a review of its security arrangements, King’s College London has referred itself to the Information Commissioner’s Office after improperly sharing sensitive information about politically active students with police
An independent review of King’s College London’s (KCL) security arrangements has found that the university breached the EU’s General Data Protection Regulation (GDPR), as well as its own data protection policy, when it disclosed the sensitive personal information of students and staff to the Metropolitan Police.
The review, carried out by independent higher education consultant Laura Gibbs, also found that none of the individuals had “been part of a disciplinary process and none had been found guilty of violating King’s policy or regulations”.
Acting principal, Evelyn Welch, said in an open letter that KCL was now working on plans to implement the review’s recommendations.
“Our aim is to have a plan ready by mid-September 2019, which we will also make public,” she wrote.
KCL made the decision to hand over these individuals’ information to the police in the run-up to a visit by the Queen, who was invited to open its new Bush House building on 19 March.
The university’s head of security had gathered the information two weeks before, following student protests outside an event being held by the Israel Society, compiling a list of 16 students and one staff member.
“This document included the names of the students and staff, and details of their course and membership of various student societies. A data protection impact assessment was not carried out and no checks were made to further verify the identity of these individuals,” the review said.
Later, on 15 March, the head of security emailed his police contacts, alerting them to unconfirmed reports he had received about students’ plans to hold a disruptive protest during the Queen’s visit.
The police replied asking for more details on the individuals, to which the head of security responded by attaching a document listing the “main protestors”.
In an email dated 18 March, the head of security also told police which groups the students were from, naming KCL Action Palestine, KCL Cut the Rent, KCL Justice for Cleaners, KCL Intersectional Feminists and KCL Climate Strike.
He added that the students’ information had been taken from the university’s card security, which did not include date of birth: “I would have to go to student services, which would raise flags and cause chatter, so would rather not as this is sensitive around student freedom!!!”
The new list of protestors was a subset of the earlier one, this time including 13 students and the member of staff – all of whom had their access to KCL buildings revoked during the Queen’s visit.
As a result, one student nearly missed an exam and another ended up being late for an assessed presentation, having to “beg to the point of tears to be let in”.
KCL’s security team handed over the information without police having made a formal written request for the students’ information.
Although the review found the creation of the original list to be “proportionate and appropriate as part of a disciplinary process”, the addition of further information regarding membership to student societies, the repurposing of the information, and its transmission to the police without formal written request are all breaches of the GDPR, as well as KCL’s own data protection policy.
The review concluded that the teams involved, despite being under considerable strain to balance the right to freedom of expression against maintaining security, had “overstepped the boundaries of their authority and in doing so have lost overall sight of their role in protecting the students and staff of King’s”.
It also set out 20 recommendations, including…