An independent review of King’s College London’s (KCL) security practices has found the university guilty of breaching GDPR regulations and its own data protection policy when it disclosed the personal information of student activists to the Metropolitan Police.
Prior to a visit by the Queen, KCL’s head of security gathered information of students from protests outside an event being held by the Israel society and handed the list of names to the Police. Correspondence between the head of security and the police shows that the information was taken from their security cards and it also included details of the societies they were members of including: KCL Action Palestine, KCL Justice for Cleaners and KCL Intersectional Feminists. Consequently 13 students and a member of staff had their access to KCL buildings revoked during the Queen’s visit to open the new Bush house in mid-March.
The review revealed that KCL’s security team handed over the information without the police making a formal written request. It also found that information “regarding membership to student societies, the repurposing of the information, and its transmission to the police without formal written request are all breaches of the GDPR, as well as KCL’s own data protection policy.”
In a letter addressed to staff and pupils, acting principal Professor Evelyn Welch wrote about the review, “It makes clear that these actions we took with respect to our students were wrong and did not meet our values. We accept its findings and recommendations in full and are putting in place a plan to address all the issues that have been raised.”
The review set out 20 recommendations including that the data protection breach should be immediately referred to the Information Commissioner’s Office and for appropriate mechanisms to be put in place to support students who wish to make a subject access request to the Metropolitan Police Service. KCL has notified the ICO of the breach and is awaiting a response.
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.