King’s College London breached GDPR to prep for royal visit
Image credit: Dreamstime
According to an independent report, Kings College London (KCL) breached European data protection regulations (GDPR) when it shared a list of activist students with police.
Several students (and one member of staff) were barred from campus in March 2019 during the opening of the new Bush House site by the Queen. The students were unable to access KCL buildings due to having their access cards temporarily deactivated.
Approximately two weeks before the visit, a group of protestors appeared at a closed-door Israel Society event. The protestors were identified (although their identities were not verified) and listed in a document by the Head of Security. The Head of Security later contacted the Metropolitan Police to alert them to unconfirmed reports that students may disrupt the planned royal visit and the police asked him for details of the individuals. The Head of Security disclosed that the students belonged to the KCL Students Union Intersectional Feminist Society and shared a document listing the protestors.
After a group of protestors disrupted a university council meeting on the day before the visit, the Head of Security decided to prevent 13 individuals previously identified from accessing some parts of campus on the day of the visit by blocking their card access. This caused one student from entering a KCL building to attend an assessed presentation, forcing her to “beg to the point of tears” for admittance, while another had to have their access reinstated to attend an exam in Denmark Hill, South London.
An independent report has concluded that the creation and limited circulation of the list of protestors (within KCL) was “proportional and appropriate”, as well as being compliant with GDPR. However, it found that adding information about the protestors’ membership of student societies was not appropriate and was a breach of Article 9 of GDPR, which protects ‘special category data’, such as racial or ethnic origin, sexual preferences, political opinions, religious affiliation, trade union membership, and biological data.
It also found that sharing the data with the Metropolitan Police was a further breach of GDPR, as well as its own data protection policy (King’s Data Protection Policy). Barring the students was also found to be “disproportionate”.
“The release of information regarding individuals, against whom there was neither evidence of criminal activity nor any internal disciplinary findings, representing a significant breach of trust and a failure to protect the wellbeing and future prospects of King’s students.”
The report recommended that KCL report the breaches in data protection to the UK data watchdog, the Information Commissioner’s Office.
Acting principal of KCL, Evelyn Welch, has confirmed that the ICO has been notified of the breach and that she would be beginning a consultation to implement other recommendations made by the independent report.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.