An internal audit is criticising Lund University’s handling of students’ and employees’ personal data. The University says that it is listening to the critique but has given itself until 2018 to deal with the problem. Until then, the University does not know how it can ensure the protection of students’ sensitive information.
By Andrea Huberyc. Translated by Viktor Jönsson.
The way Lund University is dealing with personal data is insufficient. This statement was made by an internal audit in early September after reviewing the University’s organisation and resources. Among other things, there was a lack of routines for recording the processes that exist at the University, and there was also a lack of follow-up and checking of those processes. The University is furthermore judged to be in great need of reviewing its routines and guidelines, as the existing ones have not been clear enough.
It is, for example, not made clear to those handling personal data how to ensure that the information is adequately protected. The University also has insufficient routines for categorising and handling sensitive data in a secure way, which can lead to the use of a cloud-based system where the University has no control over the protection.
The responsibility is 1/5 of an employment
Gunilla Norberg, comptroller at the internal audit, points out that part of the problem is that the person responsible for maintaining the protection of personal data holds a position in which this task makes up only twenty percent of the total working time.
“We do not know how big this service should be, but we can be sure that twenty percent is not enough”, she says.
More about risks than something bad having happened
In May 2018 a new data protection law will come into effect, which will place further demands on companies and administrative authorities dealing with personal data to have enough resources to protect the information.
As the internal audit was done before the rules were changed, Gunilla Norberg wants to stress that the critique was not a result of problems having occurred per se, but of problems that could occur in the future.
“Does not feel particularly safe”
Pontus, a student at Lund University, thinks it does not feel particularly safe to disclose personal information to the University when it stores the information in cloud services.
“The majority of personal information is public today, but there is some sensitive information only the University has special access to. For example, information in case you are in need of special assistance because you have dyslexia. It does not feel if such information can be leaked”.
Shall review all procedures
Lund University takes the criticism seriously.
“We absolutely think that there is work to be done here and have put together a project where a project manager will review all procedures”, says Susanne Kristensson, Head of Administration at the University.
How have these problems been able to happen at all? Should this not be a high priority to ensure that an individual’s personal information is safe?
“Just because there are areas in need of improvement does not mean that this has not had a high priority from the beginning. We see potential for improvement all the time when it comes to procedures, but everything is sadly enough not perfect from the beginning”, says Susanne Kristensson.
Lus are not particularly worried
Lund universitets studentkårer (Lus) have read both the report and the Vice-Chancellor’s statement.
“We agree with the internal audit’s conclusion that there are shortcomings that must be addressed, but the report is more about identifying risks and dealing with them – not that a violation has occurred – and we are therefore not particularly worried. But it is of course a problem for someone in need of a more sensitive treatment of their data if everything is not done properly”, says Jack Senften.
Pontus is an alias.