UCD reports six personal data breaches to watchdog
The details are contained in UCD’s annual report and consolidated financial statements, which have been laid before the Oireachtas.
University College Dublin reported six personal data breaches to the Data Protection Commission in the year to 30 September 2021, including two cases where an unencrypted USB stick that held personal information was “lost”.
A further breach involved a fraudulent third party being granted temporary remote access to a UCD computer during a scam call.
It was also discovered that the university had expenditure of €6.6m during that financial period that was not compliant with procurement regulations. Just under €1m of this expenditure is now compliant.
It said that despite the effects of Covid-19 during the year to September 2021, the university recorded a net surplus of €34.8m.
Total income increased by 10% during the year, with State funding increasing by €3.9m and income from academic fees increasing by €20.6m to €260.6m.
UCD secured a new loan financing facility of €350m with the European Investment Bank to part fund planned capital developments, but has not yet drawn down any of these funds.
It said this money would go towards increasing faculty and student numbers by building “world-class academic and student amenities”, the new Centre for Creativity, the Centre for Future Learning, a new extension to the O’Brien Centre for Science and new and improved sporting facilities.
The university also pointed to its new bullying and harassment and sexual misconduct policies. “It is anticipated that this will yield a greater number of formal complaints,” it said.
On the subject of the data breaches, UCD said that the Data Protection Commission closed the six cases it reported but provided a list of recommendations for the university to consider.
It said: “UCD has considered the recommendations of the Data Protection Commissioner and opportunities for improving controls have been identified.
“Two have been approved for action, with further work to be done on a third before it is considered again. The implementation of the approved action is ongoing.” It set a target date for the completion of this work in the first quarter of 2023.
In February 2021, the university was fined €70,000 by the Data Protection Commission after log-in details for some of its email accounts were posted online.
In addition to the fine, it was officially reprimanded and ordered to bring its processes up to General Data Protection Regulation (GDPR) standard, over seven separate personal data breaches dating between August 2018 and January 2019.
The DPC said the breaches concerned “instances where unauthorised third parties accessed UCD email accounts, or where the log-in credentials for UCD email accounts were posted online”, while the college had further infringed the GDPR by failing to notify the commission without undue delay — the notification having occurred 13 days after UCD became aware of it.
At the time, UCD said it had addressed the issues raised by the DPC.
Regarding its non-compliant procurement procedures, UCD said that action is being taken to highlight spend approaching the €25,000 threshold “so that if a tender process is required, there is sufficient time to run the process before the spend breaches the threshold”.
This is an interim measure, it said, until the compliance framework encompassing a number of factors can be implemented in the first quarter of 2023.




