
King's College London breached GDPR sharing list of activist students with cops - noobermin
https://www.theregister.co.uk/2019/07/05/kings_university_breached_gdpr_by_sharing_list_of_activist_students_with_cops/
======
noodlesUK
I don’t know much about this particular case, but speaking as someone who has
experienced _serious_ lapses of data protection in the UK university sector,
there needs to be stronger enforcement of data protection laws, as the
universities just don’t care. They make a huge fuss about privacy to students,
but will just randomly hand out PII without a second thought. I’ve personally
seen spreadsheets of people’s enrolment and disability status sent to entire
mailing lists by mistake, egregiously violating data protection law. I’ve
actually called the ICO before when I realised that literally hundreds of high
privilege SU accounts had the same password (these accounts were used to
handle expense claims for thousands of students, and had years of bank
records). There was no enforcement action as far as I’m aware.

I doubt that the administrators who provided this information to the Met even
thought about the students rights for a second.

~~~
huntermeyer
According to the article the administration knew there were privacy concerns.

> In response to a request for the dates of birth of the protesters from the
> Met Police, an email from KCL read: "We've taken their details from our card
> security which does not have DoB. I would have to go to student services
> which would raise flags and cause chatter so would rather not as this is a
> sensitive around student freedosm!!! [sic]"

~~~
noodlesUK
Oh dear... That sounds like a security team bending over backwards to
accommodate a police request knowing that it’s against data protection
policy...

~~~
SAI_Peregrinus
The police hadn't even requested the data. It's the security team _going out
of their way_ to bend over backwards in hope of pleasing the police despite
knowing that it’s against data protection policy...

------
olliej
You shouldn’t need a law to tell you the “sharing the names of activists with
police when they haven’t committed any crimes” is wrong.

~~~
colechristensen
But apparently you need a law with punishment swift and severe for this kind
of activity.

~~~
mdpopescu
Yeah, how's that working out?

------
bitxbitxbitcoin
Why did this university have a list of "activist" students curated anyways?
The article doesn't make it clear whether the police asked the uni for a list
of students involved in x and y organizations or whether the uni just handed
over a list of people on a watchlist. Either is disturbing.

The student organizations that these activists belonged to don't really sound
that extreme, depending on who is asked of course.

Action Palestine, Cut the Rent, Justice for Cleaners, Intersectional Feminists
and Climate Strike

~~~
DanBC
They had the list because they've had problems with some students occupying
buildings in demonstrations around pay and conditions of cleaning staff. Often
cleaning is sub-contracted to a different company, and the cleaning staff have
terrible pay and conditions.

Police requested the information, but did so informally. Police didn't specify
specifically what information they needed. [EDIT: This is bad! The uni should
have asked for a formal request, and then done a privacy impact assessment.
This is mentioned in the report linked to below]

Ignore the Register, which is hopeless, and read the report which is also
hopeless but at least it's mostly factual.
[https://www.kcl.ac.uk/news/statements/bush-house-security-
re...](https://www.kcl.ac.uk/news/statements/bush-house-security-report.pdf)

~~~
harimau777
Wouldn't an informal request be more concerning than a formal request since it
is more likely not to undergo the normal scrutiny?

~~~
DanBC
Yes!

------
lostmymind66
Let's flip this around. If these were 'nazis' would you feel the same way?

In the US, alleged nazis are doxxed and given to the press, police, and anyone
else and nobody seems to care. I don't think I've seen on complaint here on
HN.

My point is that we should care about everyone's privacy..not just the people
that you agree with politically.

~~~
p_l
Do these groups include, in their core beliefs, the idea that _others_ should
have no rights or worse?

No?

Nazi do. They aren't going to extend the same olive branch to talk things out
if they have the power, but will hide behind "but your tolerance! DEBATE
ME!!!" when they don't.

The only thing I'd extend to them is the right to due process and innocent
until proven guilty - but walk around with Nazi paraphernalia or slogans and
you're getting punched.

~~~
lostmymind66
Well, We see the tolerant left strikes again. Thanks for proving my point.

~~~
p_l
Tolerance needs to go both ways. When the other side's core belief do not
allow for "live and let live", there's no space for tolerating them.

------
Zenst
I would recommend reading :- [https://ico.org.uk/for-organisations/guide-to-
data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-
protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions/)

This will enable a better perspective about GDPR and exemptions, which would
be most relevant in relation to the cops/police/security
services/government/.......

------
download13
At least the GDPR turned out to have one good use...

What the hell was the uni doing trying to suppress activists to begin with?
That's kind of a hostile school/student relationship.

~~~
achamayou
The clue is perhaps in the name, it isn’t called “The Students’ College”.

------
dogma1138
Sharing data with LEOs even voluntarily isn’t a breach of the GDPR, this isn’t
an ICO finding the ICO will come back to Kong’s Collage and say nope you
didn’t violate the GDPR.

~~~
DanBC
I agree it's not a violation of GDPR. I still think the university is wrong to
just hand over the data.

The university isn't covered by RIPA (I don't think so anyway, maybe I'm
wrong), but the police are and I'd be interested to know if this police
request was RIPA compliant.

~~~
detaro
Curious why not? Legally required sharing would be covered, but this doesn't
appear to fall under that?

