An email sent out to all students registered with a disability with UFV’s Disability Resource Centre (DRC) on Nov. 23 accidentally identified students on the email list.
David Johnston, the university registrar, explained that the email, which went out to 435 students, unintentionally failed to follow the standard procedure of blinding the email addresses.
“An employee was emailing instructions to a group of students in the DRC and put the student email addresses in the cc instead of the bcc, so it exposed students’ email addresses to everybody, so everybody knew who else got the email,” explained Johnston. “It’s a human error. It’s an unfortunate, inadvertent human error.”
Within a few hours, UFV’s IT department recalled the email, making sure that it was deleted from all myUFV student emails.
“We did work with the email team in IT and they were able to delete it from people’s email boxes, myUFV email boxes, because that was the right thing to do, to correct that part of the error,” Johnston said.
However, Johnston noted that with many students having their UFV emails automatically forward to their personal email accounts, there is no way to verify that the email is no longer in circulation.
“Some people had seen it, some people hadn’t, and then of course some people forward it to an off-campus email,” he said. “So we did what we could in terms of that, and then we’re required to communicate with people who have had their personal information breached.”
To let affected students know about the email, an additional email was sent out by Johnston, letting them know of the error.
“They got an email from me describing in quite simple terms what happened and what we had done and advised them that … no other personal information was released, if they had concerns they could contact me,” he said.
Since the email was also sent to 128 external email addresses, Johnston’s email requested that anyone involved delete the email from their personal email address.
“If you forward your UFV email to a non-UFV email account we ask for your cooperation in double deleting the original email and the recall notice from your inbox and then from your deleted or trash folder,” the email read.
Because the incident is considered a breach of privacy, UFV’s privacy officer was required to file a report with the B.C. Privacy Commissioner, whom affected students were provided with the contact information for, should they have any concerns.
“We informed the board, the privacy office here, which is in our legal counsel office,” Johnston explained. “[They are] now required to report to the office of the information privacy commissioner what the breach was and what we did to stop it, what we’ll do to make sure it doesn’t happen again, and what we did to inform the people who had their information breached.”
Jody Gordon, UFV’s vice president students explained that the requirement exists as the province’s way to ensure that breaches of privacy are dealt with accordingly.
“They want to make sure that we’ve done things so that in the future this can’t happen again,” she said. “Our legal counsel will tell them exactly what we have done and what we will do in the future. If they think we’ve missed something they’ll tell us. If they think that there’s a risk of greater exposure, they would then step in.”
To prevent similar incidents from recurring in the future, Johnston and UFV’s chief investigation officer are currently exploring options to switch to an email management software program that will automatically send out the emails and blind the email addresses.
“Email management software can help with that where you’re not relying on someone putting it in the right column, cc versus bcc,” Gordon explained. “It’s human error and human error is going to occur and software is a way of making it harder for human error to occur.”
