General Data Protection Regulations (GDPR) give you the right to request information held about you — for example, meeting minutes about your promotion, pay, complaints or even just malicious emails naming you. You may be unhappy about how your University has handled your own personal information. The Information Commissioner’s Office (ICO) is the last resort when Universities behave recklessly with your data and don’t comply with GDPR.
Trustpilot’s reviews of the ICO are shown above. They don’t inspire much confidence. 97 % of those who made a complaint to the ICO rate the service as 1 star (“… illusion of help …. Useless, don’t investigate anything … Communication is very poor, and it seems they do not care … They fail to take data breaches seriously … My MP is now questioning why they take tens of millions in taxpayers’ funding and don’t do anything … Not fit for purpose, intentionally … Why do they exist. When you advise them of a breach of your personal data, they say you have to deal with the problem … All these organisations supposedly there to protect people are just set up to create the impression that there is some form of regulation when there is not“).
This is entirely consistent with two stories reported to the 21 Group.
In the first, a Head of Department at a Russell Group university began tracking two members of staff with whom he disagreed. This involved monitoring the location of the members of staff by inappropriate access to the technical University wifi location logs which record mobile phones. This is a very clear breach of GDPR. An employer cannot track the locations of an employee unless the employee has given permission. In this instance, the matter was worse. The Head of Department was engaged in a bullying campaign against the employees and so was motivated by malice.
The ICO responded thus
A slap on the wrist for the university! Of course, the Head of Department suffered no ill effects for what would be a sackable offence in many professions.
The second example concerned material provided to candidates interviewing for a job as Human Resources (HR) Manager at the same Russell Group university. The candidates were asked to study interview materials for 30 minutes before answering questions. Extraordinarily, the materials were a thinly disguised description of an ongoing grievance raised by a number of individuals with the HR department. This material is confidential. Its use in a job interview process is unprofessional. Its use is legally improper, as the matter is under purview of a forthcoming Employment Tribunal. One of the interview candidates recognised the situation and forwarded the material to the individuals involved. Hence, any anonymisation was not done properly, as the individuals were readily identifiable to candidates.
The ICO responded thus
Here the ICO swallowed everything the University told it — which does not seem to be accurate. The most important error is that it is not a “previous real life case“. It is an ongoing real life case both in the university and in the Employment Tribunals. The ICO’s letter ends with another flick on the wrist for the university, though no individuals in HR are ever reprimanded or held to account.
Universities say they take bullying and harassment seriously. It should be obvious — but apparently it is not. So let’s spell it out. Individuals will be reluctant to raise Grievances with a HR department which recycles confidential matter into interview material and is then distributed to random job applicants.
26 Comments
Anonymous · 23 December 2024 at 08:20
“In the first, a Head of Department at a Russell Group university began tracking two members of staff with whom he disagreed. This involved monitoring the location of the members of staff by inappropriate access to the technical University wifi location logs which record mobile phones. This is a very clear breach of GDPR. An employer cannot track the locations of an employee unless the employee has given permission. In this instance, the matter was worse. The Head of Department was engaged in a bullying campaign against the employees and so was motivated by malice.”
Completely bizarre and psychopathic behavior from a university, though, sadly, hardly surprising. Some universities might as well rebrand their GDPR policies as GDR policies, given how pervasive and normalized this kind of creepy, pathological, Stasi-style behavior has become.
When was this kind of stalking (let’s call it what it is) ever acceptable for someone working at a university, let alone in a leadership position? And how on earth do these people and institutions think they can get away with it in a democracy?
My feeling is that the institutions, academics, and administrators engaging in this kind of behavior should be investigated—by the media, and the police. ICO and its incompetence be damned.
21percent.org · 23 December 2024 at 12:35
Agreed.
Psychopathic is the appropriate adjective for this behaviour.
Exuent · 26 December 2024 at 11:15
“When exposing a crime is treated as committing a crime, you are being ruled by criminals.”
Perturbed ptarmigan · 26 December 2024 at 18:15
“The whole educational and professional training system is a very elaborate filter, which just weeds out people who are too independent, and who think for themselves, and who don’t know how to be submissive, and so on — because they’re dysfunctional to the institutions.”
Anon · 27 December 2024 at 12:55
“When exposing a crime is treated as committing a crime, you are being ruled by criminals.”
So true. What makes the featured case of the psychopathic stalker more worrying is that this individual was in charge of IT and had “circumvented” the University’s “strong safeguards and procedures”.
Worse still, the “inappropriate” access was known to HR, features in a written investigation report, and was brought to the attention of the Head of School with a request to clarify the University’s policy on the use of wireless logs for tracking members of staff.
The University had to admit the inappropriate access to personal data to the ICO, stating that the senior member of staff had “used his pre-existing access to the Local logs” which –- but this is discretely put in brackets — “had been put in place erroneously several years ago by the departmental IT team”.
Surely such erroneously obtained access and the potential for its “inappropriate” use over several years should be setting off all sorts of alarm bells?
Not at all. Instead, the University’s hastily provided context of the complaint to the ICO, as one of a “long-running series of interpersonal disputes” was happily lapped up as an assurance that all is well in cyberstalking land.
Anonymous · 27 December 2024 at 13:46
Are you sure the department’s IT personnel weren’t complicit in some way too?
Group psychology is a powerful thing, and as with HR, the evidence of this in academia shows that all kinds of non-academic staff can be unwittingly (à la Milgram experiment) or willingly roped into a mobbing.
Mapleist · 26 December 2024 at 21:29
As a former subject of academic bullying in UK academia (bye bye losers) I just want to say I really appreciate the work you guys are doing. Keep on going, and don’t let those bastards grind you down.
Anon · 12 January 2025 at 15:58
Well, to avoid the grinding down, you have to be on your toes with this kind of thing because institutions in universities can try a lot of tactics. Sometimes, when the target has successfully fought back against the bully institution and bloodied its nose a bit, they behave just like a defeated schoolyard bully and go get a bigger bully.
They do this by leaning on connections to ruthless and bloodless corporate characters from large outside organizations that have chronic problems—some of these problems have recently reached the news and caused major scandals and upsets in scientific communities, as well as massive reputational fallout.
The idea is to do a hatchwell job on the target: to isolate, silence, smear, and neutralize dissent. It’s a calculated move, but the calculations and computations are flawed, and it’s remarkably stupid. See, the more people you bring in—and outside organizations too—the greater the risk, because the bigger the story, especially when some of those outside organizations and their staff have already taken quite a reputation hit themselves.
And then, of course, the whistleblower can just bring in their own support network, which may include the press (who are already watching and taking note), as well as policymakers. So, it never pays off in the end, and it’s a very cowardly move that always shows desperation from the institution.
Anon · 12 January 2025 at 16:00
Sorry, typo: * hatchet job.
Hunni eunt domus · 27 December 2024 at 09:23
Hmm well actually this is true in a more fundamental sense, in that it is also an infraction not to report a crime, if you had been rendered previously aware. And hence a more severe crime, to actively frustrate and prevent the reporting of abusive conduct against students and staff.
Anon · 11 January 2025 at 15:01
♫ And you may find yourself in a university haemorrhaging money and facing financial ruin.
And you may find yourself dependent on transfusions from funding agencies (ka-ching…).
And you may find yourself in a department with a toxic organizational culture.
And you may find yourself facing increasing scrutiny from the government, press, and the public.
And you may find yourself tempted to retaliate against a whistle-blower.
And you may ask yourself, “Should I be doing this— should I shoot the messenger?” ♫
What a hot mess… A once-in-a-lifetime crisis for those once-mighty UK universities, indeed, even if they are getting regular transfusions from funding agencies that keep them afloat, banking on the illustrious name of a namesake (of an organization that has also faced scandal), a mummy they wheel out periodically for an institutional Inti Ramnyi to lend legitimacy.
All jests aside, it would be a spectacularly dumb idea for universities to retaliate against whistle-blowers right now, given the risk of spectacular blowback…
Final point. Pro tip for the universities out there: No matter how hard you go after a whistle-blower, trying to destroy or silence and smear them, everything they’ve blown the whistle on will stay with your institution and its brand forever and forever be tied. Best to just get busy with the hard work of taking a long, hard look at your organizational dynamics and reforming them now.
Don’t get defensive and flustered, you don’t have the luxury of time now—it’s time to put your big-boy pants on.
♫ Letting the days go by, same as it ever was, same as it ever was, same as it ever was…. ♫
Elias · 27 December 2024 at 20:13
Seems to me there is a very clear lesson here, which is that if your boss asks you to do something that raises ethical and legal concerns, immediately take a pause. Ask for opinions from colleagues, search online, post to a discussion forum, speak to Citizens Advice, even go to the local police station and sound out their views too.
And if your manager made you do something that you now realise was illegal, you should stop complying right away and start making plans to find another role as soon as possible. Plus, be ready to be the first person to blow the whistle, before they do so on you – because if that is how they treat others, have no doubts that they will throw you under the bus as their trail of misdeeds start to surface.
Anonymous · 28 December 2024 at 06:31
Elias, the problem is that you can’t really stop people from complying with and participating in unethical behavior in a system that prioritizes and breeds compliance and cowardice above all else (forget all of the platitudes it’s compliance with the status quo and the narcissism of careerism that many institutions are actively selecting for in their students and staff).
For many people in HR, academia, and maybe even the student body, a moment of pause—a prelude to whistleblowing—simply isn’t going to come because there’s no reason to doubt whether there is an ethical or legal concern at play in what they are doing. After all, the thinking has already been done for them by the institution. Welcome to the machine.
Then, by the time a higher-up in the organization is involved, the work will have already been done through conformity to organizational culture and the self-narrative of bystanders and mobbers. The target or targets will have been dehumanized and made the institutional scapegoat, and through organizational and group psychology, there will be an implicit understanding that orders from the top of the hierarchy—whether from HR, line managers, or academics—are to be obeyed and not questioned.
Of course, perpetrators will throw others under the bus if they have their backs against the wall, but that isn’t something that crosses some people’s minds. After all, in the meantime, there will be rewards for the obedient—little goody bags filled with careerist penny sweets and trinkets for good boys and girls—and hints that if you don’t comply, you could be next.
And that carrot-and-stick approach, an appeal to self-interest and preservation, is usually enough to make most people fall into line and comply with anything—whether it’s participating in the violation of GDPR rules, breaking the law by retaliating against whistleblowers, or keeping silent about a professor who is a sexual harasser or a student suicide that resulted from institutional bullying.
Veritas · 28 December 2024 at 07:57
Working for a toxic institution can really fuck up your career. A legal adviser asked to file vexatious claims can end up disbarred for life, an IT officer exposed for cyberstalking will not be getting future interviews.
The big mistake most people make in these situations, is to think that by keeping a record of their boss ordering them to engage in illegal deeds, this will absolve them when the shit hits the fan.
It will not. You have to prove that you reported them to the appropriate authorities, including external ombudsmen, regulators, MPs or investigatory bodies.
That is the rule. No matter how late, you have to show that you acted.
Anon · 28 December 2024 at 13:04
There’s evidently not enough shit hitting the fan… yet.
Uskadar · 28 December 2024 at 13:34
When you look at the famous cases of organizational abuse in western societies, there is a common pattern. By the time the “shit hits the fan” there has been a process of compliance decay over a period of many years or decades because cases were never exposed or prosecuted, perpetrators got away with small acts of abuse, and then the small acts got larger and larger.
This is the same whether it is sexual harassment by managers, excessive risk in finance, the disregard of safety rules (Boeing, NASA, Chernobyl) or in this case, bullying in academia.
Sadly it often takes a big disaster before people start opening up the files and seeing ok, who said what to who and when? How did we get here? How did it start, and why did no-one put up a big hand to say “stop”?
The decay has taken place in academia over several decades due to rising job precarity, growing workloads, and erosion of basic values: from viewing younger staff as apprentices to be mentored and trained to a disposable resource.
One thing you can be sure of, though, is that once questions start to be asked, the reckoning never stops.
After all, people are still making youtube videos about Challenger, Chernobyl, Enron, Lehman etc and these all happened decades ago. We are still digging up more and more evidence about these cases.
Anonymous · 29 December 2024 at 14:18
Honestly, I’d like to believe that corruption, whistleblowing, and bullying within academia would generate the same public interest in the UK as other major scandals, but I don’t think it will—or at least not to the same extent in the mainstream media.
Years ago, there was an excellent investigative journalist, Rianna Croxford, for the BBC, who reported on gagging orders, bullying, and mobbing in universities. The reports made a splash, particularly around the issue of NDAs, but attention to the other issues quickly faded in the mainstream media.
The problem, I think, is that even in cases where lives have been lost and an institution’s toxic culture is momentarily thrust into the media spotlight, the story and attention quickly fizzle out. Headline news can become yesterday’s fish and chip paper, and this lets the universities get off the hook.
University departments evade further scrutiny by burying scandals under glossy marketing about the ‘student experience,’ using NDAs, inquest restrictions, or offering informal incentives for silence to those who could speak out. Meanwhile, whistleblowers can face retaliation through sabotage, and ostracism through professional networks and that can take a toll on anyone.
Still, I’m cautiously optimistic. Advocacy groups like the 21 Percent Group have helped normalize the conversation surrounding these issues. Like others who have commented on the blog, I believe it’s inevitable that higher education in the UK will face its own ‘Post Office scandal’ moment. I think it will come very soon and will probably coincide with coverage of the financial turmoil the higher-ed sector is currently facing (and hopefully wont be overshadowed by it).
If the Post Office, the Church of England, the Vatican, the NHS, and the police force have all faced major scandals, why should universities and higher-ed be any different?
Fingers crossed, the new year brings progress on this front.
Anonymous · 29 December 2024 at 12:46
About the second ICO case in this blog:
GDPR provides to data subjects the right for rectification (of inaccurate personal data), and also the right to erasure (or right to be forgotten – once there no longer is a legitimate reason for the organization to process the data).
The data used by the institution for the purpose of interviewing had obviously been insufficiently anonymized since it enabled (at least) one of the candidates to recognize the data subjects. This then raises the question of the correctness of the data and also the question why it is still being processed.
How were the recognizable data subjects, and their HR cases, presented to the interview candidates? And were the HR candidates interviewed to fill positions which may entail decision-making relating to those data subjects at any point in future?
Given that the data relates to “an ongoing grievance raised by a number of individuals with the HR department” and that “the matter is under purview of a forthcoming Employment Tribunal” there is obviously an on-going dispute about the facts, the correct version of which has not yet been established. There is therefore an on-going dispute too about the correctness of the data which the organisation is still processing about the data subjects.
So, has poor anonymization not effectively led the organisation to present to future HR employees data about other employees as if that data was factually correct (or historical), when that data is in fact still under dispute (and known to be under dispute)?
Presuming that the interview round led to hiring new HR colleagues, this may mean that until the dispute is settled, i.e. at the present time, the disputed information may still be influencing further HR-related decision-making about those employees.
TigerWhoCametoET · 5 January 2025 at 11:16
Feels like the word you are looking for here is: Victimisation.
Were it the case that prejudiced versions of disputed facts were used by HR to cause material harm to individuals exercising their legal rights, that seems to be the one, single word for what you describe here.
Latané Rodin · 6 January 2025 at 10:17
I am not a lawyer, so please do not take my words as any kind of legal advice, rather than good faith opinion. I welcome views from others if I am wrong on any of this.
But can employers ignore misconduct complaints on the ground that they reflect mere “disputed facts” in a legal case? I thought there was a basic duty to investigate all reports from the moment they are made, so as to mitigate potential harm. The employer can await a new investigation in court, but has to act right away… no?
So if an employer was found to maintain disputed facts in decisions (by HR), then that would already be an infringement – not least if those “disupted” facts turned out to be false and damaging for the individuals concerned?
I mean, just imagine if it were sexual harassment (or worse) instead of bullying. It would be a huge scandal to brush it aside for years on those grounds.
21percent.org · 6 January 2025 at 11:29
Our understanding (backed by legal advice) is that you are correct
An employer cannot just ignore a complaint.
It has to at least meet the complainant, to listen to the complaint & to assess matters (asking for any supporting evidence, witnesses, etc) and to explain what options the complainant has according to the Grievance policy in force.
(Of course, many universities have very successfully “brushed aside” sexual harassment claims)
N · 5 January 2025 at 10:40
As someone who has worked on this issue before, the reports concerning the failure of the ICO to uphold basic statutory guidelines in respect to the fair and full investigation of reports of GDPR and FOI non-compliance is deeply troubling to hear. It would especially concerning if this were a deliberate decision following exit from the European Union framework to undermine the exercise of informational rights, as is implied by the recent string of negative reviews you report. A compilation of evidence should be reported to ministers and parliamentary bodies for review.
If the ICO does not sanction organisations for failure to allow timely and complete access to information, how are faculty and staff supposed to enjoy full legal rights of access and hold malfeasance to account?
OCI · 12 January 2025 at 16:19
This all started with the passage of the Data Protection Act 2018 under the previous government: was putatively designed to implement the General Data Protection Regulation (GDPR) under UK law.
The implicit goal, however, was to water down GDPR so as to make the UK more “attractive” to business.
But they could not admit to that openly, so we ended up with an utterly botched system that both: a) undermines the rights of citizens and employees to access personal data from employers; and b) does nothing to reduce the actual scale of regulatory burden and cost (and probably increased it).
This happens because the ICO now simply tolerates obvious violations of GDPR.
So we now have a system of “compliance theatre”.
It has gutted basic legal protections for employees, but delivered no reduction in cost to either the taxpayer, or to businesses. The taxpayer still is paying for all these ICO employees to sit in their office and pretend to do their (fake) jobs, while businesses pay a tonne of money to contract DPOs who simply offer BS explanations for denying access to information of fundamental importance.
The whole thing is a sham. If they wanted to help business, they could have simply scrapped the law, and sent all these people to the dole queue until they obtain real IT jobs.
Instead they are maintaining a ridiculous theatre that denies basic rights and costs us all a tonne of wasted time and money – indeed, increases the cost due to appeals and subsequent lawsuits.
Anonymous · 13 January 2025 at 17:59
Yes, but… I think the universities might disagree, and it’s a bit hurtful to their feelings to call it theatre; it could even count as heresy. If I were you, I’d be careful, or you might upset some Widow Twankeys among the staff or administration, and they might make life difficult for you.
Uh-oh, too late…
“Well, I never! What are you like, you cheeky moon-faced ninny! You wouldn’t let your front door stay wide open with a big sign saying, ‘Take what you like, my darlings!’ would you? So why should we at the universities just let staff and students waltz off with their personal data? Democracy… oh you sweet child of summer, that’s just not how the world works, my lovely, and we can’t have a revolution overnight, CAN we?!”
Exbruck · 13 January 2025 at 20:16
So if I can summarise this blog post and the earlier one, the official position is
1. recording university officials admit gross misconduct = outrageous privacy violation
2. university officials who stalk whistleblower’s private movements via personal phone tracking = totally ok
Anonymous · 13 January 2025 at 22:29
Yep, you nailed it… And yes, we do, in fact, now live in the Panopticon, and it’s absolutely fine because they care about us and our well-being, and they have a dignity-at-work policy, I’ll have you know.
What’s more… the heinous 21 percent group and their dastardly associated advocate groups, who campaign against these kinds of institutional norms and practices, and corrupt the minds of students and staff, are, in fact, the heirs of the Provisional IRA and represent an existential threat to university functioning.
Now, I think it’s just about time for the Two Minutes Hate. Are you ready?