General Data Protection Regulations (GDPR) give you the right to request information held about you — for example, meeting minutes about your promotion, pay, complaints or even just malicious emails naming you. You may be unhappy about how your University has handled your own personal information. The Information Commissioner’s Office (ICO) is the last resort when Universities behave recklessly with your data and don’t comply with GDPR.
Trustpilot’s reviews of the ICO are shown above. They don’t inspire much confidence. 97 % of those who made a complaint to the ICO rate the service as 1 star (“… illusion of help …. Useless, don’t investigate anything … Communication is very poor, and it seems they do not care … They fail to take data breaches seriously … My MP is now questioning why they take tens of millions in taxpayers’ funding and don’t do anything … Not fit for purpose, intentionally … Why do they exist. When you advise them of a breach of your personal data, they say you have to deal with the problem … All these organisations supposedly there to protect people are just set up to create the impression that there is some form of regulation when there is not“).
This is entirely consistent with two stories reported to the 21 Group.
In the first, a Head of Department at a Russell Group university began tracking two members of staff with whom he disagreed. This involved monitoring the location of the members of staff by inappropriate access to the technical University wifi location logs which record mobile phones. This is a very clear breach of GDPR. An employer cannot track the locations of an employee unless the employee has given permission. In this instance, the matter was worse. The Head of Department was engaged in a bullying campaign against the employees and so was motivated by malice.
The ICO responded thus
A slap on the wrist for the university! Of course, the Head of Department suffered no ill effects for what would be a sackable offence in many professions.
The second example concerned material provided to candidates interviewing for a job as Human Resources (HR) Manager at the same Russell Group university. The candidates were asked to study interview materials for 30 minutes before answering questions. Extraordinarily, the materials were a thinly disguised description of an ongoing grievance raised by a number of individuals with the HR department. This material is confidential. Its use in a job interview process is unprofessional. Its use is legally improper, as the matter is under purview of a forthcoming Employment Tribunal. One of the interview candidates recognised the situation and forwarded the material to the individuals involved. Hence, any anonymisation was not done properly, as the individuals were readily identifiable to candidates.
The ICO responded thus
Here the ICO swallowed everything the University told it — which does not seem to be accurate. The most important error is that it is not a “previous real life case“. It is an ongoing real life case both in the university and in the Employment Tribunals. The ICO’s letter ends with another flick on the wrist for the university, though no individuals in HR are ever reprimanded or held to account.
Universities say they take bullying and harassment seriously. It should be obvious — but apparently it is not. So let’s spell it out. Individuals will be reluctant to raise Grievances with a HR department which recycles confidential matter into interview material and is then distributed to random job applicants.
17 Comments
Exuent · 26 December 2024 at 11:15
“When exposing a crime is treated as committing a crime, you are being ruled by criminals.”
Perturbed ptarmigan · 26 December 2024 at 18:15
“The whole educational and professional training system is a very elaborate filter, which just weeds out people who are too independent, and who think for themselves, and who don’t know how to be submissive, and so on — because they’re dysfunctional to the institutions.”
Anon · 27 December 2024 at 12:55
“When exposing a crime is treated as committing a crime, you are being ruled by criminals.”
So true. What makes the featured case of the psychopathic stalker more worrying is that this individual was in charge of IT and had “circumvented” the University’s “strong safeguards and procedures”.
Worse still, the “inappropriate” access was known to HR, features in a written investigation report, and was brought to the attention of the Head of School with a request to clarify the University’s policy on the use of wireless logs for tracking members of staff.
The University had to admit the inappropriate access to personal data to the ICO, stating that the senior member of staff had “used his pre-existing access to the Local logs” which –- but this is discretely put in brackets — “had been put in place erroneously several years ago by the departmental IT team”.
Surely such erroneously obtained access and the potential for its “inappropriate” use over several years should be setting off all sorts of alarm bells?
Not at all. Instead, the University’s hastily provided context of the complaint to the ICO, as one of a “long-running series of interpersonal disputes” was happily lapped up as an assurance that all is well in cyberstalking land.
Mapleist · 26 December 2024 at 21:29
As a former subject of academic bullying in UK academia (bye bye losers) I just want to say I really appreciate the work you guys are doing. Keep on going, and don’t let those bastards grind you down.
Hunni eunt domus · 27 December 2024 at 09:23
Hmm well actually this is true in a more fundamental sense, in that it is also an infraction not to report a crime, if you had been rendered previously aware. And hence a more severe crime, to actively frustrate and prevent the reporting of abusive conduct against students and staff.
Elias · 27 December 2024 at 20:13
Seems to me there is a very clear lesson here, which is that if your boss asks you to do something that raises ethical and legal concerns, immediately take a pause. Ask for opinions from colleagues, search online, post to a discussion forum, speak to Citizens Advice, even go to the local police station and sound out their views too.
And if your manager made you do something that you now realise was illegal, you should stop complying right away and start making plans to find another role as soon as possible. Plus, be ready to be the first person to blow the whistle, before they do so on you – because if that is how they treat others, have no doubts that they will throw you under the bus as their trail of misdeeds start to surface.
Veritas · 28 December 2024 at 07:57
Working for a toxic institution can really fuck up your career. A legal adviser asked to file vexatious claims can end up disbarred for life, an IT officer exposed for cyberstalking will not be getting future interviews.
The big mistake most people make in these situations, is to think that by keeping a record of their boss ordering them to engage in illegal deeds, this will absolve them when the shit hits the fan.
It will not. You have to prove that you reported them to the appropriate authorities, including external ombudsmen, regulators, MPs or investigatory bodies.
That is the rule. No matter how late, you have to show that you acted.
Anon · 28 December 2024 at 13:04
There’s evidently not enough shit hitting the fan… yet.
Uskadar · 28 December 2024 at 13:34
When you look at the famous cases of organizational abuse in western societies, there is a common pattern. By the time the “shit hits the fan” there has been a process of compliance decay over a period of many years or decades because cases were never exposed or prosecuted, perpetrators got away with small acts of abuse, and then the small acts got larger and larger.
This is the same whether it is sexual harassment by managers, excessive risk in finance, the disregard of safety rules (Boeing, NASA, Chernobyl) or in this case, bullying in academia.
Sadly it often takes a big disaster before people start opening up the files and seeing ok, who said what to who and when? How did we get here? How did it start, and why did no-one put up a big hand to say “stop”?
The decay has taken place in academia over several decades due to rising job precarity, growing workloads, and erosion of basic values: from viewing younger staff as apprentices to be mentored and trained to a disposable resource.
One thing you can be sure of, though, is that once questions start to be asked, the reckoning never stops.
After all, people are still making youtube videos about Challenger, Chernobyl, Enron, Lehman etc and these all happened decades ago. We are still digging up more and more evidence about these cases.
Anonymous · 29 December 2024 at 12:46
About the second ICO case in this blog:
GDPR provides to data subjects the right for rectification (of inaccurate personal data), and also the right to erasure (or right to be forgotten – once there no longer is a legitimate reason for the organization to process the data).
The data used by the institution for the purpose of interviewing had obviously been insufficiently anonymized since it enabled (at least) one of the candidates to recognize the data subjects. This then raises the question of the correctness of the data and also the question why it is still being processed.
How were the recognizable data subjects, and their HR cases, presented to the interview candidates? And were the HR candidates interviewed to fill positions which may entail decision-making relating to those data subjects at any point in future?
Given that the data relates to “an ongoing grievance raised by a number of individuals with the HR department” and that “the matter is under purview of a forthcoming Employment Tribunal” there is obviously an on-going dispute about the facts, the correct version of which has not yet been established. There is therefore an on-going dispute too about the correctness of the data which the organisation is still processing about the data subjects.
So, has poor anonymization not effectively led the organisation to present to future HR employees data about other employees as if that data was factually correct (or historical), when that data is in fact still under dispute (and known to be under dispute)?
Presuming that the interview round led to hiring new HR colleagues, this may mean that until the dispute is settled, i.e. at the present time, the disputed information may still be influencing further HR-related decision-making about those employees.
TigerWhoCametoET · 5 January 2025 at 11:16
Feels like the word you are looking for here is: Victimisation.
Were it the case that prejudiced versions of disputed facts were used by HR to cause material harm to individuals exercising their legal rights, that seems to be the one, single word for what you describe here.
Latané Rodin · 6 January 2025 at 10:17
I am not a lawyer, so please do not take my words as any kind of legal advice, rather than good faith opinion. I welcome views from others if I am wrong on any of this.
But can employers ignore misconduct complaints on the ground that they reflect mere “disputed facts” in a legal case? I thought there was a basic duty to investigate all reports from the moment they are made, so as to mitigate potential harm. The employer can await a new investigation in court, but has to act right away… no?
So if an employer was found to maintain disputed facts in decisions (by HR), then that would already be an infringement – not least if those “disupted” facts turned out to be false and damaging for the individuals concerned?
I mean, just imagine if it were sexual harassment (or worse) instead of bullying. It would be a huge scandal to brush it aside for years on those grounds.
21percent.org · 6 January 2025 at 11:29
Our understanding (backed by legal advice) is that you are correct
An employer cannot just ignore a complaint.
It has to at least meet the complainant, to listen to the complaint & to assess matters (asking for any supporting evidence, witnesses, etc) and to explain what options the complainant has according to the Grievance policy in force.
(Of course, many universities have very successfully “brushed aside” sexual harassment claims)
N · 5 January 2025 at 10:40
As someone who has worked on this issue before, the reports concerning the failure of the ICO to uphold basic statutory guidelines in respect to the fair and full investigation of reports of GDPR and FOI non-compliance is deeply troubling to hear. It would especially concerning if this were a deliberate decision following exit from the European Union framework to undermine the exercise of informational rights, as is implied by the recent string of negative reviews you report. A compilation of evidence should be reported to ministers and parliamentary bodies for review.
If the ICO does not sanction organisations for failure to allow timely and complete access to information, how are faculty and staff supposed to enjoy full legal rights of access and hold malfeasance to account?
OCI · 12 January 2025 at 16:19
This all started with the passage of the Data Protection Act 2018 under the previous government: was putatively designed to implement the General Data Protection Regulation (GDPR) under UK law.
The implicit goal, however, was to water down GDPR so as to make the UK more “attractive” to business.
But they could not admit to that openly, so we ended up with an utterly botched system that both: a) undermines the rights of citizens and employees to access personal data from employers; and b) does nothing to reduce the actual scale of regulatory burden and cost (and probably increased it).
This happens because the ICO now simply tolerates obvious violations of GDPR.
So we now have a system of “compliance theatre”.
It has gutted basic legal protections for employees, but delivered no reduction in cost to either the taxpayer, or to businesses. The taxpayer still is paying for all these ICO employees to sit in their office and pretend to do their (fake) jobs, while businesses pay a tonne of money to contract DPOs who simply offer BS explanations for denying access to information of fundamental importance.
The whole thing is a sham. If they wanted to help business, they could have simply scrapped the law, and sent all these people to the dole queue until they obtain real IT jobs.
Instead they are maintaining a ridiculous theatre that denies basic rights and costs us all a tonne of wasted time and money – indeed, increases the cost due to appeals and subsequent lawsuits.
Exbruck · 13 January 2025 at 20:16
So if I can summarise this blog post and the earlier one, the official position is
1. recording university officials admit gross misconduct = outrageous privacy violation
2. university officials who stalk whistleblower’s private movements via personal phone tracking = totally ok