Keeping secrets

Today’s reporting of the data protection leak at the University of Greenwich highlights the issues around information security for universities.

The BBC report is not explicit, but it seems that the papers for a university research committee were published on the university’s website, and that these papers included personal data relating to students.

There are disappointingly few
 files like this in most university offices

This highlights the twin pressures universities face in relation to information. On the one hand, the Information Commissioner expects universities to proactively publish lots of information, and this would include committee minutes and papers. On the other hand, universities – like all other bodies – have very clear responsibilities to properly protect personal data. Which would include not publishing it on the web.

Universities are habitually collegiate places. And despite their scale – and some are very large indeed – many decisions are people decisions, meaning that the collegiate bodies which take decisions have to have personal information in front of them. So they have to deal with personal data – and sometimes sensitive personal data – within a notionally public context.

Universities typically have procedures in place to square this circle – classifying papers in accordance with FoI schemes, so that when written, authors think about whether it should be disclosed. And then the papers are published or withheld depending on judgments made. This is, I expect, how the Greenwich situation occurred – a mis-classification, or a correct classification which slipped through the net. Or in fact slipped onto the net.

Some universities – notably the Russell Group – have been campaigning for exemption from the Freedom of Information Act. That argument is made more sharply in relation to research and the commercialisation of research, where the exemptions available under FoI legislation have, universities argue, been found wanting.

At heart this is a question of autonomy, and the extent to which universities are public bodies. Universities have autonomy because that enables them to be better universities. But autonomy doesn’t place them outside the law. The balance to be struck is between removing some of the nonsensical FoI burden – Paul Greatrix is always good value for money on this – whilst enabling public accountability.

If it were down to me, I’d happily see some tightening of FoI exemptions for universities around research, to help protect intellectual property and enable collaboration with industry, but in general openness is a good. A complete exemption will remove the sunlight from university business, and without that disinfectant things won’t always be as clean as one would like.