On Jan. 25, 50 students and 35 faculty and staff members within the Department of Health Services received an email with a spreadsheet that contained personally identifiable information (PII) of more than 9,000 people.
Amy Hagopian, associate professor in Health Services at the UW, unintentionally sent the email containing the spreadsheet to students in the Community Oriented Public Health Practices (COPHP) program. It contained data from graduate student applications to the Department of Health Services in the School of Public Health over a seventeen-year period, from 2000 to 2017.
“It’s very rare someone steals a filing cabinet or something like that,” Helen Garrett, registrar of the UW, said. “[Unintentional releases are] generally done when someone just clicked through and weren’t thinking.”
This email did not contain dates of birth, Social Security numbers, or financial information that could lead to identity theft, but it did contain name, gender, citizenship status, and ethnicity. The spreadsheet also included information pertaining to these individuals’ educational histories: prior institutions attended, discipline studied, GPA, GRE scores, and application status indicating whether or not they were accepted to the UW.
“We really regret that this happened because it was a lapse and does not follow our policies,” director of communications at the School of Public Health Jeff Hodson said. “Our immediate reaction was to ask all recipients of that email to delete the information right away, and then to confirm to us that they had actually done so. So far, nearly half of the students have confirmed that they have deleted the email.”
It might seem as though the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of students’ educational records, would protect those whose information was released if they had all been UW students. However, in this case, most of the PII that was released belongs to people who never attended the UW. Those individuals are not protected under FERPA.
“These were applications, so not all of these people are students at the UW,” senior director of media relations at the UW Victor Balta said. “But we’ve made really clear to [any UW students] potentially affected by this that they should be in touch with someone in the School of Public Health if they have particular concerns about their own information and those will be handled on a case by case basis. There’s no sort of blanket response or anything like that.”
Additionally, FERPA does not mandate that those whose information has been released be notified, although it is a “best practice” to do so.
“There isn’t a federal law that requires us to notify individuals in these circumstances,” Hodson said. “Nor are there state laws that apply … We are, however, currently evaluating if and how we should send notifications to the other students involved.”
So what exactly does FERPA mandate be done in the case of a release such as this one?
“What would be in violation of FERPA is if there were a release and we did not make note in the student records of how we mediated it,” Garrett said. “Is it technically not okay under FERPA to release information to non-school officials? Yes. But we’re going to be more concerned with finding out as soon as possible who was involved in the release. What was released?”
The consequence for releasing PII will ultimately be a FERPA refresher or more training, according to Garrett. She emphasized that this training isn’t punitive, but it’s preventative, with the goal of making FERPA violations less likely in the future. This specific situation has prompted leaders within the School of Public Health to consider making changes to try to prevent something like this from occurring again in the future.
“We’re reviewing all of our practices with regard to handling student information across the School [of Public Health] because there are a lot of questions about who has access,” Hodson said, “Faculty have a right to review student data, but why is it so easy to download?”
Balta and Hodson emphasized that the university and the School of Public Health are taking this matter very seriously.
“It’s unfortunate that it happened in the first place but we need to take care of it as best we can and make sure that people are aware and have the resources they need to have their individual situation addressed,” Balta said.
For more information on the UW policy for reporting information and privacy incidents, the UW policy directory is a good resource. Any applicants to the department who have concerns about the possibility of their personal data being released are encouraged to contact the department at 206-616-2928. If you ever encounter something you believe might violate FERPA or put PII at risk, report to uwprivacy@uw.edu.
Reach Editor-in-Chief Rebecca Gross at news@dailyuw.com. Twitter: @becsgross
(0) comments
Welcome to the discussion.
Log In
Keep it Clean. Please avoid obscene, vulgar, lewd, racist or sexually-oriented language.
PLEASE TURN OFF YOUR CAPS LOCK.
Don't Threaten. Threats of harming another person will not be tolerated.
Be Truthful. Don't knowingly lie about anyone or anything.
Be Nice. No racism, sexism or any sort of -ism that is degrading to another person.
Be Proactive. Use the 'Report' link on each comment to let us know of abusive posts.
Share with Us. We'd love to hear eyewitness accounts, the history behind an article.