The Gaudie

University 'MAB-tracker' found to be in violation of GDPR rules

Updated: Sep 22, 2023

DHPA senior officials created a spreadsheet based on previous strike involvement, which is prohibited under data protection laws


By Josh Pizzuto-Pomaco

Photo Credit: The Gaudie


Senior officials in the School of Divinity, History, Philosophy, and Art History violated data protection laws while attempting to track staffers participating in the ongoing marking and assessment boycott.


The Gaudie was alerted to this issue by a number of DHPA staff. For their protection, these individuals will not be named.


In early May, staffers became aware of a spreadsheet created by DHPA Head of School Professor Beth Lord, after one was told they had been ‘put on a list’ and was being ‘watched’ by senior management.


The spreadsheet was created using strike forms submitted by staff engaging in prior industrial action.


Courses assessed or taught by these individuals were marked in amber, as an indication of the potential impact of staff participating in the marking boycott.


A sample reproduction of the spreadsheet can be seen below.


The list was then circulated among senior officials in the school.


University breached GDPR:


GDPR Article 9 prohibits the processing of personal data referring to involvement in a trade union. Relying on ‘previous strike action forms’ to ascertain future participation in industrial action, as DHPA officials did, is not allowed.


After an investigation, the University’s Data Protection Officer confirmed that a data breach had occurred.


The investigation found that:


‘Previous strike action forms were reviewed and courses were marked in amber if at least one individual had submitted a form previously. This spreadsheet was circulated to a limited number of senior colleagues to discuss further at a meeting. As courses listed all coordinators/markers, in some cases, due to the number of individuals listed, it is not possible to identify which individual had previously submitted a strike action form. However, for some courses it is possible to identify an individual due to the number of coordinators/markers… The circulated spreadsheet was deleted prior to that meeting and replaced with a non colour coded version. All those in receipt of the spreadsheet were asked to delete it.’


Furthermore, the DPO ascertained ‘that the University breached the principles of the UK GDPR as the amber colour coding within the spreadsheet was informed from previous strike action forms, which is not compatible with the purpose of the spreadsheet. In addition, the use of this personal data was not made clear to members of staff.’


Staff feared spreadsheet could be used as ‘blacklist’:


Staff raised concerns over the potential use of the colour coded spreadsheet as a ‘blacklist’, which they feared could lead to the potential exclusion of boycott participants from promotions or contract renewals.

In early June, UCU members submitted a complaint to the Information Commissioner's Office.

One staff member explained: ‘The non-color coded spreadsheet was perfectly acceptable, but once you code it for union action, you put people at risk for targeting, black listing, retributive action, etc.’


Another staffer added: ‘The university is entitled to keep information about our past participation in industrial action. But that information cannot legally be used to predict whether we are likely to participate in future actions. It is now up to the ICO to decide whether this is a 'serious' violation of GDPR rules.’


Staffers take issue with University investigation:


In letters responding to several grievances lodged by staff, Director of People Debbie Dyker told complainants that the investigation by the DPO had settled the matter, and as such, the University would not pursue the issue further.


Affected staff should ‘continue to work positively together’ with the Head of School in a ‘collegiate way,’ the HR chief added.


However, this answer was unsatisfactory for many of the staff affected by the breach, who believe the grievance process has been terminated prematurely.


One staffer told us: ‘I was also disappointed with the way in which the University handled the issue. Although the Data Protection Officer (DPO) agreed that a data breach has taken place and that steps have been taken to remedy this, the University has not engaged in the grievance process. In fact, it was unilaterally abrupted by a University Director. Members of staff were left without knowing the grounds for terminating the grievance process and staff have been left unsure about the implications of this spreadsheet in the future.’


Another staff member who submitted a grievance called on the University to retrain the Head of School on proper data protection in order to ensure a similar breach does not happen again.


They told The Gaudie: ‘Senior management has done nothing to reprimand or retrain the Head of School for DHPA responsible for the list itself. Instead, they have put the onus of collegiality onto us – the individuals placed onto this list; the individuals whose trust has been broken… That this was a breach of trust and collegiality on the part of the Head of School has been ignored. It adds to the widening gap between SMT and staff. We do not trust that they have our or our students’ best interest at heart.’


UCU: University misused sensitive data


Responding to a request for comment, Aberdeen UCU leaders told us the violation indicated a ‘callous attitude’ by the University:


‘AUCU was shocked to learn that the university started misusing personal data to which they were entrusted, [by compiling] a list of lecturers they suspected of being involved in the trade union. Data on Trade union membership is protected by law. Worse were the subsequent attempts to deny and conceal the misuse and to this day their refusal to apologise. This speaks to a thuggish and callous attitude towards staff.’


A University spokesperson told The Gaudie: 'In accordance with University processes, the Data Protection Officer has undertaken an independent investigation. Those involved have been notified of the outcome and appropriate steps have been taken.'


The Gaudie also reached out to Head of School Beth Lord for comment, but had not yet received a response at the time of publishing.
