News
AAU Reports Personal Data Breach
Published online: 07.07.2023

By Lea Laursen Pasgaard, AAU Communication. Translated by LeeAnn Iovanni, AAU Communication
Aalborg University (AAU) notified the Danish Data Protection Agency on 23 June of a personal data breach. A search of the AAU records system showed that a file with the CPR numbers of more than 60,000 persons affiliated with the university had not been protected with restricted access for two years.
This means that the university’s staff members have had the opportunity to access the file containing CPR numbers. The university has examined the log information stored about the use of the records system and found no evidence that the CPR numbers were seen by any staff members who should not have access to them.
"It is the university’s assessment that the incident involves a low risk for the persons affected. The CPR numbers have not been public or otherwise visible or accessible to persons outside the university, and all staff members at AAU have a duty of confidentiality according to the rules of the Public Administration Act," University Director Søren Lind Christiansen explains.
The file in question contained an overview of the titles of all 254,000 cases that were in the AAU records system in 2021. The vast majority of titles in the overview did not contain personal data. However, more than 60,000 CPR numbers appeared in the overview along with a keyword on the subject of the case, e.g. employment, degree certificate, state education grant (SU), sickness absence, unsolicited dismissal, etc. The cases the overview refers to were not accessible. But because the CPR numbers were visible, the university takes the matter seriously.
AAU guidelines state that cases with titles containing sensitive personal information such as CPR numbers must be protected with restricted access. The cases must only be visible and accessible to staff members who need to see the cases as part of their work. The fact that the guidelines were not followed was due to human error.
The university director says that AAU will review the guidelines for restricting access to the records system to eliminate the risk of a similar error happening again. More specifically, the university will update the monitoring function so that it is possible to investigate whether someone has searched for information in the system without having a work-related reason. Also, the university will systematically follow up on compliance with the guidelines.
The persons affected were informed of the incident via digital mail. Several subsequently contacted us to hear more about the case. All inquiries will be answered, but there may be some waiting time due to the scope of the case.