King's College London breached GDPR sharing list of activist students with cops (theregister.co.uk)
158 points by noobermin on July 7, 2019 | 38 comments


I don’t know much about this particular case, but speaking as someone who has experienced serious lapses of data protection in the UK university sector, there needs to be stronger enforcement of data protection laws, as the universities just don’t care. They make a huge fuss about privacy to students, but will just randomly hand out PII without a second thought. I’ve personally seen spreadsheets of people’s enrolment and disability status sent to entire mailing lists by mistake, egregiously violating data protection law. I’ve actually called the ICO before when I realised that literally hundreds of high privilege SU accounts had the same password (these accounts were used to handle expense claims for thousands of students, and had years of bank records). There was no enforcement action as far as I’m aware.

I doubt that the administrators who provided this information to the Met even thought about the students' rights for a second.


According to the article the administration knew there were privacy concerns.

> In response to a request for the dates of birth of the protesters from the Met Police, an email from KCL read: "We've taken their details from our card security which does not have DoB. I would have to go to student services which would raise flags and cause chatter so would rather not as this is a sensitive around student freedosm!!! [sic]"


Oh dear... That sounds like a security team bending over backwards to accommodate a police request knowing that it’s against data protection policy...


The police hadn't even requested the data. It's the security team going out of their way to bend over backwards in hope of pleasing the police despite knowing that it’s against data protection policy...


You shouldn’t need a law to tell you that “sharing the names of activists with police when they haven’t committed any crimes” is wrong.


But apparently you need a law with punishment swift and severe for this kind of activity.


Yeah, how's that working out?


Why did this university have a list of "activist" students curated anyways? The article doesn't make it clear whether the police asked the uni for a list of students involved in x and y organizations or whether the uni just handed over a list of people on a watchlist. Either is disturbing.

The student organizations that these activists belonged to don't really sound that extreme, depending on who is asked of course.

Action Palestine, Cut the Rent, Justice for Cleaners, Intersectional Feminists and Climate Strike


> Why did this university have a list of "activist" students curated anyways? The article doesn't make it clear whether the police asked the uni for a list of students involved in x and y organizations or whether the uni just handed over a list of people on a watchlist. Either is disturbing.

Various front line staff in the UK (e.g., teachers) have to shop anyone they suspect of having extremist views into the police. This is the Prevent programme which I think was brought in after the July 7 terror attacks.


In theory the PREVENT agenda is only concerned with groups that support terrorism or similarly extremist views. In practice a lot of people who are not violent hold extremist views, which is why there have been so many prevent agenda referrals.

Here's a reasonable article about PREVENT: https://www.anncrafttrust.org/what-is-the-prevent-agenda/


They had the list because they've had problems with some students occupying buildings in demonstrations around pay and conditions of cleaning staff. Often cleaning is sub-contracted to a different company, and the cleaning staff have terrible pay and conditions.

Police requested the information, but did so informally. Police didn't specify specifically what information they needed. [EDIT: This is bad! The uni should have asked for a formal request, and then done a privacy impact assessment. This is mentioned in the report linked to below]

Ignore the Register, which is hopeless, and read the report which is also hopeless but at least it's mostly factual. https://www.kcl.ac.uk/news/statements/bush-house-security-re...


Wouldn't an informal request be more concerning than a formal request since it is more likely not to undergo the normal scrutiny?


Yes!


Informal requests aren’t harmless, and still need to be lawful (GDPR).


Yes! Sorry, I should have said that the uni was wrong to just dump that info to the police without a formal request and without doing an impact assessment first.


> The article doesn't make it clear whether the police asked the uni for a list of students involved in x and y organizations or whether the uni just handed over a list of people on a watchlist. Either is disturbing.

I'm not sure why the police asking for the list would be disturbing by itself. If they are investigating a crime and group X is suspected of being involved, finding out who belongs to group X seems prudent.

> The student organizations that these activists belonged to don't really sound that extreme, depending on who is asked of course.

I don't know how you can tell that from the name. In any case, the groups themselves may not be extreme, but there may be extremists within the group who police have reason to be interested in, but have not yet identified.


>"I'm not sure why the police asking for the list would be disturbing by itself."

Unless they have evidence that these individuals either committed a crime or intend to, then there are several reasons why that would be objectionable: it's a violation of privacy, it's disproportionate to the harm they pose, and it's an over-reach of police power.

>"In any case, the groups themselves may not be extreme, but there may be extremists within the group who police have reason to be interested in, but have not yet identified."

I don't think 'extremists' is the right word. It's extremely unlikely that we are talking about terrorism, or even the destruction of property. I suspect that KCL feared the normal modes of student protest: occupation, no-platforming, and spectacle.

If you read the report, the list at issue is a list of 'student protestors', made up of names from an occupation at KCL opposed to the outsourcing of the university's cleaning staff, a series of climate change protests, and a protest outside a lecture by a Colonel in the Israeli Defence Force. These kinds of things have occurred at most universities in the UK over recent years, and they are fairly innocuous.


> Unless they have evidence that these individuals either committed a crime or intend to...

Police routinely ask questions of and about people who are not suspected of a crime in the process of investigating a crime. If a crime occurs and they have reason to suspect that a person in group X knows something about the crime, it's completely reasonable for them to seek out and question members of that group.

Requiring police to not only suspect, but have actual evidence against a person in order to investigate is an unreasonable burden and would make all but the most trivial cases impossible to solve.

> then there are several reasons why that would be objectionable: it's a violation of privacy, it's disproportionate to the harm they pose, and it's an over-reach of police power.

Sure. There are several reasons why a request might be objectionable, but I don't see any of those reasons being seriously and credibly alleged; only assumed or implied.


>"There are several reasons why a request might be objectionable, but I don't see any of those reasons being seriously and credibly alleged"

KCL itself concluded that it was disproportionate and a breach of privacy. It is not only alleged; it is the result of an independent report commissioned by one of the two culpable institutions!

>"Police routinely ask questions of and about people who are not suspected of a crime in the process of investigating a crime."

KCL shared the names of protestors who they feared might disrupt a visit from the Queen. They did not share them pursuant to the investigation of some further crime. The report suggests that KCL had no evidence that the students would disrupt the visit, other than the fact that they had been part of past protests. Given that fact, the violation of the students' privacy appears entirely disproportionate, and an improper and wasteful use of police resources.


Yes, but you're talking about KCL. I'm talking about the police.

KCL shared the names with police of students who had already been involved in a protest that had resulted in damage and for which they were considering disciplinary action. The police, in response, asked for more information about those students.

Exactly what should the police have done differently in your opinion?


I’m not surprised that the police wanted this information. The police are perfectly welcome to want any information, and in most cases can ask you for it, regardless of if you’re allowed to give it away.

I’d support penalties for both the police and disclosing organisation if it turns out that the police are using information that was acquired unlawfully in some way.


Yet here they had no crime to have evidence about, the only “evidence” of involvement was that they were activists.

Much like “we gave a list of campus civil rights activists to the police because we don’t like protests” was also wrong (and illegal).

Protests are not illegal, not even in the fairly authoritarian British legal system.


> Why did this university have a list of "activist" students curated anyways? The article doesn't make it clear whether the police asked the uni for a list of students involved in x and y organizations or whether the uni just handed over a list of people on a watchlist. Either is disturbing.

Various front line staff in the UK (e.g., teachers) have to shop anyone they suspect of having extremist views into the police. This is the Prevent programme which I think was brought in after the July 7 terror attacks.


It would take a strong positive commitment to privacy to not notice when people are publicly declaring their opposition to you and their intention to disrupt your operations.


>The student organizations that these activists belonged to don't really sound that extreme, depending on who is asked of course.

>Action Palestine, Cut the Rent, Justice for Cleaners, Intersectional Feminists and Climate Strike

Extreme organizations always give themselves genteel names. The whole point of such groups is to mainstream their views, so a mainstream-friendly name is just part of that effort.


First I thought you to be mostly right about that, how groups name themselves. But looking at the lists of extremist groups I was able to find, I was surprised to see that names (at least in languages I can read) are actually quite often just as extreme as the groups, and follow some rather superficial patterns.

Further, almost all names that are not obviously extreme still referred to either nationality or religion one way or another. Quite surprising to be honest.

According to those patterns, most of those organisations are extremely unlikely to classify as extremists in the usual sense of the word. They might still have extremely unusual opinions, but that's a completely different matter.


Let's flip this around. If these were 'nazis' would you feel the same way?

In the US, alleged nazis are doxxed and given to the press, police, and anyone else and nobody seems to care. I don't think I've seen one complaint here on HN.

My point is that we should care about everyone's privacy... not just the people that you agree with politically.


Do these groups include, in their core beliefs, the idea that others should have no rights or worse?

No?

Nazis do. They aren't going to extend the same olive branch to talk things out if they have the power, but will hide behind "but your tolerance! DEBATE ME!!!" when they don't.

The only thing I'd extend to them is the right to due process and innocent until proven guilty - but walk around with Nazi paraphernalia or slogans and you're getting punched.


Well, we see the tolerant left strikes again. Thanks for proving my point.


Tolerance needs to go both ways. When the other side's core beliefs do not allow for "live and let live", there's no space for tolerating them.


I would recommend reading: https://ico.org.uk/for-organisations/guide-to-data-protectio...

This will enable a better perspective about GDPR and exemptions, which would be most relevant in relation to the cops/police/security services/government/.......


At least the GDPR turned out to have one good use...

What the hell was the uni doing trying to suppress activists to begin with? That's kind of a hostile school/student relationship.


The clue is perhaps in the name, it isn’t called “The Students’ College”.


Sharing data with LEOs even voluntarily isn’t a breach of the GDPR; this isn’t an ICO finding. The ICO will come back to King’s College and say nope, you didn’t violate the GDPR.


The sharing might not be a direct violation, but profiling the students for this purpose most likely is. They probably didn't sign up with something that said "you are being profiled with the purpose to share this information with the Government if you meet some arbitrary archetype"


I agree it's not a violation of GDPR. I still think the university is wrong to just hand over the data.

The university isn't covered by RIPA (I don't think so anyway, maybe I'm wrong), but the police are and I'd be interested to know if this police request was RIPA compliant.


Curious why not? Legally required sharing would be covered, but this doesn't appear to fall under that?


I didn't say it was right, but it ain't a GDPR violation.



