The error with Radboud University’s new travel module, which allowed hundreds of employees to see others’ travel information, was a ‘low-risk data leak’ according to the university. That is why they have refrained from making a report to the Dutch Data Protection Authority. However, privacy expert Gerrit-Jan Zwenne questions that qualification.

Roughly 650 university employees could access their coworkers’  information due to a clerical error with the new travel request system. They were accidentally provided with Travel Arranger credentials, which they could use to view, modify, or even cancel the travel information of random colleagues. Said information included flight- and seat numbers, as well as hotel room numbers. Personal information could also be viewed.

The error has since been rectified, after the travel agency received a report by an employee. Up to that point, 650 employees had unfettered access to the system. At the time, a little over 300 Radboud employees had arranged travels whose details were accessible to others via the platform.

‘Administrative carelessness’

A spokesperson has stated that the University has not made a report with the Dutch Data Protection Authority (DPA). ‘Our Data protection Officer was informed immediately after the report came in. They deemed it to be a low-risk data leak. According to regulations, those do not need to be reported to the DPA.

The officer reasoned that this leak did not concern ‘sensitive’ personal information, as stated by the spokesperson. According to him, accommodation details, full names, and (in some cases) phone numbers do not fall under sensitive personal information. ‘Additionally, only University employees were able to access the data.’

‘ “Data leak” is much too strong a term for what happened’  

A spokesperson for the VCK Travel agency emphasised that there was no data leak, according to them. The travel agency supplies the booking module which Radboud employees are required to use for arranging multi-day international travel, as of February 27^th.

‘This is simply a case of administrative carelessness’, as stated by the spokesperson. ‘We use certified systems to protect our data. There was no data leak according to our strict rules and regulations; “data leak” is much too strong a term for what happened.’

He agrees with the statements made by the University spokesperson: this only involved people within the organisation, and -to their knowledge- the data was not released publicly.

Log entries

When asked, Gerrit-Jan Zwenne, Professor of Privacy Law at Leiden University and the Open University, did still advise to report to the DPA in cases like this. That needs to be done within 72 hours after discovery. ‘It can be very hard to tell whether there was a major data leak’, he says.

‘After all, it depends on how many employees were able to access what sort of files, and how often it happened. The only way to know that is by looking at the websites’ log entries; these keep a careful record of everything any user clicks on. Only by looking at that data can we realise the scope of the problem.’

‘The fact that a system has been certified, does not guarantee that there was no leak’

Zwenne remarks that the University has made no mention of this. ‘The fact that a system has been certified, does not guarantee that there was no leak. The same is true of administrative errors. Rather, it can be assumed that many data leaks are caused by such errors.’

Always report

It is always wise to report any kind of leak, according to Zwenne; even when it involves little risk. A no-risk situation must be the baseline assumption. An organisation should report the leak themselves, demonstrate that it has been plugged, and show that there was little risk to those affected. If they do so, there is a large chance that the DPA will not follow-up, nor give out fines. But it does show that the organisation was transparent, Zwenne explains.

Finally, Zwenne emphasises that the University would do well to inform people of the situation. ‘And not just through a statement on their website; those affected need to be informed personally. Not even from a legal perspective, but as a demonstration of carefulness and proper employment practices. However, that is outside my area of expertise.’

In any case, the University will not be doing the latter. That would be unnecessary, according to the spokesperson, because there were no signs of any credible risk.

Translated by Jasper Pesch