The data protection problem continued for almost five months. During this time, there were more than 3,000 applications in the system, 21 of which were processed without authorization.

At the end of March, an error was detected in the University of Turku's electronic information system that allowed logged-in users to view other users' information.

The error concerned an electronic form for applying for additional time to study at a university. Due to a privacy issue, students were able to read each other’s forms, which may contain sensitive information.

“The breach came to light when a student was in contact with the university and said that he had seen other students’ applications in the list view of the electronic form,” says Onerva Steudle, the data protection officer of the University of Turku, by email.

For example, students’ applications may have revealed that the reason for seeking extra study time was illness.

“However, the annexes to the application containing health information are instructed to be sent directly to the application handler during the second period.”

According to Steudle, the university is not aware of any misconduct related to the forms reviewed.

The error occurred during in-house maintenance of the university’s digital services, when access to system data was inadvertently defined incorrectly in connection with software changes.

The data protection issue lasted for almost five months between 8 November 2021 and 29 March 2022. During this period, there were a total of 3,051 applications in the system.

“Unfortunately, these types of errors are very difficult to completely avoid and find in a complex environment,” Steudle explains.

The error has been fixed and the system users have been notified.

According to the university’s report, 21 applications had been opened without permission. Students have been informed of the unauthorized review of their applications.

Steudle says the university is working with the police and the Data Protection Commissioner. An individual student does not need to contact the authorities without a particular reason.

“The university has log data for the duration of the event, which can be used to find out who has viewed the data, if necessary.”

The data protection issue has been reported to the Data Protection Commissioner.

“The EDPS, as the supervisory authority, assesses whether the controller has acted properly in the situation and whether further action is needed.”