A third level institution reported a data breach to the DPC that related to a survey, it had carried out on former students. Each year recently graduated students were surveyed with a focus on their further studies and employment and this data was then used to publish a report on graduate outcomes. The summary statistics, which were not anonymised in this instance and included personal data, were published on the institution’s website. 

A member of the public reviewing the 2023 reports noticed that they were able to view the personal data of the survey respondents by right-clicking on the tables and brought this to the attention of the institution. This data included name, salary information and details of work or further studies. The third level institution removed the report and other externally available reports which were thought could experience the same issue. The third level institution also sought assurances that the personal data had not been saved or shared by the individual who discovered the dataset. 

As part of the investigation of this breach, the institution informed the DPC that a new system was introduced for producing reports in 2022 and that a lack of familiarity with the new system had led to the data being published in a non-anonymised format. To mitigate against a recurrence of this issue the institution reviewed its internal processes for generating reports, as well as liaising with their internal IT teams to ensure appropriate technological measures are now in place.