King's College London breached GDPR by sharing list of activist students with cops

Kings College London breached Europe's General Data Protection Regulation when it shared a list of student activists with the police and barred the activists from campus during a visit by the Queen, an independent report [PDF] has found.

Some 13 students and one member of staff were unable to access any of the campus sites as their cards had been deactivated to prevent access to the Bush House site, which was opened by the Queen on March 19.

In foreword to the report, Professor Evelyn Welch, acting principal at KCL, said the UK university accepts the findings and recommendations in full and is putting in place a plan to address all the issues raised:

Welch said that while some have interpreted the actions taken on the day as racial profiling, "this was not the case and I want to reiterate that discrimination on any grounds is unacceptable and is damaging to our community."

The report's author, Laura Gibbs, concluded that the security team had "overstepped the boundaries" when it compiled the list of activists and shared it with the Met Police.

She said "the barring of individuals against whom there was neither evidence of criminal activity nor any internal disciplinary findings, from "their campus" was disproportionate and "against King's stated values."

One student was blocked from entering a KCL building for an exam in south London, and was only able to enter when the on-site security staff reinstated the card.

The report stated:

"From the evidence provided, it appears that student accounts are set up in such a way that it was not technically possible, given the time constraints, to block access for a small number of students to a single building (in this case Bush House) and so the particular students’ cards were simply locked entirely, hence blocking them from all King’s campus buildings."

KCL's security team disclosed the information without police having made a formal written request.

The groups the protesters were involved in included: Action Palestine, Cut the Rent, Justice for Cleaners, Intersectional Feminists and Climate Strike.

In response to a request for the dates of birth of the protesters from the Met Police, an email from KCL read: "We've taken their details from our card security which does not have DoB. I would have to go to student services which would raise flags and cause chatter so would rather not as this is a sensitive around student freedosm!!! [sic]"

The report made 20 recommendations, including reporting the breach to the ICO. It also said: "Whilst clearly a very convenient communication tool, consideration should be given to the approritatenes [sic] of using WhatsApp for making operational decisions." ®