Student data privacy in universities: An overdue reckoning
Student data privacy in universities: An overdue reckoning
Publish Date: 2026-05-08 13:45:00
Source Domain: timesofindia.indiatimes.com
Many European universities still expose student data because they rely on outdated administrative methods, leading to repeated GDPR violations and sanctions. Even though legal rules have existed since 2018, some institutions continue to publish exam results, application outcomes, and academic standings with full names and ID numbers online for anyone to see. This is more than just a technical mistake; it shows a deeper problem with how universities meet their legal and ethical responsibilities to students.
From tradition to transparency and back again
For many years, universities posted exam results on bulletin boards, published lists of successful applicants in newspapers, and celebrated academic achievements in public. These practices made sense when records were kept on paper and student numbers were lower. Now, the same habits have moved online without enough protection, turning what used to be local and temporary into permanent, searchable, and worldwide personal data.
The General Data Protection Regulation established clear requirements in 2018: institutions need a legal reason to process data, must collect only what is necessary, use security measures, and respect privacy rights. Still, enforcement shows that many institutions publish student information, such as full names, scores, and application outcomes, without consent or a valid public interest. For example, a Spanish continuing education institution was fined for posting application results online with full names and scores just for administrative convenience. This is not a one-off event; it reflects a broader pattern of prioritising efficiency over student privacy. Names are unambiguously personal data under the GDPR. Publishing them in connection with exam results or academic standings constitutes processing that requires a lawful basis. Most universities claim a public task or legitimate…
