Two breaches of GDPR have occurred within Trinity College Dublin Students’ Union (TCDSU) over the last month, prompting action towards implementing a union-specific GDPR policy.
TCDSU Communications and Marketing Officer Aoife Cronin said in her report to council that one of the breaches was dealt with internally.
The other breach occurred on November 19th when second-year PPES class representative László Molnárfi used email addresses obtained through the union’s Slack channel to send emails about his independent campaign group Students4Change.
Cronin said she consulted with Trinity’s data protection officer who determined that while a breach had occurred, it had a “low impact on individuals”, so no report will be filed and the matter will be dealt with “internally”.
Molnárfi confirmed to The University Times that this breach was in relation to him obtaining union representatives’ email addresses through the union’s Slack. He apologised to council this evening for sending an email about Students4Change to these addresses.
Molnárfi’s email called on class representatives to “vote for the upcoming amendment to a motion at the third Council to mandate that TCDSU take direct action to oppose in-person exams for courses which have been largely held online in Semester 1″.
He also said the breach had been reported to the Union’s Oversight Commission (OC). The OC concluded that his actions had not breached the Union’s constitution.
The email also called for TCDSU to join forces with Students4Change and the Graduate Students’ Union in opposition to in-person exams.
In a statement to The University Times, Molnárfi said: “In this light, considering the emergency situation, it is justified to send an email to the Sabbatical Officers, the Union Forum and the other Union Members to ask the Union as a whole to oppose in-person exams and advocate for open-book, keyboard-mediated and flexible time-constraint-based exams for Semester 1 of 2021-2022”.
“The emails of all Union Members are publicly accessible on the Union Slack, so as to facilitate communication between representatives. However, I personally apologized to class representatives publicly in the Union Slack who felt offended by me, as Chairperson of Students4Change, contacting them unsolicited”, he said.
He told council this evening: “That was my mistake and it will not happen again.”
Cronin’s report said that the breaches “highlighted the importance of a Union-specific GDPR policy”.
In a discussion item which was brought before council, she noted that during the third Council of the 2020/21 academic year, the previous Communications and Marketing Officer had been mandated to formulate three executive policies, one of which was a GDPR executive policy.
Council mandated that “the Communications & Marketing officer formulate a Non-binding Policy on GDPR as it pertains to the Union and student data protection, including but not limited to information about Union GDPR best practice, information regarding how a student can report a data breach and protocol for data gathering and data sharing agreements”.
However, these policies were not completed upon her assumption of the role and are currently being revised. “As it stands, the Union does not have a cohesive, pre-existing GDPR policy, but defers to the college’s data protection policy”, Cronin’s discussion item noted.
Cronin said that she “will endeavour to make sure that the Union delivers on this mandate by consulting with important stakeholders such as the Union Solicitor, College Solicitor and Data Protection Officer”.