IOWA CITY (AP) — A University of Iowa employee mistakenly sent an email to 2,000 undergraduate students that included a document showing all of their grade-point averages, a privacy breach that school officials disclosed Thursday.
An administrative assistant new to her job at the Center for Diversity and Enrichment sent the email Wednesday afternoon that included a spreadsheet containing their names, number of credit hours and GPAs. School officials discovered the privacy breach Thursday morning after a student complained to a university vice president.
The employee was trying to send an email to students on the center’s email list about a new university club on philanthropy, said Georgina Dodge, the university’s Chief Diversity Officer. She improperly downloaded student information that included their grades and, for reasons that are baffling, mistakenly attached that to the email instead of the information about the club, Dodge said.
“It’s so unfortunate that it happened,” she said. “I really hope this does have a minimal impact on students. It may even inspire some of them to have a better GPA next time.”
The employee was working on a short-term temporary contract and will face disciplinary action, Dodge said. A decision on whether she will be fired has not been made.
“Needless to say, she has been crying her eyes out all day,” Dodge said.
The students affected are those who receive Advantage Iowa scholarships, a university program meant to promote a diverse student body. Recipients are chosen based on academic achievement, as well as factors such as their race and ethnic background, family income and whether they are first-generation college students. They are required to meet with the center’s academic counselors and attend some of its events.
Dodge said the university recalled the email after learning about it Thursday morning. Dodge and Center Director Nancy Humbles sent an email to students to apologize, which also directed them to delete the attachment if they still had it and to shred any copies that were printed out.
“Please know that corrective action is being taken to remedy the situation and to ensure that such mistakes do not occur again; however, our immediate concern is you,” read their email, which noted that university counselors were available to talk. “We understand that this situation may have caused undue stress.”
The email added that GPAs are only temporary indicators of academic performance, but are “privileged information that we do not necessarily wish to share with our peers or others.”
Dodge said that student grade information is supposed to be safeguarded under the federal Family Educational Rights and Privacy Act. She said it was unclear whether the university had to report the breach to federal regulators, and its lawyers were researching that subject.
Dodge said she would take several steps to prevent similar problems, such as improving training for new employees that work with student records and requiring all mass emails to be checked by a second person and copied to university staff. She described the breach as a wake-up call that would improve the safeguarding of student records.