Announcement: Aalborg University (AAU) has registered a breach of the university’s guidelines for personal data security, which has been notified to the Danish Data Protection Agency on 23 June 2023.

What has happened?

A search in AAU’s record-keeping system showed that a file containing civil registration numbers of approximately 60,000 individuals affiliated with the AAU has not been protected with access restrictions for two years. This is due to a human error.

The said file contained a list of titles for all 254,000 cases in AAU’s record-keeping system in 2021.

By far the majority of cases have ordinary case titles that do not contain personal data, but in the case of approximately 60,000 titles a civil registration number can be seen along with a topic keyword, e.g. employment, diplomas, student grants, sickness absenteeism, unsolicited dismissal, etc. There has been no access to the actual cases that the list refers to. But as civil registration numbers have been visible, the university looks at the matter with great concern. 

You can read the letter here

Why a public announcement?

As an international education and research institution AAU has many international employees and students who potentially have moved from Denmark since 2021, and therefore they are no longer able to receive digital mail in Denmark. Add to this that AAU no longer has valid addresses for these individuals. We have therefore concluded that the best way to notify these individuals without undue delay is a public announcement.