Student data collected without permission; course participant lists in Moodle are hidden temporarily

A personal data breach has occurred at the University of Helsinki. Student names were collected at the Faculty of Science from a Moodle platform into an Excel file, and it is possible that similar data acquisition has taken place at other faculties as well. The University was informed of the breach on 13 April 2026.

The file concerned contained student names and study tracks, together with information indicating whether individual students had signed the open letter or initiative associated with the Students for Palestine movement. The data did not include personal identity codes, student numbers or contact details. The file contained the data of over 2,000 students.

On 22 April, all University students whose data were included in the file and for whom contact details were available were informed of the breach. Forty individuals could not be reached.

The University of Helsinki is firmly committed to data protection. All breaches are reported to the Office of the Data Protection Ombudsman under Article 33 of the EU General Data Protection Regulation.

The matter was reported to the Office of the Data Protection Ombudsman on Friday, 17 April. To prevent further such data collection, students have been temporarily restricted from viewing their course participant list in Moodle. Course participants could previously see each other's names, as this was considered beneficial for study completion, facilitating, for example, the planning and coordination of group work.

As the file refers to the Students for Palestine movement, the movement has been contacted and requested, should it be responsible for the data collection, to cease such collection immediately and delete the data acquired.

Further information:

Hanna Wink, Data Protection Officer 

p. 050 479 7200, hanna.wink@helsinki.fi

Photo: Anniina Sjöblom (University of Helsinki)