Please be very careful if you use MyEngagement

The branch has received multiple concerns from members about the introduction of the MyEngagement student tracking software. Several of our colleagues have been trying to work with the team who are rolling it out, but the results have not been reassuring.

The university has established information governance processes which include the need to agree a Data Protection Impact Assessment with a panel the university has constituted for this purpose. It is our understanding that this panel has not yet received appropriate information about the MyEngagement project to be confident that the University is meeting its legal responsibilities regarding the handling of personal data. It is also important to conduct an equality impact assessment before rollout to ensure that we comply with the public sector equality duty; we have been unable to find evidence that any characteristics other than disability have been addressed.

Advice for staff

The staff interface allows any member of staff who teaches or has tutees to view detailed information about every student in the university. Not only is this unwise, and likely of concern to students, it also puts colleagues at risk.

In a recent disciplinary case of alleged misconduct, one of the matters alleged was that our member “displayed his work emails/ Teams chat on the main screen in front of the students”. Even though no specific confidential items were alleged to have been shown, this was claimed to be a violation of the compulsory GDPR training he had received. Sadly, the situation with the MyEngagement staff interface is much worse; we understand it immediately displays personal student information when it is opened.

For now,  is essential that you only access the MyEngagement software in private and where you cannot be overlooked. Do not use the software during any sort of student contact. You should not risk trying to
access the per-session codes (numeric or QR) during student contact.

We have been told that this problem will at some future time be addressed by the supplier.

The university has issued dangerous advice about this problem in the MyEngagement – Getting started guide for academics and administrative staff guidance at:
It contains a section How to change the default home screen when you log into SEAtS. We have tested this advice and found that the system stores the new Landing Page preference in a local browser cookie; it is not saved to the underlying server. The consequence is that, when you next access SEAtS from a fresh browser instance with new cookies, it reverts to the old dangerous landing page.
Do not rely on this “fix”.
Since we first posted this warning, the knowledge base article has  been corrected by adding the phrase Please note that changing this settings sets a cookie in your browser. This means that the filter may need to be set up again if that cookie expires or is not available on the computer you are using.”
Sadly, the article still contains the misleading phrase “This means that if you load up the SEAtS website in public, there is no danger of displaying that information to others” which is not true as the first indication most users will get that their cookie has gone is the display of the original landing page with student details. Users will not be able to restore the cookie without first visiting this page.

If you do accidentally find yourself showing personal information to students by using the software in front of them, you are required to report it using this form:
You might want to consult a UCU caseworker before filling it out; UCU members can obtain a caseworker by emailing

It is possible that you would be committing a data breach merely by viewing the MyEngagement landing page yourself. If you are worried about this, you should instead be able to request QR and numeric session codes by emailing

You should already be aware that, while you are enabled to access personal information about all our students, you are only permitted to do so on legitimate university business. The lack of role based access controls also makes the overall system vulnerable to accidental changes by individual colleagues; it seems that each of us can change, create, or delete any module in MyEngagement.

Please let the UCU Branch know if operating the MyEngagement system generates significant additional workload for you. There are manual “over-rides” that allow staff to add individual student attendances to the system; if this facility is used extensively, it is likely to create a considerable additional burden on colleagues.

We would also warn you not to offer students any assurances about the privacy of their data or the security of their devices in connection with MyEngagement.
Refer them to the student hub at

Advice for students

It is our understanding that participation in this system is optional for students who are not subject to Home Office visa monitoring. If you are not required to use MyEngagement, you might prefer not to do so.

Many of us are uncomfortable with the installation of tracking software on our personal devices. There is the risk that it might compromise the use of other personal software, it might leak information about us to third parties, or it might lead to financial loss through banking applications. As an example of what can happen, Android users who installed the Teams app. have had had difficulty making emergency calls.

Our ideal choice would be to obtain a cheap Android device to use exclusively for MyEngagement. We are told that the version of SEAtS used at Southampton does not need an actual phone and will run on a basic internet-connected “tablet” running Android version 5 or later; there is no need for Bluetooth or GPS support. Once you have identified an appropriate device, confirm with the student hub that it is supported by emailing Keep it turned off when you are not using it to register your attendance, to discourage it from accumulating tracking data via GPS or local WiFi hot-spots.

It is possible that the university might be required to pay for this device. Many of the protections for students are matters of consumer law; this is one of the effects of “marketization”. It seems likely that it is unlawful for the university to force students to pay for an Android/Apple device for the purpose of installing the app:

other extra costs you are likely to incur, for example field trips, bench fees or studio hire. Universities should also indicate how much these extra costs are or are likely to be. Where they are unknown or uncertain, universities should set out how they will be calculated and whether they are optional or mandatory for undertaking or passing the course.

[This blog was updated on 2023-10-02 to accommodate recent changes in staff access.]
[It was further updated on 2023-10-04 to insert additional information.]
[Yet another update was on 2023-10-06, clarifying the risks of changing your default landing page.]

Data Breaches, Fraud, and USS

Further advice from a real expert

I was at the Cambridge Cybercrime Conference in June and I had the opportunity to discuss the USS breach with Richard Clayton . His research interests are much closer to cybercrime than mine; he is an acknowledged leader in this field. His key takeaways are:

  • This is a very large breach: consequentially, your individual risk is very low. It is not easy for a criminal to do much with the stolen data. In practical terms, the data loss is not likely to lead directly to an attack. Even your National Insurance number, which is alleged to be confidential, does not present a serious risk.
  • On balance, you probably should take up the free Experian offer, but there are two important caveats:
    • Do not be frightened by the warnings they send to you. Experian’s business model for this product depends on scaring you into continuing with a paid subscription after the free period.
    • Make certain that the sign-up process does not embroil you in “inertia selling” with a requirement that you actively cancel at the end of the free year.
      As you will see below, it does!
  • The benefits of the Experian product are limited; it is probably not good value for you to continue with the paid-for service after the free year. UCU negotiators should confirm with USS that there will be no “inertia selling” or “scare tactics” to induce members to pay for ongoing Experian service.
  • Think hard before you “freeze” your credit; it may have unexpected consequences. For example, it will likely prevent you hiring a car.
  • As always, watch your bank and credit card statements for anything unexpected.
  • There has been frightening publicity about unauthorised student loans or property transactions through the Land Registry. These are not widespread; in most cases you will be sent a physical letter to your home before anything seriously bad happens.

Experian sign-up

I signed up for the “free” Experian “Identity Plus” membership. After I turned off cookies, the site asked for my title, first and last name, date of birth, email address, contact phone number, and mother’s maiden name. At the bottom of this page, it displayed the worrying small print:
The next page wanted my current address, a password, and a memorable word, along with agreement to the Experian terms and conditions. It then made a rather crude identity check, asking me to confirm a credit card supplier I use, and how long I have had it. After that, I was in, with the promise of a Daily Experian Fraud Report.

It encouraged me to enter extra information, including driving licence, passport, credit card and bank account numbers along with additional emails, phones and addresses; I declined. I was then presented with my report. I might be rather boring, but mine contained just five entries, with nothing older than three months. Three were associated with insurance renewals in April; the other two were because I had signed up to this service. They were all marked Won’t impact your credit score. Experian also knew about my credit card (and credit limit) and gas/electric account.

Oddly, they then presented a list of “useful addresses”. These were mainly organisations with whom I used to have some sort of account many years ago; it was not clear why they might still be helpful.

Overall, I did not learn anything useful, and the report seemed more interested in my credit rating than my security. Richard Clayton’s concern seems justified; it looks as if Experian really do hope that I will forget about this “offer” by next year, and find myself paying them nearly £180 per year for a service which appears to be of very little value.

I will post them a letter asking them cancel my membership automatically when the year is up, and to confirm that they will be doing so. It would be good if our USS negotiators could make sure that none of our members are tricked into this substantial annual payment.

Yet another data leak

If you have used MyView recently, you will have seen that it now hosted by Zellis; the URL is now and we are no longer required to enter a “favourite colour” or any other second factor authentication. Sadly, Zellis have also suffered a data breach as part of the wider problem with the MOVEit file transfer software.

We have not been notified that any Southampton staff have been affected.

Fair treatment

To further protect yourself, you might think about moving to a bank which prioritises fair treatment in the event of a loss. The TSB is one of Matin Lewis’s top bank accounts for new switchers. At the Cybercrime conference, Ross Anderson told us that the TSB, uniquely, offers the TSB Fraud Refund Guarantee. Many other banks will routinely accuse customers of “gross negligence” and refuse a refund. These decisions are hard to fight.

USS as an activist investor

UCU HE Sector Conference has passed motions seeking to influence USS investment strategy in 2022, 2021, 2020, 2018 and 2016. Our ethical concerns have included climate change, armaments, and international conflicts. We have made little progress in influencing USS’s behaviour.

While we may not believe that the public water supply should be in private hands, such utilities would, under normal circumstances, be typical of the safe, long-term investments that would be made by a fund such as USS. USS has holdings in both Thames Water and South West Water: the latter through Pennon Group PLC. Sadly, our water and sewerage services are neither the safe custodians of our national infrastructure, not the steady investments for which we might hope.

In this sector, USS is an activist investor. Bill Galvin has said:

We remain of the view that, with an appropriate regulatory environment, the long-term objective of repairing important UK infrastructure and paying pensions to our members are in strong alignment.

Now what can that mean? Is he asking Ofwat not to be too rigorous in cleaning up our rivers? Something similar has come from Thames Water itself:

Shareholders have also acknowledged that delivery of the Turnaround Plan will require the provision of further equity support in AMP8, significantly in excess of the current AMP7 commitment. Indicatively, the AMP8 equity support is expected to be in the region of £2.5 billion, but the nature and level of such medium-term support will depend on the finalisation of the business plan and the regulatory framework that will apply to the AMP8 period.

The USS JNC met last Friday, but our negotiators were unable to learn much:

We pressed USS on Thames Water on Friday at the JNC including on our views on good governance, ethical investment and nationalisation particularly given that USS had invited the former Thames Water CEO Sarah Bentley as their poster-child for successful investment/intervention to the institutions meeting. We did not make much headway, and due to the concerns about requirements under market abuse regulation etc, they were unable to comment on their position. But we will press again at the next JNC as things unfold.
[report by Deepa Govindarajan Driver]

We may feel fortunate that here in Southampton we are not in Thames Water’s area. Sadly, Macquarie Asset Management, who did much to put Thames Water in its current position, have bought a majority stake in our Southern Water.

Denis Nicole