Oxford's oldest student newspaper

Independent since 1920

EXCLUSIVE: OxMatch breached data protection law

Students who used OxMatch may have received more than they signed up for, Issy Kenney-Herbert reports.

Trinity Term saw the creation of OxMatch, a matchmaking service with the tagline “remote Trinity doesn’t have to be lonely”. Cherwell has found that this service has violated GDPR laws along with their own privacy policy (shared with those who sign up at the beginning of their matchmaking form). All data regarding these infringements was obtained in the public domain. 

Students who signed up received unexpected emails; OxMatch’s November Privacy Policy (used for Michaelmas matching) states: “We add you to our mailing list so that we can let you know about your match” and that “we use your email and contact information to communicate with you regarding your match.” Furthermore, Chapter 2, Article 5 of the General Data Protection Regulations notes that data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” and declares that all data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

While the “purposes” outlined in OxMatch’s privacy policy pertained to communicating regarding their match, students also received emails about signing up to MyTutor, a new version of Oxfess and new rounds of OxMatch. Students were also identified by name in some of these emails. One email, sent on the 1 January 2021, included the name of the student emailed in the subject line, asking if they wanted to join the OxMatch team and “become the next Cupid?” Another was sent urging students to like a variation of the Oxfess page – this was not described by OxMatch as a “sponsored post”. A third, which was described as a “sponsored post” by OxMatch, sent on 13 December 2020, included the name of the student emailed in the subject and body of the email and continued: “We’re writing to let you know about MyTutor, where you can earn up to £20 an hour, all within reaching distance of the kettle”. The footer of the email read: “You are receiving this email because you signed up for OxMatch… Sponsored posts like this allow us to run OxMatch and also go towards supporting our access initiative”.

OxMatch did not respond to Cherwell’s queries regarding why such emails would be sent, especially as they appear to be “incompatible” with the purpose of communicating regarding a match and this use was not specified within the sign-up form. However, MyTutor confirmed to Cherwell that the email was sponsored – although not for a “substantial” amount. They continued: “OxMatch reached out to propose we sponsor one of their emails, and we were disappointed to learn that the message may not have been sent in line with their privacy agreement with users. As such we won’t be working with them again, and will be updating our due diligence process when sending sponsored messages via third parties in future. We note that OxMatch have updated their privacy guidelines to refer to third party marketing but that should not be taken as meaning that we endorse or have approved this update.”

OxMatch told Cherwell: “In accordance with GDPR, we process and release data only in anonymous forms for statistical analysis. All data is kept anonymous and identifiable data is not shared with any third parties.”  OxMatch refused to confirm how long data is kept or how data is stored.

In December 2020, OxMatch collaborated with student paper The Flete to release an “OxMatch Campus Report”,  running through the answers of those who signed up, including answers to a series of questions like which subjects signed up, political leanings, crushes and a diagram of kinkiness levels at each college. 

OxMatch’s own Privacy Guidelines and Data Practices, effective from November 20th 2020, were shared with each of the participants at the beginning of their form. It stated: “We also gather metadata: statistics about how the student population as a whole answered. This is just for fun posts on our Facebook: it’s always anonymised, and we’ll only use data aggregated across at least 15 people.”

While the data was anonymised and no individual student response was revealed, this “metadata” was released to an online student publication with an unclear transfer of data – not “fun posts on our Facebook”. Beyond this, OxMatch promised that “we’ll only use data aggregated across at least 15 people”. OxMatch told The Flete that they had “over 4500 signups since its inception in Trinity Term 2020” and then broke down the subject makeup for signups. The smallest groups were “Physics and Philosophy as well as Classics with Modern Languages, accounting for just 0.2% and 0.3% of sign-ups respectively”. Making the generous assumption that the full signup figure was 5000 – and that all of these were included within the RAG and standard Michaelmas versions to which the statistics pertain, rather than any being made in Trinity Term 2020 – this is equivalent to 10 Physics and Philosophy students, below the 15 promised in OxMatch’s Privacy Policy. For Classics with Modern Languages, this sums to exactly 15 students. In OxMatch’s Privacy Policy, they also wrote that: “We will not publish any information that could lead to personal identification (such as the case of small colleges/subject groups)”. The Flete confirmed to Cherwell that they were not informed this data was in breach of OxMatch’s privacy regulations.

OxMatch has now returned for another round of matchmaking with an updated privacy policy which explicitly states sponsored emails to be sent to those who sign up: “By signing up to OxMatch, you consent to us occasionally sending you sponsored emails.”

Individuals who wish to know what data any company holds on them can make a subject access request under GDPR law. This request can be made via email, social media or any other reasonable means of communication. By the same method, these individuals can request that their data is deleted.

Check out our other content

Most Popular Articles