Re: No consent for data sharing in the first place
If you want the University to be able to confirm you actually attended there, and what the result was, they are going to need to store some basic data which identifies you and distinguishes you from other David M's who might also have been there. The problem here is that that data wasn't secured properly, not that they stored it.
It would -- I assume -- be more than a little annoying to find that your alma mater said "Nope, got no record of that dude whatsoever" when an employer was doing a few basic CV checks [1], just because the university had over-enthusiastically tried to minimise its store of personal info.
[1] Or, for that matter, refused to replace your gone-missing/eaten-by-dog degree certificate for the same reason :-)