University of York breaches Data Protection Act
By Cloud Direct • 12 Aug 2011
The University of York breached the Data Protection Act by failing to close a test area on its website that contained thousands of students' personal details, the Information Commissioner's Office (ICO) said today. While no direct link was available for the test area from the University's website, 148 records were inappropriately accessed.
The information included students' names, dates of birth, A-level results, mobile telephone numbers and addresses.
The breach occurred in September 2009 when a member of staff failed to realise they had made an error while carrying out work on the University's IT system. The error meant that students were able to access information about their classmates for over a year before the problem was identified and the security of the system restored.
Director of Operations at the ICO, Simon Entwisle, said:
"We recognise that people can make mistakes when handling data – that's why it is so vital that adequate checks and security measures are put in place. This breach could have been avoided if the University had properly assessed the risks that this work posed to the security of their students' details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected.
"Fortunately for the University, the information made available wasn't likely to cause the students substantial damage or distress, therefore a monetary penalty would not be appropriate in this case. We are satisfied that the University of York has now taken action to improve the security of its IT system, including carrying out regular testing."
The ICO wants to raise awareness of information rights issues among students and young people. The Information Commissioner will shortly launch the 2011 Student Brand Ambassador campaign aimed at spreading the word on how people can exercise their rights under the Data Protection Act, including tips on how to keep personal information secure. 15 students from universities across the UK will act as champions and ambassadors.
Professor Brian Cantor, Vice Chancellor of the University of York has signed an undertaking to improve data security at the institution. This includes making sure that appropriate security is in place following any maintenance work being carried out on their system. Any parts of the University's IT system containing personal information should also be subject to annual testing to ensure the information remains secure.
Share this post