ICO Raps Durham University For Publishing Student Details

Steve McCaskill,
ICO

University promises to review data handling procedures after posting details of 177 students and staff on its official website

Durham University breached the Data Protection Act by publishing personal information about former students and staff on its website… in screenshots used to demonstrate university systems .

The names, addresses and dates of birth of up to 177 people were shown in screenshots that should have been anonymised before being published in tutorial material on the University’s site.

Accidental upload

The information was made live in February 2011 and the error was not discovered until July later that year.  The university reported the breach to the ICO, who launched an investigation into how the academic institution handled personal data.

This investigation found that just 20 percent of the university’s staff were aware of the organisation’s data protection guidance and learnt that one to one training was provided for a limited number of staff who were then responsible for distributing the information to colleagues. It also discovered that the university failed to keep track of which employees received this training.

Durham has signed an undertaking which commits it to improving the way in which it handles personal data. Staff whose work involves access to sensitive information will be required to undertake training as a matter of priority by 30 September, and the university has promised never to publish documents with this information on its website ever again.

Education at all levels

“All documents should be checked for personal information before being made available on a website,” commented Steve Eckersley, head of enforcement at the ICO. “This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.”

“It is vital that schools, colleges and universities introduce robust systems to handle their pupils’ information on electronic and paper based systems in compliance with the Data Protection Act and we will continue to work with those in the education sector to ensure they are keeping young peoples’ details secure.”

Earlier this month, the ICO fined Cheshire East Council £80,000 for failing to have adequare security measures in place following a serious breach of the Data Protection Act in May 2011. The ICO taken a keen interest in a number of aspects of education, saying that school children should be taught how to protect their own privacy and has also made inquiries into claims that the education secretary Michael Gove uses Gmail to conduct official government business.

How well do you know Internet security? Try our quiz and find out!