THE University of York has been found to have breached the Data Protection Act by accidentally leaking students’ personal details online.
In March, The Press reported that the details of 17,000 students, including names, ages, addresses, A-level results and phone numbers, were freely accessible on the internet. Following an investigation into the leak, the Information Commissioner’s Office (ICO), has found the breach was committed when a member of staff failed “to close a test area on its website that contained thousands of students’ personal details”.
The breach happened in September 2009, and was unnoticed, meaning tudents were able to access information about their peers for more than a year.
While no direct link was available to the test area from the university’s website, 148 records were inappropriately accessed, the ICO found.
The Government monitoring body asked Vice Chancellor Professor Brian Cantor to sign an agreement to improve data security.
Simon Entwisle, director of operations at the ICO, said: “We recognise that people can make mistakes when handling data – that’s why it is so vital that adequate checks and security measures are put in place.”
He said the breach could have been avoided if the university had properly assessed the risks of its work, and said it failed to test the security of its IT system once the work was complete.
Mr Entwisle said the information was not likely to cause the students “substantial damage or distress” and said a monetary penalty would not be appropriate.
He said: “We are satisfied that the University of York has now taken action to improve the security of their IT system, including carrying out regular testing.” The university has been asked to make sure that security is in place if any maintenance work is carried and to carry out annual security checks out on its system.
The university apologised to those affected and said it had taken steps to improve its systems, acting on recommendations from an internal investigation and three internal audits.
Dr David Duncan, the university registrar and secretary, said: “This was an unfortunate incident which was rectified expeditiously and with professionalism by university staff.
“We have already taken action to enhance the security of our systems, and we have made a number of undertakings to the ICO for a range of further measures to safeguard our information governance.”
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules hereComments are closed on this article