The Information Commissioner (ICO) has today announced that Durham University has entered into an undertaking following an unusual data breach incident.
The university posted training materials on its website that contained a number of screenshots. Unfortunately, the screenshots contained personal information (including names, addresses and dates of birth) about former students and staff. The information had been neither pixelated nor anonymised, and was online for five months before it was discovered.
When the university finally discovered the error, it took the materials off the website and notified the ICO.
In the course of its investigations, the ICO discovered that only 20% of the university’s staff had actually accessed online data protection training materials. The university had intended to provide training through local training sessions in different departments (on a train-the-trainer basis), but had not kept records of what training had actually taken place, the quality of that training, or who had attended.
Accordingly, the university was unable to demonstrate to the ICO that its staff had been made aware of the university’s data protection policies, and therefore that it had taken appropriate steps to protect the personal data in its possession.
Once again, this data breach appears to have arisen out of human error, albeit one that could have been avoided had the staff in question been properly aware of the university’s obligations under the Data Protection Act.
Good practice guidance
The undertaking given by the university contains some useful recommendations that all organisations should adopt:
- All staff shall be made aware of the data controller’s policies for the processing of personal data and appropriately trained how to follow those policies;
- Compliance with the data controller’s policies on data protection and IT security issues shall be appropriately and regularly monitored;
- Compliance with the above training requirements shall be appropriately monitored and recorded, and those staff whose work involves access to personal data and who have not undertaken such training shall be required to do so as a matter of absolute priority.
On March 1, 2012