University ‘broke law over website details’

YORK University breached the Data Protection Act by allowing thousands of students’ personal details including dates of birth and addresses to go on its website, the Information Commissioner’s Office (ICO) has ruled.

However, it has escaped a fine as the ICO decided the information was unlikely to cause the students distress.

While no direct link was available for the test area of the university’s websites where the information was available, 148 records were “inappropriately accessed” while the details were online, the ICO said.

The information included students’ names, dates of birth, A-level results, mobile telephone numbers and addresses.

The breach happened in September 2009 when a member of staff failed to realise they had made an error while carrying out work on the University’s IT system.

This mistake meant that students were able to access information about their peers for more than a year before the problem was identified and the security of the system restored.

The ICO’s operations director Simon Entwisle said: “We recognise that people can make mistakes when handling data – that’s why it is so vital that adequate checks and security measures are put in place.

“This breach could have been avoided if the university had properly assessed the risks that this work posed to the security of their students’ details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected.

“Fortunately for the university, the information made available wasn’t likely to cause the students substantial damage or distress, therefore a monetary penalty would not be appropriate in this case.

“We are satisfied that York University has now taken action to improve the security of its IT system, including carrying out regular testing.”

York University’s vice chancellor Prof Brian Cantor has signed an undertaking to improve data security at the institution. This includes making sure that appropriate security is in place following any maintenance work being carried out on the system.