News release: 20 July 2011
The University of York breached the Data Protection Act by failing to close a test area on its website that contained thousands of students’ personal details, the Information Commissioner’s Office (ICO) said today. While no direct link was available for the test area from the University’s website, 148 records were inappropriately accessed.
The information included students’ names, dates of birth, A-level results, mobile telephone numbers and addresses.
The breach occurred in September 2009 when a member of staff failed to realise they had made an error while carrying out work on the University’s IT system. The error meant that students were able to access information about their classmates for over a year before the problem was identified and the security of the system restored.
Director of Operations at the ICO, Simon Entwisle, said:
“We recognise that people can make mistakes when handling data – that’s why it is so vital that adequate checks and security measures are put in place. This breach could have been avoided if the University had properly assessed the risks that this work posed to the security of their students’ details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected.
“Fortunately for the University, the information made available wasn’t likely to cause the students substantial damage or distress, therefore a monetary penalty would not be appropriate in this case. We are satisfied that the University of York has now taken action to improve the security of its IT system, including carrying out regular testing.”
The ICO wants to raise awareness of information rights issues among students and young people. The Information Commissioner will shortly launch the 2011 Student Brand Ambassador campaign aimed at spreading the word on how people can exercise their rights under the Data Protection Act, including tips on how to keep personal information secure. 15 students from universities across the UK will act as champions and ambassadors.
Professor Brian Cantor, Vice Chancellor of the University of York, has signed an undertaking to improve data security at the institution. This includes making sure that appropriate security is in place following any maintenance work being carried out on their system. Any parts of the University’s IT system containing personal information should also be subject to annual testing to ensure the information remains secure.
Notes to Editors
The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
Contact our press office on 0303 123 9070 and at ico.gov.uk/press