After warning the Lancashire Police Authority in January over its negligence in publishing sensitive data, the Information Commissioner’s Office (ICO) has said that the University of York breached the Data Protection Act in September 2009.

The ICO said that the university failed to close a test area on its website that contained thousands of students’ personal details.

It added, "While no direct link was available for the test area from the University’s website, 148 records were inappropriately accessed."

The information included students’ names, dates of birth, A-level results, mobile telephone numbers and addresses.

The breach occurred in September 2009 when a member of staff failed to realise they had made an error while carrying out work on the University’s IT system.

The error meant that students were able to access information about their classmates for over a year before the problem was identified and the security of the system restored.

The ICO had said of the Lancashire Police that the four-day delay in fixing the error was concerning.

Now, ICO director of operations Simon Entwisle said that people can make mistakes when handling data – that’s why it is so vital that adequate checks and security measures are put in place.

Entwisle said the university’s error "could have been avoided if the University had properly assessed the risks that this work posed to the security of their students’ details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected."

However, the ICO has let the university off with a rap on the knuckles and no fine.

It said, "Fortunately for the University, the information made available wasn’t likely to cause the students substantial damage or distress, therefore a monetary penalty would not be appropriate in this case.

"We are satisfied that the University of York has now taken action to improve the security of its IT system, including carrying out regular testing."

The ICO said that University of York vice-chancellor Professor Brian Cantor has signed an undertaking to improve data security at the institution.

"This includes making sure that appropriate security is in place following any maintenance work being carried out on their system. Any parts of the University’s IT system containing personal information should also be subject to annual testing to ensure the information remains secure," said the ICO.

The ICO also said that the Information Commissioner will shortly launch the 2011 Student Brand Ambassador campaign aimed at spreading the word on how people can exercise their rights under the Data Protection Act, including tips on how to keep personal information secure.

Fifteen students from universities across the UK will act as champions and ambassadors in the event.

Earlier this week, the ICO warned all public authorities and ordered Lancashire Police Authority to sign an undertaking that all information published by the authority would be vetted by a suitably trained official.

The ICO said in a statement that the Lancashire Police Authority had breached the Data Protection Act by accidentally publishing details of an individual’s complaint on their website.

The details were disclosed after the authority failed to redact the information, which was marked as restricted, from two documents before they were published online.