The University of Greenwich is currently being investigated by the UK data watchdog, the Information Commissioner’s Office (ICO), after it emerged that details belonging to hundreds of research students had been disclosed online in a data breach. Personal information belonging to students, including full names, dates of birth, phone numbers and even signatures, could be found on the university’s website.
The personal details of students were uploaded onto the site alongside minutes from the Faculty Research Degrees Committee. This committee monitors the work of research students, so information regarding their progress had also been published. In some instances, sensitive medical information pertaining to students, such as mental health issues, was disclosed if it had been affecting their work. Emails between staff and students were also posted.
A student reported the data breach to the BBC, and students also notified the ICO. The information has now been taken offline and the university has contacted Google to ensure that the information cannot be found via the search engine. Despite this, some students have expressed their concern that the university didn’t notice the error earlier.
The mishap could lead to the university being fined by the ICO, which is able to fine an organisation up to £500,000 for a data breach. However, as one legal expert has pointed out, the university is perhaps lucky that the data breach has been discovered now rather than later. New EU legislation will come into force soon, which will mean organisations could be fined up to 10 million euros for not complying with data processing regulations.
It is probable that some action will be taken against the university, as it has fallen foul of a number of provisions found in the Data Protection Act, such as the clause that states an individual must ‘be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller’. It is evident that the students affected were unaware that their personal information had been disclosed online.
Greenwich is not the first London university to have a run-in with the ICO. In the summer, Brunel and King’s College had to sign undertakings promising to comply with the seventh data protection principle. More recently, the ICO reviewed King’s progress to make sure that the undertaking was still being adhered to. The ICO is incredibly vigilant when it comes to the regulation of higher education institutions, and it is therefore recommended that universities follow its guidelines carefully.
Of course, it is not just universities that need to be on their guard. The ICO has already investigated an NHS Trust, an Alzheimer’s charity, an accountancy firm and a local council since the start of this year.
The ICO’s most important role is to act as a deterrent for those organisations that are prone to ignoring data protection regulations; for this reason, the ICO publishes details of ongoing investigations it is involved in as a warning to others. This recent data breach once more highlights how human error continues to be one of the greatest risks to data security. Cyber criminals may be on the prowl, but data breaches are normally caused by problems closer to home. The breach underlines not only the importance of having sufficient employee data security training in place but also the need for information management support that will ensure mistakes are quickly rectified.