PERSONAL details of more than 100 former staff and students have been disclosed on a university’s website.
Durham University displayed the details, including the names, addresses and dates of birth, of 177 individuals on its website for six months before the error was spotted.
Yesterday, the Information Commissioner’s Office (ICO) said the disclosure was a breach of the Data Protection Act and ordered the university to tighten up its procedures.
The university said that, since the lapse last year, action had been taken to improve data protection training for staff and improve information security.
The personal information was included in an online training manual published on the university’s website in February last year and remained online until the error was discovered by university staff in July.
The university removed the material and reported the matter to the ICO.
A subsequent ICO investigation found that only about 20 per cent of the university’s nonmanual staff had accessed the online training materials made available to them.
One-to-one training was only given to a limited number of staff, who were then responsible for passing on that training to their colleagues.
However, investigators said the university undertook no monitoring to confirm if this was done or, if it was, whether the information was conveyed correctly.
The university has since agreed to ensure that all staff receive appropriate training on how to follow data protection guidance and to make sure that documents containing personal data will not be published on its website.
Steve Eckersley, head of enforcement at the ICO, said: “All documents should be checked for personal information before being made available on a website.
“This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.”
A university spokesman said: “The university takes its responsibilities as a data controller very seriously.
“The undertaking we have signed with the Information Commissioner’s Office is a public statement of our intention to ensure that robust security measures are in place and that personal data is protected.
“The university is already implementing enhanced staff awareness and training provision as well as continuing to strengthen its information security policies and procedures.”
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here