University avoids fine despite inappropriate access to personal details of students

A university has escaped a monetary penalty from the Information Commissioner's Office despite failing to close a test area on its website that contained personal details on thousands of its students.

An investigation by the ICO into the incident at the University of York found that while no direct link was available for the test area from the university website, some 148 records were still inappropriately accessed.

The personal information included students’ names, dates of birth, A-level results, mobile telephone numbers and addresses.

According to the ICO, a member of staff had failed to realise they had made an error when working on York’s IT system in September 2009. It took more than a year before the breach was identified and resolved.

Simon Entwisle, Director of Operations at the watchdog, said: “We recognise that people can make mistakes when handling data – that’s why it is so vital that adequate checks and security measures are put in place. This breach could have been avoided if the University had properly assessed the risks that this work posed to the security of their students’ details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected.”

The fact that the information made available was not likely to cause the students affected substantial damage or distress meant a monetary penalty was not appropriate, Entwisle said.

He added: “We are satisfied that the University of York has now taken action to improve the security of its IT system, including carrying out regular testing.”

Professor Brian Cantor, York’s Vice Chancellor, has signed an undertaking to improve data security at the institution. This includes:

  • Making sure that appropriate security is in place following any maintenance work being carried out on their system; and
  • Any parts of the university’s IT system containing personal information should be subject to annual testing to ensure the information remains secure.

Philip Hoult