Uni rapped for Data Protection breach

Prof Alan Gilbert

The University of Manchester has landed itself in trouble with the Information Commissioner’s Office (ICO) after a staff member’s blunder resulted in the personal deatils of more than 1,700 students being e-mailed to 469 other students.

The university’s vice-chancellor Prof Alan Gilbert has now had to sign a formal undertaking to improve data security to ensure that a similar incident does not occur in the future.

The formal undertaking (link) reveals that a chain of mistakes within the University led to the e-mail being sent out to students.

It says: “The Information Commissioner was provided with a report from the data controller, regarding the accidental publication of a computerised spreadsheet which contained the personal data of some 1,755 students.

This data included information relating to certain students ‘disabilities’ (“sensitive personal data” as defined by the Act). The information was published when a member of the University staff accidentally sent it as an attachment to an email, forwarded to some 469 students.

The information accidentally published was forwarded to the staff member by a colleague, when they had requested a list of the email addresses of certain students.

An extract of the full student record was provided, despite the fact that the staff member had no business need to acquire the full information, which included “sensitive personal information”. This was due to a fault in the relevant procedure, which has since been addressed.

The data controller did not on this occasion ensure adequate measures were taken, including ensuring compliance with training and procedures, to prevent the inappropriate internal transfer of the information, and its subsequent publication via the email attachment.

The Commissioner has taken into account the fact that the personal data in question related to details of disability, and could therefore potentially result in significant distress being caused to the individuals concerned.”

Mick Gorrill, Assistant Information Commissioner at the ICO, said: “The Data Protection Act clearly states that organisations, including universities, must take appropriate measures to ensure that personal information is kept secure. This case reinforces the importance that only those authorised should have access to sensitive personal information such as a student’s disabilities and other health details. Despite the absence of a justifiable reason, the staff member was able to access the information and send it to students and peers which could cause significant distress to individuals concerned.

“Under the Data Protection Act, organisations must ensure that their policies on the transfer, sharing and publication of personal information are adequate and that staff members are aware and understand those policies. Manchester University recognises the seriousness of this case and has agreed to take immediate remedial action.”