23 February, 2016
Data breaches being an unusual occurrence is a thing of the past. 2014 was dubbed "the year of the data breach" (report by Experian), and it seems that more and more we are seeing a range of organisations, including educational institutions, affected by data breaches.
The Information Commissioner's Office defines a data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service".
It can cover a range of situations, from someone obtaining unauthorised access to the data controller's data, to unauthorised access within an organisation, to a data controller's employee accidentally altering, deleting or disclosing personal data.
The University of Greenwich was recently reported to have caused a data breach whereby the personal data of its students had ended up being posted online.
The data disclosed included personal and sensitive data. The personal data included: names, addresses, dates of birth, mobile phone numbers and signatures of students, supervisor's comments about students' progress and email correspondence between university staff and students. The sensitive personal data related to mental health and other medical problems, including explanations as to why students had failed to maintain high academic standards.
Whilst the University of Greenwich was quick in its response to apologise for the blunder, it was only prompted to act after students raised this issue with news agencies and the university. The University explained "this was a serious error, in breach of our own policies and procedures. The material has now been removed" and "we are now acting urgently to identify those affected. I will be contacting each person individually to apologise… we are co-operating fully with the Information Commissioner and we will take all steps necessary to ensure that we have the best systems in place for the future."
An investigation by the Information Commissioner's Office has been launched and is at an early stage. Due to the range and volume of personal information that has been disclosed, it is likely that this may cause distress to individuals, and it is important that the University has acted quickly to mitigate further damage being caused.
There may be a range of causes resulting in a data breach including:
There are a number of consequences that may flow from a data breach including:
The experience of organisations that have faced a data breach indicates how exceptionally important planning is in preparing for, managing and responding to data breaches. In this regard, educational institutions and providers should consider their internal systems, processes and procedures to ensure that they have mechanisms in place to contribute to preventing, managing and responding to data breaches. This may include considering issues as wide ranging as having:
Some educational institutions are also subject to the Freedom of Information Act 2000, which may increase their liability in terms of wrongfully disclosing personal and/or sensitive data causing a data breach. To ensure that personal and sensitive data are handled properly and to reduce the risk of data breaches, educational institutions, just like businesses and other organisations, should carefully consider how prepared they are in this field because if you fail to plan, you plan to fail.
Forbes Solicitors regularly advise a range of educational institutions and providers in relation to data protection and freedom of information law and practice. This includes reviewing policies, providing training, providing assistance with subject access requests and freedom of information requests and conducting data protection audits. If you have any questions please contact Daniel Milnes.