University’s data breach emphasises importance of staff training

The Information Commissioner's Office (ICO) has today announced that Durham University has entered into an undertaking following an unusual data breach incident.

The university posted training materials on its website that contained a number of screenshots. Unfortunately, the screenshots contained personal information (including names, addresses and dates of birth) about former students and staff. The information had been neither pixelated nor anonymised, and was online for five months before it was discovered.

When the university finally discovered the error, it took the materials off the website and notified the ICO.

Staff Training
In the course of its investigations, the ICO discovered that only 20% of the university's staff had actually accessed the online data protection training materials. The university had intended to provide training through local training sessions in different departments (on a train-the-trainer basis), but had not kept records of what training had actually taken place, the quality of that training, or who had attended.

Accordingly, the university was unable to demonstrate to the ICO that its staff had been made aware of the university's data protection policies, and therefore that it had taken appropriate steps to protect the personal data in its possession.

Once again, this data breach appears to have arisen out of human error, albeit one that could have been avoided had the staff in question been properly aware of the university’s obligations under the Data Protection Act.

Good practice guidance
The undertaking given by the university contains some useful recommendations that all organisations should adopt:

  • All staff shall be made aware of the data controller's policies for the processing of personal data and appropriately trained in how to follow those policies;
  • Compliance with the data controller's policies on data protection and IT security issues shall be appropriately and regularly monitored;
  • Compliance with the above training requirements shall be appropriately monitored and recorded, and those staff whose work involves access to personal data and who have not undertaken such training shall be required to do so as a matter of absolute priority.

Twitter: @BrodiesTechBlog feed

March 2012