Durham University reports Data Protection breach to ICO

Durham University breached the Data Protection Act after disclosing personal information of up to 177 former students and staff on its website.  The individuals' names, addresses and dates of birth were displayed on screen shots that had been used in training materials to demonstrate the use of the University's systems.  The information was online for 5 months before the University discovered it, removed the information and reported the matter to the Information Commissioner's Office (ICO).  The ICO then launched an investigation into how the University handled personal data.

The ICO found that only 20% of the University's staff were aware of, and had accessed, the University's data protection guidance and on-line training materials available to them.  The University had a system in place whereby one-to-one training was provided to a limited number of staff who would then train their colleagues.  This system was not monitored and so the University was unable to demonstrate to the ICO that it had been followed correctly, if at all.

The University has since committed to ensuring that all of its staff receive comprehensive data protection training and that personal information shall not be shown on its website again.  There has so far been no indication that the University is to be fined. 

This case demonstrates the importance, for organisations handling personal information, of:
- ensuring that all staff are aware of existing data protection policies and have received adequate training;
- monitoring such training, to ensure that it is being carried out effectively; and
- keeping records of your organisation's compliance with the Data Protection Act so that, if required, it is possible to demonstrate that appropriate steps have been taken to protect personal information in your possession.