University published personal data in online training manual
News release: 1 March 2012
Durham University breached the Data Protection Act after disclosing personal information in training materials published on its website, the Information Commissioner’s Office (ICO) said today.
The personal data was contained in screenshots used to demonstrate the use of particular University systems and included details such as names, addresses and dates of birth of up to 177 former students and staff. The information - which had not been anonymised - was made available on the University’s website in February 2011. The University discovered the error in July 2011 and removed the material before reporting the matter to the ICO.
The ICO’s investigation also uncovered that only around 20% of the University’s non-manual staff had accessed the online training materials available to them.
One-to-one training was only provided for a limited number of staff who were then responsible for disseminating their learning to colleagues. The University undertook no monitoring to confirm if this was done or, if it was, whether the information was conveyed correctly.
The University has now committed to ensuring that all staff receive appropriate training on how to follow the organisation’s data protection guidance. It will also make sure that documents containing personal data will not be published on the University’s website.
Steve Eckersley, Head of Enforcement, said:
“All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.
“It is vital that schools, colleges and universities introduce robust systems to handle their pupils’ information on electronic and paper-based systems in compliance with the Data Protection Act and we will continue to work with those in the education sector to ensure they are keeping young people’s details secure.”
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
5. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press.