This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

School and union's Data Protection Act breach 'inexcusable'

Share this article:
Schoolboy errors in Hampshire school hack attack, 20,000 at risk
Schoolboy errors in Hampshire school hack attack, 20,000 at risk
The Information Commissioner's Office (ICO) has reported that a school and a school union breached the Data Protection Act following the loss of laptops.

It reported that the Association of School and College Leaders (ASCL) breached the act in May 2011 when a laptop was stolen from an employee's home. Enquires found that while the laptop had encryption software installed on it, the decision on whether or not to encrypt individual documents was left to the employee.

At the time of the theft, the laptop included unencrypted personal information relating to approximately 100 individuals, which included details of their membership of the union and, in some cases, details of their physical and mental health.

The ICO also reported that an unencrypted laptop was stolen from an unlocked office at Holly Park School in Barnet. The device contained pupils' names, addresses, exam marks and some limited information relating to their health.

Sally Anne Poole, acting head of enforcement at the ICO, said: “The ICO's guidance is clear: all personal information, the loss of which is liable to cause individuals damage and distress, must be encrypted.

“This is one of the most basic security measures and is not expensive to put in place, yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people's personal information at risk unnecessarily.”

Mike Smart, product and solutions director at SafeNet, said: “Two recent stories of serious data breaches at UK educational institutions suggests some school IT administrators need to go back to school on data protection strategies.

“Perhaps that's too strong a line, but it does beggar belief that encryption isn't being used either widely enough or at all. This is especially concerning given the sensitivity of the information at risk and the severe damage to a school's reputation and finances from falling foul of the regulators and the media.”

Chris McIntosh, CEO of ViaSat UK, said: “It still seems that too many organisations are learning to improve their data protection policies through being subject to a data loss: a clear case of locking the stable door even though the horse has not only bolted but wrecked the door in doing so.

“The ICO is right to keep banging the drum on encryption, as we can see from these cases it's not enough to simply place encryption software on a device and hope that workers will automatically know what data needs to be encrypted.

“Organisations need to employ the best encryption they can afford in tandem with rigorous policies to ensure that no sensitive data is left unencrypted, while educating employees on the need for data security and the consequences if it is ignored. Leaving devices unprotected, or protecting them but leaving the decision to encrypt to the individual worker simply isn't good enough: organisations must be able to guarantee that their data is protected at all times.”  

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

VC cyber security funding tops £850 million

VC cyber security funding tops £850 million

A new study from US-based research firm CBI Insights reveals that corporate cyber security investments have risen five-fold since 2009, with 30 percent growth in the last year alone.

Russian/Chinese cyber-security pact raises concerns

Russian/Chinese cyber-security pact raises concerns

News that Russia and China are set to sign a cyber-security treaty next month have left Western cyber experts unsure whether it is a threat or a promising development.

UK police arrest trio over £1.6 million cyber theft from cash machines

UK police arrest trio over £1.6 million cyber ...

London Police have arrested three suspected members of an Eastern European cyber-crime gang who installed malware on more than 50 bank ATM machines across the UK to steal £1.6 million.