
School and union's Data Protection Act breach 'inexcusable'

The Information Commissioner's Office (ICO) has reported that a school and a school union breached the Data Protection Act following the loss of laptops.

It reported that the Association of School and College Leaders (ASCL) breached the act in May 2011 when a laptop was stolen from an employee's home. Enquiries found that while the laptop had encryption software installed on it, the decision on whether or not to encrypt individual documents was left to the employee.

At the time of the theft, the laptop included unencrypted personal information relating to approximately 100 individuals, which included details of their membership of the union and, in some cases, details of their physical and mental health.

The ICO also reported that an unencrypted laptop was stolen from an unlocked office at Holly Park School in Barnet. The device contained pupils' names, addresses, exam marks and some limited information relating to their health.

Sally Anne Poole, acting head of enforcement at the ICO, said: “The ICO's guidance is clear: all personal information, the loss of which is liable to cause individuals damage and distress, must be encrypted.

“This is one of the most basic security measures and is not expensive to put in place, yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people's personal information at risk unnecessarily.”

Mike Smart, product and solutions director at SafeNet, said: “Two recent stories of serious data breaches at UK educational institutions suggest some school IT administrators need to go back to school on data protection strategies.

“Perhaps that's too strong a line, but it does beggar belief that encryption isn't being used either widely enough or at all. This is especially concerning given the sensitivity of the information at risk and the severe damage to a school's reputation and finances from falling foul of the regulators and the media.”

Chris McIntosh, CEO of ViaSat UK, said: “It still seems that too many organisations are learning to improve their data protection policies through being subject to a data loss: a clear case of locking the stable door even though the horse has not only bolted but wrecked the door in doing so.

“The ICO is right to keep banging the drum on encryption, as we can see from these cases it's not enough to simply place encryption software on a device and hope that workers will automatically know what data needs to be encrypted.

“Organisations need to employ the best encryption they can afford in tandem with rigorous policies to ensure that no sensitive data is left unencrypted, while educating employees on the need for data security and the consequences if it is ignored. Leaving devices unprotected, or protecting them but leaving the decision to encrypt to the individual worker simply isn't good enough: organisations must be able to guarantee that their data is protected at all times.”  
