School and union's Data Protection Act breach 'inexcusable'

The Information Commissioner's Office (ICO) has reported that a school and a school union breached the Data Protection Act following the loss of laptops.

It reported that the Association of School and College Leaders (ASCL) breached the act in May 2011 when a laptop was stolen from an employee's home. Enquiries found that while the laptop had encryption software installed on it, the decision on whether or not to encrypt individual documents was left to the employee.

At the time of the theft, the laptop included unencrypted personal information relating to approximately 100 individuals, which included details of their membership of the union and, in some cases, details of their physical and mental health.

The ICO also reported that an unencrypted laptop was stolen from an unlocked office at Holly Park School in Barnet. The device contained pupils' names, addresses, exam marks and some limited information relating to their health.

Sally Anne Poole, acting head of enforcement at the ICO, said: “The ICO's guidance is clear: all personal information, the loss of which is liable to cause individuals damage and distress, must be encrypted.

“This is one of the most basic security measures and is not expensive to put in place, yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people's personal information at risk unnecessarily.”

Mike Smart, product and solutions director at SafeNet, said: “Two recent stories of serious data breaches at UK educational institutions suggest some school IT administrators need to go back to school on data protection strategies.

“Perhaps that's too strong a line, but it does beggar belief that encryption isn't being used either widely enough or at all. This is especially concerning given the sensitivity of the information at risk and the severe damage to a school's reputation and finances from falling foul of the regulators and the media.”

Chris McIntosh, CEO of ViaSat UK, said: “It still seems that too many organisations are learning to improve their data protection policies through being subject to a data loss: a clear case of locking the stable door even though the horse has not only bolted but wrecked the door in doing so.

“The ICO is right to keep banging the drum on encryption, as we can see from these cases it's not enough to simply place encryption software on a device and hope that workers will automatically know what data needs to be encrypted.

“Organisations need to employ the best encryption they can afford in tandem with rigorous policies to ensure that no sensitive data is left unencrypted, while educating employees on the need for data security and the consequences if it is ignored. Leaving devices unprotected, or protecting them but leaving the decision to encrypt to the individual worker simply isn't good enough: organisations must be able to guarantee that their data is protected at all times.”  
