The BBC is reporting that personal details about hundreds of London-based research students were posted online in an apparent breach of data privacy laws.
The University of Greenwich has apologised and said it is in the process of contacting those affected.
The matter was brought to the BBC’s attention by one of the students, who discovered the information could be found via a Google search.
They also flagged the matter to the UK’s data watchdog.
The Information Commissioner’s Office has confirmed that an investigation is under way.
One legal expert warned there could be financial consequences.
“It does look as though there has been a significant breach of the Data Protection Act’s obligations to process personal data securely, fairly and lawfully,” said Ruth Boardman from the law firm Bird & Bird.
“[The university] may face enforcement action by the Information Commissioner (ICO) and claims by affected individuals.
“Under new rules due to be adopted in Brussels later in March, it would face a penalty of up to 10m euros [$11.2m; £7.8m].”
Students’ names, addresses, dates of birth, mobile phone numbers and signatures were all uploaded to the university’s website…
…. In some cases, mental health and other medical problems were referenced to explain why students had fallen behind with their work…
“I am very sorry that personal information about a number of postgraduate research students has been accessible on the university website,” said Louise Nadal, the university’s secretary.
“This was a serious error, in breach of our own policies and procedures. The material has now been removed. This was an unprecedented data breach for the university and we took action as quickly as possible, once the issue came to light.
“We are now acting urgently to identify those affected. I will be contacting each person individually to apologise and to offer the support of the university.
“At the same time,I am also conducting an investigation into what went wrong. This will form part of a robust review, to make sure that this cannot happen again. The findings and recommendations of the review will be published.
“We are co-operating fully with the Information Commissioner and we will take all steps necessary to ensure that we have the best systems in place for the future.”…
Ms Boardman said the affair served as a warning to other organisations who might not be properly reviewing the material they posted online.
“Public bodies do have obligations to publish information,” the lawyer said.
“However, they must do so in a way which meets their obligations under data protection legislation.
“This breach shows the importance of doing this properly, so as to avoid causing significant distress to those whose information has been made available in this way.
Clearly this is a university story but we hear of accidental data breaches in schools too and it sounds like the penalties could be getting stiffer and stiffer.
The key lesson has to be that they are most often down to people and processes and if organisations aren’t taking steps to manage these then the ICO probably won’t look too kindly upon them.
Your thoughts and reactions?
Are you a trainee teacher, NQT, teacher, headteacher, parent or just someone who cares about education and has something to get off your chest in a Schools Improvement Guest Post? Follow this link for more details at the bottom of the page.Don’t forget you can sign up to receive our daily email bulletin (around 7am) with all the latest schools news stories. Your details will never be given to anyone else and you can unsubscribe at any stage. Just follow this link.
We now have a Facebook page - please click to like!