University’s Data Protection Breach

March 1, 2012

Durham University breached the Data Protection Act after disclosing personal information in training materials published on its web site, the Information Commissioner’s Office revealed on 1 March. It also published details of undertaking from three other organisations found to have been in breach.

The Durham University personal data was contained in screenshots used to demonstrate the use of particular University systems and included details such as names, addresses and dates of birth of up to 177 former students and staff. The information – which had not been anonymised – was made available on the University’s website in February 2011. The University discovered the error in July 2011 and removed the material before reporting the matter to the ICO.

The ICO’s investigation also uncovered that only 20% of the University’s staff were aware of the organisation’s data protection guidance. One to one training was only provided for a limited number of staff who were then responsible for disseminating their learning to colleagues. The University also failed to keep a record of which employees had received training.

The University has now committed to ensuring that all staff receive appropriate training on how to follow the organisation’s data protection guidance. It will also make sure that documents containing personal data will not be published on the University’s website.

Steve Eckersley, Head of Enforcement at the ICO, said:

‘All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff. It is vital that schools, colleges and universities introduce robust systems to handle their pupils’ information on electronic and paper based systems in compliance with the Data Protection Act and we will continue to work with those in the education sector to ensure they are keeping young peoples’ details secure.’

Other undertakings have been signed by:

  • Community Integrated Care, a national social care charity – this follows the theft of an unencrypted laptop containing personal and sensitive personal data
  • London Borough of Croydon- this follows the theft of a bag belonging to a social worker from a public house in London and was widely covered earlier
  • Dr Pervinder Sanghera of Arthur House Dental Care –  this follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.


View the Durham University undertaking

Read all the new data protection undertakings

Guidance from the ICO for the education sector on how they can comply with the Data Protection Act