Indeed, I did initially wonder how a disclosure of this nature could in fact be accidental. It would take both glaring ignorance of the law and crucially, as is my complete guess, a lack of ability to distinguish a spreadsheet with hidden columns and an AutoFilter enabled (I'm presuming Microsoft) from one in which the visible data set was the complete data set.
Evidently such a circumstance is entirely plausible. I hope this doesn't offend my colleagues too much.
Interesting to me in this case is that there appears to be an IT training issue as well as a DPA one.
Ian
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Andrew Cormack
Sent: 01 May 2009 12:55
To: [log in to unmask]
Subject: Re: [data-protection] ICO takes enforcement action against Manchester University for data breach
> -----Original Message-----
> From: Simon Howarth [mailto:[log in to unmask]]
> Sent: 30 April 2009 12:44
> To: Andrew Cormack; [log in to unmask]
> Subject: RE: [data-protection] ICO takes enforcement action against
> Manchester University for data breach
>
> Ignorance is no defence.
I didn't mean to suggest it was. I was just noting that the assumption that both Ian ("This doesn't sound particularly accidental?") and I had made from reading the ICO's press release didn't seem to be correct from the text of the university's undertaking.
Cheers
Andrew
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Andrew Cormack
> Sent: 30 April 2009 12:24
> To: [log in to unmask]
> Subject: Re: [data-protection] ICO takes enforcement action against
> Manchester University for data breach
>
> Manchester's undertaking (on the ICO website) suggests it was misguided
> rather than malicious:
>
> (from
> http://www.ico.gov.uk/upload/documents/library/data_protection/notices/machester_uni_undertaking.pdf)
> "
> 2. The Information Commissioner (the "Commissioner") was provided with a
> report from [name removed] acting on behalf of the data controller,
> regarding the accidental publication of a computerised spreadsheet which
> contained the personal data of some 1,755 students. This data included
> information relating to certain students 'disabilities' ("sensitive personal
> data" as defined by the Act). The information was published when a member of
> the University staff accidentally sent it as an attachment to an email,
> forwarded to some 469 students.
>
> 3. The information accidentally published was forwarded to the staff member
> by a colleague, when they had requested a list of the email addresses of
> certain students. An extract of the full student record was provided,
> despite the fact that the staff member had no business need to acquire the
> full information, which included "sensitive personal information". This was
> due to a fault in the relevant procedure, which has since been addressed.
> "
>
> Andrew
>
> --
> Andrew Cormack, Chief Regulatory Adviser
> JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
> Campus, Didcot, OX11 0SG, UK
> Phone: +44 (0) 1235 822302
> Fax: +44 (0) 1235 822399
>
> JANET, the UK's education and research network
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
>
>
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues
> > [mailto:[log in to unmask]] On Behalf Of Griffiths, Ian
> > Sent: 29 April 2009 16:46
> > To: [log in to unmask]
> > Subject: Re: ICO takes enforcement action against Manchester University
> > for data breach
> >
> > Thanks Chris.
> >
> > I wonder about the motive for such a thing? This doesn't sound
> > particularly accidental?
> >
> > Ian
> >
> >
> >
> > From: This list is for those interested in Data Protection issues
> > [mailto:[log in to unmask]] On Behalf Of chris pounder
> > Sent: 29 April 2009 14:33
> > To: [log in to unmask]
> > Subject: [data-protection] ICO takes enforcement action against
> > Manchester University for data breach
> >
> > I know there are a lot of academics on the list.
> >
> > C
> >
> > From: ICO Press Office [mailto:[log in to unmask]]
> > Sent: 29 April 2009 13:59
> > Cc: ICO Press Office
> > Subject: ICO takes enforcement action against Manchester University for
> > data breach
> >
> >
> >
> >
> >
> > Press Release
> >
> > 29 April 2009
> >
> >
> > ICO takes enforcement action against Manchester University for data
> > breach
> >
> > The Information Commissioner's Office (ICO) has taken regulatory action
> > against the University of Manchester following a breach of the Data
> > Protection Act.
> >
> > The personal records of over 1,700 students, including information on
> > some students' disabilities, were published when a member of the
> > university staff had unauthorised access to the information. The staff
> > member emailed the information as an attachment to 469 other students.
> >
> > The University of Manchester has signed a formal undertaking outlining
> > that it will process personal information in line with the Data
> > Protection Act. The university will ensure all its staff have adequate
> > training to prevent the inappropriate transfer of information and take
> > all reasonable measures to safeguard personal data from accidental loss
> > or destruction.
> >
> > Mick Gorrill, Assistant Information Commissioner at the ICO, said: "The
> > Data Protection Act clearly states that organisations, including
> > universities, must take appropriate measures to ensure that personal
> > information is kept secure. This case reinforces the importance that
> > only those authorised should have access to sensitive personal
> > information such as a student's disabilities and other health details.
> > Despite the absence of a justifiable reason, the staff member was able
> > to access the information and send it to students and peers which could
> > cause significant distress to individuals concerned.
> >
> > "Under the Data Protection Act, organisations must ensure that their
> > policies on the transfer, sharing and publication of personal
> > information are adequate and that staff members are aware and
> > understand those policies. Manchester University recognises the
> > seriousness of this case and has agreed to take immediate remedial
> > action."
> >
> > Failure to meet the terms of the undertaking is likely to lead to
> > enforcement action by the ICO. A copy of the undertaking can be
> > downloaded from
> > http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
> >
> > ENDS
> >
> > If you need more information, please contact the ICO press office on
> > 020 7025 7580 or visit the website at: www.ico.gov.uk
> > ________________________________________
> > All archives of messages are stored permanently and are available to
> > the world wide web community at large at
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > Selected commands (the command has been filled in below in the body
> of
> > the email if you are receiving emails in HTML format):
> > * Leaving this list: send leave data-protection to
> > [log in to unmask]
> > * Suspending emails from all JISCMail lists: send SET * NOMAIL to
> > [log in to unmask]
> > * To receive emails from this list in text format: send SET data-
> > protection NOHTML to [log in to unmask]
> > * To receive emails from this list in HTML format: send SET data-
> > protection HTML to [log in to unmask]
> > All user commands can be found at
> > http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the
> body
> > of an otherwise blank email to [log in to unmask]
> > Any queries about sending or receiving messages please send to the
> list
> > owner [log in to unmask]
> > (Please send all commands to [log in to unmask] not the list or
> > the moderators, and all requests for technical help to
> > [log in to unmask], the general office helpline)
> > ________________________________________
> > ---------------------------------------------------------------------
> --
> > ---------------------
> > Please consider the environment before printing this email
> > ---------------------------------------------------------------------
> --
> > ---------------------
> > This email and any attachments are confidential and intended solely
> for
> > the use of the individual to whom it is addressed. Any views or
> > opinions presented are solely those of the author and do not
> > necessarily represent those of Liverpool Community College or
> > associated companies. You must not, directly or indirectly, use,
> > disclose, distribute, print, or copy any part of this message if you
> > are not the intended recipient.
> >
> > The message content of in-coming emails is automatically scanned to
> > identify Spam and viruses otherwise Liverpool Community College does
> > not actively monitor content. However, sometimes it will be
> necessary
> > for Liverpool Community College to access business communications
> > during staff absence.
> >
> > Liverpool Community College has taken steps to ensure that this email
> > and any attachments are virus free. However, it is the
> responsibility
> > of the recipient to ensure that it is virus free and no
> responsibility
> > is accepted by Liverpool Community College for any loss or damage
> > arising in any way from its use.
> > ---------------------------------------------------------------------
> --
> > ---------------------
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > All archives of messages are stored permanently and are
> > available to the world wide web community at large at
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > If you wish to leave this list please send the command
> > leave data-protection to [log in to unmask]
> > All user commands can be found at
> > http://www.jiscmail.ac.uk/help/commandref.htm
> > Any queries about sending or receiving messages please send to the
> > list owner
> > [log in to unmask]
> > Full help Desk - please email [log in to unmask] describing
> your
> > needs
> > To receive these emails in HTML format send the command:
> > SET data-protection HTML to [log in to unmask]
> > (all commands go to [log in to unmask] not the list please)
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>