> -----Original Message-----
> From: Simon Howarth [mailto:[log in to unmask]]
> Sent: 30 April 2009 12:44
> To: Andrew Cormack; [log in to unmask]
> Subject: RE: [data-protection] ICO takes enforcement action against
> Manchester University for data breach
>
> Ignorance is no defence.
I didn't mean to suggest it was. I was just noting that the assumption that both Ian ("This doesn't sound particularly accidental?") and I had made from reading the ICO's press release didn't seem to be correct from the text of the university's undertaking.
Cheers
Andrew
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Andrew Cormack
> Sent: 30 April 2009 12:24
> To: [log in to unmask]
> Subject: Re: [data-protection] ICO takes enforcement action against
> Manchester University for data breach
>
> Manchester's undertaking (on the ICO website) suggests it was misguided
> rather than malicious:
>
> (from
> http://www.ico.gov.uk/upload/documents/library/data_protection/notices/
> mache
> ster_uni_undertaking.pdf)
> "
> 2. The Information Commissioner (the "Commissioner") was provided with
> a
> report from [name removed] acting on behalf of the data controller,
> regarding the accidental publication of a computerised spreadsheet
> which
> contained the personal data of some 1,755 students. This data included
> information relating to certain students 'disabilities' ("sensitive
> personal
> data" as defined by the Act). The information was published when a
> member of
> the University staff accidentally sent it as an attachment to an email,
> forwarded to some 469 students.
>
> 3. The information accidentally published was forwarded to the staff
> member
> by a colleague, when they had requested a list of the email addresses
> of
> certain students. An extract of the full student record was provided,
> despite the fact that the staff member had no business need to acquire
> the
> full information, which included "sensitive personal information". This
> was
> due to a fault in the relevant procedure, which has since been
> addressed.
> "
>
> Andrew
>
> --
> Andrew Cormack, Chief Regulatory Adviser
> JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
> Campus, Didcot, OX11 0SG, UK
> Phone: +44 (0) 1235 822302
> Fax: +44 (0) 1235 822399
>
> JANET, the UK's education and research network
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
>
>
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues
> > [mailto:[log in to unmask]] On Behalf Of Griffiths, Ian
> > Sent: 29 April 2009 16:46
> > To: [log in to unmask]
> > Subject: Re: ICO takes enforcement action against Manchester
> University
> > for data breach
> >
> > Thanks Chris.
> >
> > I wonder about the motive for such a thing? This doesn't sound
> > particularly accidental?
> >
> > Ian
> >
> >
> >
> > From: This list is for those interested in Data Protection issues
> > [mailto:[log in to unmask]] On Behalf Of chris pounder
> > Sent: 29 April 2009 14:33
> > To: [log in to unmask]
> > Subject: [data-protection] ICO takes enforcement action against
> > Manchester University for data breach
> >
> > I know there are a lot of academics on the list.
> >
> > C
> >
> > From: ICO Press Office [mailto:[log in to unmask]]
> > Sent: 29 April 2009 13:59
> > Cc: ICO Press Office
> > Subject: ICO takes enforcement action against Manchester University
> for
> > data breach
> >
> >
> >
> >
> >
> > Press Release
> >
> > 29 April 2009
> >
> >
> > ICO takes enforcement action against Manchester University for data
> > breach
> >
> > The Information Commissioner's Office (ICO) has taken regulatory
> action
> > against the University of Manchester following a breach of the Data
> > Protection Act.
> >
> > The personal records of over 1,700 students, including information on
> > some students' disabilities, were published when a member of the
> > university staff had unauthorised access to the information. The
> staff
> > member emailed the information as an attachment to 469 other
> students.
> >
> > The University of Manchester has signed a formal undertaking
> outlining
> > that it will process personal information in line with the Data
> > Protection Act. The university will ensure all its staff have
> adequate
> > training to prevent the inappropriate transfer of information and
> take
> > all reasonable measures to safeguard personal data from accidental
> loss
> > or destruction.
> >
> > Mick Gorrill, Assistant Information Commissioner at the ICO, said:
> "The
> > Data Protection Act clearly states that organisations, including
> > universities, must take appropriate measures to ensure that personal
> > information is kept secure. This case reinforces the importance that
> > only those authorised should have access to sensitive personal
> > information such as a student's disabilities and other health
> details.
> > Despite the absence of a justifiable reason, the staff member was
> able
> > to access the information and send it to students and peers which
> could
> > cause significant distress to individuals concerned.
> >
> > "Under the Data Protection Act, organisations must ensure that their
> > policies on the transfer, sharing and publication of personal
> > information are adequate and that staff members are aware and
> > understand those policies. Manchester University recognises the
> > seriousness of this case and has agreed to take immediate remedial
> > action."
> >
> > Failure to meet the terms of the undertaking is likely to lead to
> > enforcement action by the ICO. A copy of the undertaking can be
> > downloaded from
> > http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
> >
> > ENDS
> >
> > If you need more information, please contact the ICO press office on
> > 020 7025 7580 or visit the website at: www.ico.gov.uk
> > ________________________________________
> > All archives of messages are stored permanently and are available to
> > the world wide web community at large at
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > Selected commands (the command has been filled in below in the body
> of
> > the email if you are receiving emails in HTML format):
> > * Leaving this list: send leave data-protection to
> > [log in to unmask]
> > * Suspending emails from all JISCMail lists: send SET * NOMAIL to
> > [log in to unmask]
> > * To receive emails from this list in text format: send SET data-
> > protection NOHTML to [log in to unmask]
> > * To receive emails from this list in HTML format: send SET data-
> > protection HTML to [log in to unmask]
> > All user commands can be found at
> > http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the
> body
> > of an otherwise blank email to [log in to unmask]
> > Any queries about sending or receiving messages please send to the
> list
> > owner [log in to unmask]
> > (Please send all commands to [log in to unmask] not the list or
> > the moderators, and all requests for technical help to
> > [log in to unmask], the general office helpline)
> > ________________________________________
> > ---------------------------------------------------------------------
> --
> > ---------------------
> > Please consider the environment before printing this email
> > ---------------------------------------------------------------------
> --
> > ---------------------
> > This email and any attachments are confidential and intended solely
> for
> > the use of the individual to whom it is addressed. Any views or
> > opinions presented are solely those of the author and do not
> > necessarily represent those of Liverpool Community College or
> > associated companies. You must not, directly or indirectly, use,
> > disclose, distribute, print, or copy any part of this message if you
> > are not the intended recipient.
> >
> > The message content of in-coming emails is automatically scanned to
> > identify Spam and viruses otherwise Liverpool Community College does
> > not actively monitor content. However, sometimes it will be
> necessary
> > for Liverpool Community College to access business communications
> > during staff absence.
> >
> > Liverpool Community College has taken steps to ensure that this email
> > and any attachments are virus free. However, it is the
> responsibility
> > of the recipient to ensure that it is virus free and no
> responsibility
> > is accepted by Liverpool Community College for any loss or damage
> > arising in any way from its use.
> > ---------------------------------------------------------------------
> --
> > ---------------------
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > All archives of messages are stored permanently and are
> > available to the world wide web community at large at
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > If you wish to leave this list please send the command
> > leave data-protection to [log in to unmask]
> > All user commands can be found at
> > http://www.jiscmail.ac.uk/help/commandref.htm
> > Any queries about sending or receiving messages please send to the
> > list owner
> > [log in to unmask]
> > Full help Desk - please email [log in to unmask] describing
> your
> > needs
> > To receive these emails in HTML format send the command:
> > SET data-protection HTML to [log in to unmask]
> > (all commands go to [log in to unmask] not the list please)
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
> list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|