Manchester's undertaking (on the ICO website) suggests it was misguided rather than malicious:
(from http://www.ico.gov.uk/upload/documents/library/data_protection/notices/machester_uni_undertaking.pdf)
"
2. The Information Commissioner (the "Commissioner") was provided with a report from [name removed] acting on behalf of the data controller, regarding the accidental publication of a computerised spreadsheet which contained the personal data of some 1,755 students. This data included information relating to certain students 'disabilities' ("sensitive personal data" as defined by the Act). The information was published when a member of the University staff accidentally sent it as an attachment to an email, forwarded to some 469 students.
3. The information accidentally published was forwarded to the staff member by a colleague, when they had requested a list of the email addresses of certain students. An extract of the full student record was provided, despite the fact that the staff member had no business need to acquire the full information, which included "sensitive personal information". This was due to a fault in the relevant procedure, which has since been addressed.
"
Andrew
--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399
JANET, the UK's education and research network
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Griffiths, Ian
> Sent: 29 April 2009 16:46
> To: [log in to unmask]
> Subject: Re: ICO takes enforcement action against Manchester University
> for data breach
>
> Thanks Chris.
>
> I wonder about the motive for such a thing? This doesn't sound
> particularly accidental?
>
> Ian
>
>
>
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of chris pounder
> Sent: 29 April 2009 14:33
> To: [log in to unmask]
> Subject: [data-protection] ICO takes enforcement action against
> Manchester University for data breach
>
> I know there are a lot of academics on the list.
>
> C
>
> From: ICO Press Office [mailto:[log in to unmask]]
> Sent: 29 April 2009 13:59
> Cc: ICO Press Office
> Subject: ICO takes enforcement action against Manchester University for
> data breach
>
>
>
>
>
> Press Release
>
> 29 April 2009
>
>
> ICO takes enforcement action against Manchester University for data
> breach
>
> The Information Commissioner's Office (ICO) has taken regulatory action
> against the University of Manchester following a breach of the Data
> Protection Act.
>
> The personal records of over 1,700 students, including information on
> some students' disabilities, were published when a member of the
> university staff had unauthorised access to the information. The staff
> member emailed the information as an attachment to 469 other students.
>
> The University of Manchester has signed a formal undertaking outlining
> that it will process personal information in line with the Data
> Protection Act. The university will ensure all its staff have adequate
> training to prevent the inappropriate transfer of information and take
> all reasonable measures to safeguard personal data from accidental loss
> or destruction.
>
> Mick Gorrill, Assistant Information Commissioner at the ICO, said: "The
> Data Protection Act clearly states that organisations, including
> universities, must take appropriate measures to ensure that personal
> information is kept secure. This case reinforces the importance that
> only those authorised should have access to sensitive personal
> information such as a student's disabilities and other health details.
> Despite the absence of a justifiable reason, the staff member was able
> to access the information and send it to students and peers which could
> cause significant distress to individuals concerned.
>
> "Under the Data Protection Act, organisations must ensure that their
> policies on the transfer, sharing and publication of personal
> information are adequate and that staff members are aware and
> understand those policies. Manchester University recognises the
> seriousness of this case and has agreed to take immediate remedial
> action."
>
> Failure to meet the terms of the undertaking is likely to lead to
> enforcement action by the ICO. A copy of the undertaking can be
> downloaded from
> http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
>
> ENDS
>
> If you need more information, please contact the ICO press office on
> 020 7025 7580 or visit the website at: www.ico.gov.uk
> ________________________________________
> All archives of messages are stored permanently and are available to
> the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> Selected commands (the command has been filled in below in the body of
> the email if you are receiving emails in HTML format):
> * Leaving this list: send leave data-protection to
> [log in to unmask]
> * Suspending emails from all JISCMail lists: send SET * NOMAIL to
> [log in to unmask]
> * To receive emails from this list in text format: send SET data-
> protection NOHTML to [log in to unmask]
> * To receive emails from this list in HTML format: send SET data-
> protection HTML to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body
> of an otherwise blank email to [log in to unmask]
> Any queries about sending or receiving messages please send to the list
> owner [log in to unmask]
> (Please send all commands to [log in to unmask] not the list or
> the moderators, and all requests for technical help to
> [log in to unmask], the general office helpline)
> ________________________________________
> -----------------------------------------------------------------------
> ---------------------
> Please consider the environment before printing this email
> -----------------------------------------------------------------------
> ---------------------
> This email and any attachments are confidential and intended solely for
> the use of the individual to whom it is addressed. Any views or
> opinions presented are solely those of the author and do not
> necessarily represent those of Liverpool Community College or
> associated companies. You must not, directly or indirectly, use,
> disclose, distribute, print, or copy any part of this message if you
> are not the intended recipient.
>
> The message content of in-coming emails is automatically scanned to
> identify Spam and viruses otherwise Liverpool Community College does
> not actively monitor content. However, sometimes it will be necessary
> for Liverpool Community College to access business communications
> during staff absence.
>
> Liverpool Community College has taken steps to ensure that this email
> and any attachments are virus free. However, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility
> is accepted by Liverpool Community College for any loss or damage
> arising in any way from its use.
> -----------------------------------------------------------------------
> ---------------------
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
> list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|