IFSEC Insider | Security and Fire News and Resources

Police and university websites involved in Data Protection Act breaches

Details were disclosed after the Lancashire Police Authority (LPA) failed to redact the information – which was marked as restricted – from two documents before they were published online.

The LPA also failed to remove the information after the complainant made them aware of the breach on 24 January this year. This meant that the information was available online for a further four days before it was removed.

The Information Commissioner’s Office (ICO) has now ordered the LPA to make sure that any information due for release on its website is checked and correctly redacted before it’s made available.

In addition, the LPA has agreed to introduce a new policy for staff which explains the actions they must take when informed of a possible data breach.

Director of operations at the ICO, Simon Entwisle, told SMT Online: “While it’s important that public authorities are transparent about the work they do by publishing information online, this should never be at the expense of an individual’s rights to privacy. There can be no excuse for publishing someone’s personal information online, and the fact that the LPA failed to remove the detail when told makes this case all the more concerning.”

Entwisle added: “We are pleased that the Lancashire Police Authority will now make sure any documents due for release are properly checked by suitably trained staff. This case should act as a warning to all public sector authorities that information security must be seen as a priority across the organisation.”

Miranda Carruthers-Watt, chief executive of the Lancashire Police Authority, has now signed an undertaking to ensure that procedures are introduced to make sure that all minutes and agendas are quality assured by an appropriate member of staff prior to being published on the LPA’s website.

The LPA will also develop a policy for staff explaining the actions they should take when receiving notice of a data breach as well as providing appropriate training and support on how to follow it.

University breached law by making students’ details available online

The University of York has breached the Data Protection Act by failing to close a test area on its website that contained thousands of students’ personal details, the ICO has reported.

While no direct link was available for the test area from the University’s website, 148 records were inappropriately accessed.

The information included students’ names, dates of birth, A-level results, mobile telephone numbers and addresses.

The breach occurred in September 2009 when a member of staff failed to realise they had made an error while carrying out work on the university’s IT system. The error meant that students were able to access information about their classmates for over a year before the problem was identified and the security of the system restored.

Simon Entwisle commented: “We recognise that people can make mistakes when handling data – that’s why it’s so vital adequate checks and security measures are put in place. This breach could have been avoided if the university had properly assessed the risks that this work posed to the security of their students’ details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected.”

He added: “Fortunately for the university, the information made available wasn’t likely to cause the students substantial damage or distress. Therefore a monetary penalty would not be appropriate in this case. We are satisfied that the University of York has now taken action to improve the security of its IT systems, including carrying out regular testing.”

The ICO wants to raise awareness of information rights issues among students and young people. To this end, the Information Commissioner Christopher Graham will shortly launch the 2011 Student Brand Ambassador campaign aimed at spreading the word on how people can exercise their rights under the Data Protection Act, including tips on how to keep personal information secure.

It’s reported that 15 students from universities across the UK will act as champions and ambassadors.

Professor Brian Cantor, Vice Chancellor of the University of York, has now signed an undertaking to improve data security at the institution. This includes making sure that appropriate security is in place following any maintenance work being carried out on their system.

Any parts of the university’s IT system containing personal information should also be subject to annual testing to ensure the information remains secure.
