What is a data breach?
The Information Commissioner’s Office defines it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
It can cover a range of situations, from an outsider obtaining unauthorised access to the data controller’s data, to unauthorised access from within an organisation, to a data controller’s employee accidentally altering, deleting or disclosing personal data.
The case of the University of Greenwich
In 2016 the University of Greenwich was reported to have caused a data breach whereby the personal data of its students had ended up being posted online.
The data disclosed included personal and sensitive data. The personal data included: names, addresses, dates of birth, mobile phone numbers and signatures of students, supervisor’s comments about students’ progress and email correspondence between university staff and students.
Whilst the University of Greenwich was quick to apologise for the blunder, it was only prompted to act after students raised the issue with news agencies and the university. The University explained “this was a serious error, in breach of our own policies and procedures. The material has now been removed” and “we are now acting urgently to identify those affected. I will be contacting each person individually to apologise … we are co-operating fully with the Information Commissioner and we will take all steps necessary to ensure that we have the best systems in place for the future.”
An investigation by the Information Commissioner’s Office has been launched and is at an early stage. Given the range and volume of personal information disclosed, it is likely to cause distress to individuals, and it is important that the University has acted quickly to mitigate further damage.
What are the causes of a data breach?
There may be a range of causes resulting in data breach including:
- Inadvertent disclosure by staff whether electronically or otherwise;
- Unauthorised access to a data controller’s information system; and/or
- Cyber security incidents.
What are the consequences of a data breach?
There are a number of consequences that may flow from a data breach including:
- Damage to reputation including lack of trust from students or consumers;
- Fines being imposed by the ICO – the regulator at present has the power to impose monetary penalties up to £500,000 for serious breaches of data protection legislation. This is likely to be much more once the General Data Protection Regulation comes into force which is likely to impose a tiered fine system of either 4% or 2% of global turnover for businesses; and
- Claims by data subjects who have either been distressed or have suffered material damage because of the breach and who may seek compensation for either or both.
How to prepare for and respond to a data breach?
The experience of organisations that have faced a data breach shows how exceptionally important planning is to preparing for, managing and responding to data breaches. In this regard, educational institutions and providers should review their internal systems, processes and procedures to ensure they have mechanisms in place for preventing, managing and responding to data breaches. This may include considering issues as wide-ranging as having:
- Policies in place and providing sufficient training to staff;
- Sufficient internet security safeguards to detect and block threats;
- Specialised cross-organisational teams in place to manage and respond to data breaches including engaging management and external expertise;
- A data breach response plan including self-reporting;
- Specific budgets set aside for data breaches; and
- Insurance policies to cover breaches or cyber-attacks.
Some educational institutions are also subject to the Freedom of Information Act 2000, which may increase their liability if they wrongfully disclose personal and/or sensitive data and thereby cause a data breach. To ensure that personal and sensitive data are handled properly and to reduce the risk of data breaches, educational institutions, just like businesses and other organisations, should carefully consider how prepared they are in this field, because if you fail to plan, you plan to fail. Telkeda is here to help you; please contact us to discuss further.