The ICO announced this week that a former headteacher has been fined over £1000 by a magistrates’ court for unlawfully obtaining children’s personal data from previous schools where he had been employed.
Darren Harrison took the information from two primary schools where he had been employed and then transferred it to the computer system at his new school. As he had no lawful reason for such data processing, he was found to be in breach of the data protection legislation.
Six months into his role as Deputy Head at Isleworth Town Primary School, Harrison was suspended. A subsequent IT audit showed large volumes of sensitive personal data present on the Isleworth server from his previous schools, Spelthorne Primary and The Russell School in Richmond.
During the course of the investigation, Harrison provided no valid explanation of how the information had come to be on the Isleworth system (it had been uploaded from his USB stick), stating only that he had deleted the personal data from the stick.
In a subsequent interview with the Information Commissioner’s Office (ICO) Harrison read from a prepared statement advising the information had been taken for professional purposes.
Appearing before Ealing Magistrates’ Court, Harrison admitted two offences of unlawfully obtaining personal data in breach of s55 of the Data Protection Act 1998.
He was fined, and with the additional costs (a victim surcharge and court costs) the total came to over £1000.
In another incident, the University of Greenwich was fined £120,000 by the Information Commissioner following a “serious” security breach involving the personal data of nearly 20,000 people.
The personal data comprised the contact details (names, addresses and telephone numbers) of 19,500 students, staff and alumni. For around 3,500 of these, the data also included sensitive information such as extenuating circumstances, details of learning difficulties and staff sickness records, and this was subsequently posted online.
The breach was caused by a microsite on the University’s infrastructure, created by an academic with the University’s consent to facilitate a training conference as long ago as 2004. The site had an anonymous upload function to allow delegates to upload conference papers. Following the conference, the site was neither removed nor disabled, and it did not receive regular security updates. In 2013 it became apparent that the site had been compromised.
In mid-January 2016, hackers exploited this microsite using SQL injection to gain access to an account with sufficient permissions to upload PHP exploits. These exploits in turn allowed the attackers to gain access to other databases hosted on the web server. The attacker then extracted the data.
The case of Harrison is symptomatic of careless IT practice and a lack of care with regard to personal data. We have always recommended not using portable storage devices, for reasons like the Harrison case but also for cyber hygiene. He took large amounts of data, admitted taking it for ‘professional reasons’ and accepted that he had no right to process the data. For the latter, he was in breach of the DPA. Not only did he face a fine and costs, he also lost his job!
A representative of the ICO said that “they (the ICO) will continue to take action against those who they find have abused their position of trust.”
What could the three schools have done to prevent this happening?
- Ban and block the use of USB storage devices to prevent anything being saved to them.
- Use cloud services where documents are accessed and worked on ‘in the cloud’, with download functions turned off.
- Carry out data discovery to understand where data is being stored and by whom.
- Put in place an ‘Acceptable Use Policy’ that makes the use of USB storage a disciplinary matter.
- Create a security culture that encourages staff to discourage bad practices and behaviours.
How could the University have prevented their incident?
- Conducting an exercise to understand exactly what was on their network. This would have revealed the presence of microsites that were simply not needed.
- An audit showing where student and other personal data was stored, and the associated risk, would have revealed how easily a theft could take place.
- Understanding the age of the data and why it was stored might have helped reduce the impact. If this data, or some of it, was historic and not required, then surely it would have been worth deleting, thereby reducing the size and impact of the breach.
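The data discovery recommended for the schools and the “what is on our network, how old is it” audit recommended for the University come down to the same mechanical task: find files that contain personal data and report how stale they are. The script below is an added example written for this post, not code from the ICO or from either institution; the detection patterns (a simplified e-mail, UK phone and UK National Insurance number match), the sample files and their ages are all constructed for illustration and will produce false positives on real data, so treat it as a first-pass inventory to review, not a classifier.

```python
"""
Added example: a minimal personal-data discovery scan.

Walks a directory tree, counts matches for a few personal-data patterns in
each readable text file and records how old the file is, so that stale
copies of personal data (old school records, a conference site from 2004)
can be found and reviewed for deletion.
"""
import os
import re
import tempfile
import time

# Constructed, deliberately simple patterns (assumptions for this example).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK landline/mobile shapes such as "020 7946 0123" or "01784 123456".
    "uk_phone": re.compile(r"\b0\d{2,4}[ ]?\d{3,4}[ ]?\d{3,4}\b"),
    # UK National Insurance number, e.g. "AB 12 34 56 C" (prefix rules omitted).
    "ni_number": re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
}


def scan_text(text):
    """Return {pattern_name: match_count} for one document's text."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}


def scan_tree(root, stale_days=365, now=None):
    """Walk `root`; return one finding per file that matches any pattern.

    A finding records the relative path, per-pattern counts, the file's age
    in days and whether it is older than `stale_days` (deletion candidate).
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if not any(counts.values()):
                continue
            age_days = (now - os.path.getmtime(path)) / 86400
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "counts": counts,
                "age_days": round(age_days),
                "stale": age_days > stale_days,
            })
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample tree: relative path -> (days since modified, content).
SAMPLE_FILES = {
    "conference2004/uploads/delegates.csv": (
        4000, "name,email,phone\nJ Bloggs,j.bloggs@example.org,020 7946 0123\n"),
    "staff/sickness_2016.txt": (
        30, "Staff member AB 12 34 56 C absent 3 days.\nContact: 01784 123456\n"),
    "teaching/timetable.txt": (10, "Period 1: Maths\nPeriod 2: Science\n"),
}


def build_sample_tree(root, now=None):
    """Write the constructed sample files under `root` with back-dated mtimes."""
    now = time.time() if now is None else now
    for rel, (age_days, content) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root


def demo_scan(stale_days=365):
    """Build the sample tree in a temporary directory and scan it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, now=now)
        return scan_tree(tmp, stale_days=stale_days, now=now)


if __name__ == "__main__":
    for f in demo_scan():
        flag = "STALE  " if f["stale"] else "current"
        print(f"{flag} {f['age_days']:>5}d {f['path']}: {f['counts']}")
```

Run against a real file share, the `stale` flag is the part that matters most: a file full of contact details that nobody has touched in years is exactly the kind of record the University could have deleted before 2016, and the per-pattern counts give the DPO a ranked list of where to look first.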
So, why do educational establishments need a Data Protection Officer?
- A good DPO is truly independent; an external DPO is even better.
- To data map and discover data silos.
- To understand the flow of data around the establishment.
- To audit systems, users and their behaviours.
- To record data breaches and report them where appropriate.
- To handle DSARs in a compliant manner and record all requests and outcomes.
- To ensure the supply chain is compliant and monitor this.
- To help create a GDPR culture and train all the people in the school.