ICO raps Durham University over online data breach

Durham University has been slapped on the wrist by the UK's data protection watchdog after posting the personal information of around 170 former students and staff online.

The university posted screenshots of the people's names, addresses and dates of birth in February 2011, in an attempt to "demonstrate the use of particular university systems", the Information Commissioner's Office (ICO) said on Thursday.

"The university discovered the error in July 2011 and removed the material before reporting the matter to the ICO," the watchdog said in a statement. "The university has now committed to ensuring that all staff receive appropriate training on how to follow the organisation’s data protection guidance."

"It will also make sure that documents containing personal data will not be published on the university's website," the ICO added.

When the ICO investigated the data breach, it found that only a fifth of the university's "non-manual" staff had accessed the institution's data-protection online training materials. Some staff were trained and were then expected to educate their colleagues, but the university did not monitor whether this actually happened.

"All documents should be checked for personal information before being made available on a website," ICO enforcement chief Steve Eckersley said. "This case also highlights the importance of organisations having comprehensive data protection training in place for all staff."