• Jump to Content [Accesskey 'c']
  • Jump to Navigation [Accesskey 'n']
  • Jump to Homepage [Accesskey '0']
TLT Solicitors
  • Resources
  • Events and Seminars
  • Seminars - Special Requirements
  • Publications
  • Links
  • Accessibility
  • Need to Know
  • Contact
  • Sitemap
  • Send to a colleague/friend
  • Print this page
  • Home
  • Expertise
  • Sectors
  • People
  • Careers
  • Resources
  • About TLT
  • Contact

Page Content

School data breach caused by inadequate enforcement procedures

Updated September 2011

A hacking incident at Bay House School in Hampshire was due to the school's breach of the Data Protection Act, the Information Commissioner's Office (ICO) has announced.

The incident from March this year exposed pupils' names, addresses, photographs and medical history as well as personal information of parents and staff. The ICO discovered the school's website security was compromised by a staff member who used identical passwords to access both the school's website and its data management systems. The school has now signed an undertaking to take all reasonable measures to encrypt and separate confidential information and ensure an appropriate password policy is followed.

This incident shows the importance of testing and enforcing data protection procedures. The school had told staff not to use duplicate passwords, but there were no checks in place to ensure the policy was being enforced. The school was also required to commit to testing the website regularly to ensure the systems remain secure. The ICO noted that it is particularly important to police these procedures in situations where there is sensitive information relating to young adults.

If you require any assistance in relation to data protection matters, please contact Alison Deighton.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.


Back to publications

Related information

  • Data Protection & Privacy

Contact

  • Alison Deighton
    Partner
    Tel: +44 (0)117 917 8016

  • Email

Related publications

  • Data breach by Lush sends warning to retailers
  • Google to improve privacy policies after ICO audit
  • Poor physical security controls leads to data breach at London hospital
  • Subscribe to legal updates

© 2012 TLT LLP