ICO fines University of Greenwich £120,000

The Information Commissioner’s Office (ICO) has fined the University of Greenwich £120,000 for a data breach involving the personal data of nearly 20,000 people, including students and staff.

Greenwich is the first university to be fined by the ICO under the existing data protection legislation, which is soon to be replaced by new data protection legislation that is closely aligned to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which becomes enforceable by law on 25 May. 

The new legislation making its way through parliament provides for much greater fines of up to £17m or 4% of an organisation’s global turnover, compared with the maximum of £500,000 allowed under the Data Protection Act 1998.

The ICO’s investigation centred on a microsite developed by an academic and a student in the then-devolved University’s Computing and Mathematics School, to facilitate a training conference in 2004.

After the event, the ICO said the site was not subsequently closed down or secured and was compromised in 2013. In 2016, multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server.

The personal data included contact details of 19,500 people – including students, staff and alumni – such as names, addresses and telephone numbers. However, around 3,500 of these included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records, and was subsequently posted online.

Head of enforcement at the ICO, Steve Eckersley, said although the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.

“Students and members of staff had a right to expect that their personal information would be held securely, and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine,” he said.

The ICO found that the university did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that its systems could not be accessed by attackers.

The ICO said if it receives full payment of the monetary penalty by 15 June 2018, the monetary penalty will be reduced by 20% to £96,000.  However, this discount is not available if the university decides to exercise its right of appeal.