School signs formal undertaking after website hack

Bay House School in Hampshire has been found to have breached the Data Protection Act following investigations carried out by the Information Commissioner’s Office (ICO).

Computer hackers, who are known to include at least one of Bay House School’s own pupils, accessed the school’s internal information management system via an attack on the school’s remotely-hosted website. As a result, almost 20,000 people’s personal details were put at risk.

Policies and procedures put in place by the school were meant to ensure that individuals’ usernames and passwords were different, but nothing was put in place to enforce this. As a result, the personal details of 20,000 individuals, including teachers, parents and around 7,600 pupils, risked being exposed online. The data included names, addresses, photographs and some sensitive medical history information.

“While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log in to data systems that are supposed to be kept secure. This is particularly important when the systems allow access to sensitive information relating to young adults,” said Sally Anne Poole, acting head of enforcement at the ICO.

The school has now agreed to ensure that confidential information is encrypted, and that procedures are enforced to protect sensitive data.

Comment
The failure that led to the breach was entirely human. Of course technical measures to safeguard data are absolutely vital and a critical part of data protection strategies; but policy and processes are just as important and often overlooked, probably because they are the most difficult aspect of data protection for organisations to manage. We are being asked more and more to provide support and assistance in this area and we’re able to provide an internal audit system which routinely reviews the healthy operation of work practices and their adherence to policy and procedure. Not only would we have been able to present a systematic data system review to the ICO to demonstrate good data governance, we might also have been able to help Bay House School identify process failure early on and avoid the breach in the first place.

The 4 P’s – Policy, Process, Procedure, and Practice – are going to become more and more important in the next few years.