The University of Greenwich is under fire after it accidentally posted sensitive information on postgraduate students, including details on health issues, to its public-facing website.
The incident appears to have breached the Data Protection Act and watchdog the Information Commissioner’s Office (ICO) is said to be investigating.
The matter was brought to the attention of the BBC by a student at the university who came across the information through a simple Google search.
Details included students' names, addresses, dates of birth, mobile phone numbers and signatures, alongside minutes from a university committee governing research students.
These notes apparently included information on mental health and other medical problems as well as details of one student whose brother was fighting in a Middle Eastern army – with references made to an asylum application, the BBC claimed.
Emails between staff and students were also said to have been exposed online.
The university has contacted Google to remove cached copies of the data from the web, and apologized for the error.
“This was a serious error, in breach of our own policies and procedures. The material has now been removed. This was an unprecedented data breach for the university and we took action as quickly as possible, once the issue came to light,” said secretary Louise Nadal.
“At the same time, I am also conducting an investigation into what went wrong. This will form part of a robust review, to make sure that this cannot happen again. The findings and recommendations of the review will be published.”
Experts were quick to highlight the case as a failure of policy and procedure.
Michael Hack, senior vice president of EMEA operations at Ipswitch, argued that forthcoming European data protection regulations will levy severe financial penalties on this kind of thing in the future if it’s found to stem from negligence.
“Whether private or public sector, when it comes to securing, storing and sharing confidential data, organizations must make sure they have the right policies and process in place,” he added.
“This includes using secure data management and transfer technologies, security systems and most importantly, providing essential staff training across the board.”
Greg Hanson, VP business operations EMEA at Informatica, argued that a data-centric security strategy is a must in today’s climate.
“In order to protect data, wherever it may be, organizations need to be able to identify where it originates in order to secure it, whether it is in transit or at its destination. For many organizations, a complete reassessment of security procedures is required,” he added.