The University of Greenwich was issued with a fine of £120,000 by the ICO (Information Commissioner’s Office) for its failure to comply with the Data Protection Act 1998.
The fine was issued only days before the GDPR (General Data Protection Regulation) came into effect in England. The GDPR has since superseded the Data Protection Act. Under this previous Act, it was arguably more difficult to establish a claim for a data protection breach. This fine by the ICO also marked the first time a university had been at the receiving end of such a penalty.
The breach related to 19,500 individuals (made up of students, lecturers and alumni) having their data made available, including their names, addresses and phone numbers. The information had first been uploaded from inside the university as part of a training conference. However, the microsite where the information had been stored was never closed down correctly making it accessible and subject to an attack.
When deciding whether a business should be issued with a penalty the ICO will take into consideration if the organisation has technical and organisational practices in place to reduce the risk of any data protection breach. The ICO felt that the university didn’t have these practices in place and that a financial penalty was therefore appropriate.
In supporting its decision to issue the £120,000 fine the ICO stated that the individuals who had shared their data had the right to expect that their data would be held securely. The ICO also stated that it had taken into account the nature of the data and the number of the individuals who had been affected. Under the GDPR the financial penalties have been increased to fines of up to €20 million or 4% of annual global turnover, which means the university could have been faced with a much more substantial fine if the breach had occurred under the new rules. The university chose not to appeal the decision.
If you’re concerned that your business is not complying with the GDPR or you need help understanding its impact on your business, then contact Matt Worsnop on 0116 281 6235 or email firstname.lastname@example.org.