Greenwich University fined £120,000 for data breach

The University of Greenwich has been fined £120,000 ($160,000) by the Information Commissioner.

The fine was for a security breach in which the personal data of 19,500 students was placed online.

The data included names, addresses, dates of birth, phone numbers, signatures and - in some cases - physical and mental health problems.

It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.

The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as "serious".

"Whilst the microsite was developed in one of the University's departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution," said Steve Eckersley, head of enforcement at the ICO.

"Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress.

"The nature of the data and the number of people affected have informed our decision to impose this level of fine."

In a statement, external, the university said it would not appeal against the decision.

It said it had carried out "an unprecedented overhaul" of its data protection and security systems since the discovery of the breach in 2016, and it had invested in both technology and staff.

It also said the fine would be reduced to £96,000 with a prompt payment discount.

"We acknowledge the ICO's findings and apologise again to all those who may have been affected," said University Secretary Peter Garrod.

"No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made.

"We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice."

The university was also involved in a separate data breach, which the BBC reported in 2016.

That case involved the personal details of postgraduate research students being made accessible via the university's website.

In one example, it was disclosed that a student had a brother who was fighting in a Middle Eastern army and references were made to an asylum application.

However, the university said that the ICO had concluded that no enforcement action was necessary in this instance.

Correction 22 May 2018: An earlier version of this report incorrectly attributed details of the second data breach to the one involved in the fine.