School broke Data Protection Act

Bay House School in Hampshire has been criticised by the Information Commissioner's Office (ICO) for a breach of the Data Protection Act in which the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website. The ICO said the hack – which happened in March and involved one of the school's pupils – exposed pupils' names, addresses, photographs and some sensitive information relating to their medical history. Personal information relating to the pupils' parents and teachers was also compromised during the breach. The problem was identified shortly after the hack occurred and the security of the website was immediately restored. The school reported the breach to the ICO on 17 March. The ICO's investigation revealed that the security of the school website had been compromised by a member of staff who had used the same password to access both the school's website and data management systems. This password was subsequently discovered during the original hacking incident and then used by a pupil to access other parts of the system. The school had advised staff to avoid the use of duplicate passwords, but no checks were in place to make sure this policy was being followed. Sally Anne Poole, acting head of enforcement, said: "While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log-in to data systems that are supposed to be kept secure. This is particularly important when the systems allow access to sensitive information relating to young adults. "We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold." Ian Potter, the school's head teacher, has now signed an undertaking to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on its management system. The school is to make sure that all of its staff understands the school's guidance on the use of passwords, and its website will be regularly tested to ensure that personal information remains secure. This article is published by Guardian Professional. For weekly updates of news, debate and best practice on public sector IT, join the Government Computing Network here.