A school in Hampshire has been found in breach of the Data Protection Act (DPA) after sensitive personal data it held on pupils and others was hacked.
The Information Commissioner's Office (ICO), which regulates DPA compliance, announced today that Bay House School had breached the data security and privacy law when it was hacked in March.
The breach put the personal details of nearly 20,000 individuals, including some 7,600 pupils, at risk. The details included names, addresses, photographs and some sensitive information relating to the pupils' medical history.
Personal information relating to the pupils' parents and teachers was also compromised during the breach.
Ian Potter, head teacher of Bay House School, stated in an undertaking he was required to sign by the ICO that hackers, including one of the school's own pupils, gained access to the data controller's internal information management (IM) system via an attack on its remotely hosted website.
"Despite having a policy in place prohibiting the use of duplicate passwords, the data controller failed to identify that a staff member was employing the same password to access both the school's web and management systems," the undertaking said.
The duplicate password breach was identified shortly after the original hacking incident and the security of the website was restored. But the password was then used by a pupil to access other parts of the system.
The school had advised staff to avoid the use of duplicate passwords. However, the ICO said no checks were in place to make sure this policy was being followed.
The ICO also said the school reported the breach on 17 March.
Sally Anne Poole, the ICO acting head of enforcement, said that while it can be difficult to remember lots of different passwords, it wasessential that individuals do not use the same password to login to secure data systems.
"This is particularly important when the systems allow access to sensitive information relating to young adults," she added.
"We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold."
The undertaking requires the Portsmouth comprehensive to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the its management system.
The school must also make sure that all of their staff understands the school's guidance on the use of passwords. And its website must be regularly tested to ensure that the personal information remains secure.
Bay House School becomes another in a long line of public sector organisations to be reprimanded for breaching the DPA. The ICO also has the power to issue fines.
