Personal data breach hits 9,000 Barnet schoolchildren




Barnet Borough Council has confirmed a data breach affecting 9,000 Year 11 students who attended its schools between 2006 and 2009. The breach occurred when a council worker's home was burgled earlier in March, resulting in the loss of encrypted computer equipment and of unencrypted CD-ROMs and USB memory sticks holding the data.

The personal data lost in the breach is wide-ranging: surnames, forenames, gender, date of birth, address, postcode, telephone number, ethnicity, in-care indicator, language, gifted and talented indicator, mode of travel to school, entry date to school, special educational needs indicator, and school.

The council worker in question has now been suspended.

Meanwhile, Barnet Borough Council has taken a number of steps to prevent a recurrence. It has carried out a full risk assessment on the information on the stolen CDs; made software changes to prevent staff saving any data onto unsecure memory devices (including CD-ROMs); confirmed that every council computer used by staff outside of the office is securely encrypted; and ordered a full independent enquiry into how this incident came to take place and how the council protects confidential information. The results of the enquiry will be reported back directly to Nick Walkley, CEO at Barnet Council.

The council also sent a letter to parents whose children have been affected by the data breach, informing them of the measures taken and giving details of a hotline for any further questions. Furthermore, Barnet’s website has confirmed that, based on advice from the police, the burglary was opportunistic rather than carried out by someone looking specifically to steal data.

“While Barnet council's lax rules may have allowed this data loss to happen, it did ensure that the stolen laptop was encrypted. Beyond this, the council's reaction puts the actions of many other organisations that have lost data, from other councils to multinational corporations, to shame,” said Chris McIntosh, CEO of encryption vendor Stonewood.

“The council has responded in exactly the way it should have. Data security has been put under draconian controls, the ICO and at risk individuals have been informed post haste, and it is evident that Barnet Council is acting to both minimise the effects of this theft and to tighten controls and prevent any further incidents in the future.”

He added, “This is a model that organisations should be more keen to follow, especially with the ICO's new punitive powers. However, an even better model would be preventing the loss in the first place.”

PublicTechnology.net has also contacted the Information Commissioner’s Office, which subsequently released the following statement. “The ICO takes breaches of individuals' privacy very seriously,” a spokesperson for the Information Commissioner’s Office said. “Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure.”

“The ICO encourages organisations to report any serious data security breaches so that the nature of the breach or loss can be considered.”