School breaches Data Protection Act

A SCHOOL was found to have breached the Data Protection Act after a 15 year old pupil hacked into its website and exposed the personal details of 20,000 people, including medical information on more than 7,000 pupils.

The 15-year-old from Hampshire broke into Bay House School, Gosport's, private database in March after he obtained the password from a member of staff.

The student then revealed the names, addresses, photographs and medical information of 7,600 past and present pupils, plus confidential details on about 13,000 adults. The cheeky youngster has since been suspended.

The school was ruled to have breached the Data Protection Act after an investigation by the Information Commissioner's office (ICO) found it used the same password for both its website and its data management systems

Although the school had advised its staff to avoid duplicate passwords, it did not enforce the policy. Luckily for the school, no further action has been taken after its head teacher, Ian Potter, signed an undertaking to ensure reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school's systems.

The ICO said there was "no evidence" the student had done any more than expose the details to his friends.

A statement from Bay House school said, "We are pleased to learn from the ICO that it is taking no further steps, because we have fully co-operated with the commissioner's office. We take very seriously the security of our data system. In this case we were able to act very quickly to identify the hacker and take appropriate action." µ