September 18 2014 Latest news:
by Tom Marshall
Friday, January 17, 2014
A school has reported itself to a government watchdog after a data protection blunder affecting hundreds of pupils was unearthed by the writers of a student website.
The personal details of more than 400 pupils were accidentally left in a shared folder on the school network at Hampstead School in Westbere Road, Cricklewood.
The admin error, which was the result of a botched mailshot, only came to light when it was discovered by The Hampstead Trash, a self-styled “satirical” blog run by pupils that is often critical of the school’s management.
The secondary, which has a “good” Ofsted rating, has reported the matter to the Information Commissioner’s Office, which can impose fines of up to £500,000 for data protection breaches.
The spreadsheet in question, which included names of pupils along with their parents’ names, addresses, phone numbers and in some cases emails, was available to every pupil at the school for nearly 18 months before anyone realised.
In a blog post published on Monday, an anonymous writer for The Hampstead Trash said it was “highly immoral” to leave personal details “susceptible to copying” and warned of potentially dire consequences.
The blogger said: “Not only is the list available to copy by any student at Hampstead, the students and their parents could be vulnerable to possible blackmailers, who could have had access to the list.
“It is distressing that a school, that is trusted by members of society and children, who are legally entrusted with personal details, would be so lacklustre with such things.”
The document has now been deleted, but the blogger added: “If we hadn’t intervened, it would be only a matter of time before someone, perhaps less mature with the information, would have got their hands on it.”
The school said the document was created in July 2012, but claimed nobody accessed the file until the bloggers did so.
A school spokesman said: “We take security of personal information very seriously and this is the first time that a data protection breach has occurred.
“We have reminded all existing staff of their responsibilities around data protection, and are carrying out refresher training.”