University of York leaks student details

ICO makes professor sign an undertaking after 148 student records were wrongly made accessible to classmates for more than a year

The Information Commissioner's Office (ICO) has reprimanded the University of York for failing to close a test area on its website that contained thousands of students' personal details.

This breach of the Data Protection Act saw 148 records made public, including names, dates of birth, A-level results, mobile telephone numbers and addresses.

The breach occurred when a member of staff made an error while working on the university's IT system in September 2009.

As a result, students were able to access information about their classmates for more than a year before the problem was identified and the system's security restored.

Simon Entwisle, director of operations at the ICO, said: "This breach could have been avoided if the university had properly assessed the risks this work posed to the security of their students' details.

"The university also failed to test the security of its IT system once the work was complete, leading to an unnecessary delay in the error being corrected.

"Fortunately for the university, the information wasn't likely to cause the students substantial damage or distress. Therefore, a monetary penalty would not be appropriate in this case."

Professor Brian Cantor, vice chancellor at the University of York, has signed an undertaking to improve data security at the institution.