York University data leak unnecessary
George Knox reiterates the message around information security
Students' addresses, phone numbers, dates of birth, emergency contact details and A-level results were leaked recently through a University of York web site.
This privacy breach is potentially damaging. Not only could the Information Commissioner fine the institution up to £500,000, but the brand could be harmed and the university is liable.
Requesting personal data is a serious business. Every university, hospital, retailer, government agency or financial services company should not only have policies and procedures for employees accessing content, but also a risk management strategy.
A centralised system for mitigating online risk, and for identifying and managing vulnerabilities in online data and information security, should form part of an organisation's automated IT safeguards, so that breaches such as the one at the University of York cannot happen.
While the full details of the event were not disclosed at the time of writing, the situation should have been preventable.
Nothing should have been posted on the web site unless it complied with the university's information security policies. And this, I believe, should not be left up to employees. Human error is one of the biggest culprits in content leaks.
An automated compliance process should be in place to ensure personal data cannot be posted online.
Users of an organisation's web sites, intranets, document libraries, email and social computing should have their content monitored automatically for potential compliance issues across each application, so that information stays safe, appropriate and within regulatory guidelines.
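As an added illustration of such an automated pre-publication check (example code written for this page, not HiSoftware's product or anything from the article), the Python below scans content for the categories of personal data named above (phone numbers, dates of birth, addresses via UK postcode, email addresses) and refuses publication when any are present. The patterns, the category names and the sample student record are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical rule set for a pre-publication check. UK-oriented patterns
# covering the kinds of personal data leaked in the York incident.
PATTERNS = {
    "phone": re.compile(r"(?<!\d)(?:\+44\s?|0)\d{4}\s?\d{6}(?!\d)"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


@dataclass
class Finding:
    category: str
    value: str
    line: int


def scan(text):
    """Return every personal-data hit with the 1-based line it sits on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(category, match.group(0), lineno))
    return findings


def can_publish(text, block_on=("phone", "date_of_birth", "postcode", "email")):
    """Policy gate: refuse publication if any blocked category is present."""
    blocked = [f for f in scan(text) if f.category in block_on]
    return len(blocked) == 0, blocked


# Constructed sample of the kind of record that should never reach a public site.
SAMPLE = """Student record export
Name: A. Student, DOB 03/05/2004
Address: 12 Example Road, YO99 1AA
Phone: 07700 900123, next of kin 07700 900456
Email: a.student@example.ac.uk
A-level results: A*, A, B
"""

if __name__ == "__main__":
    ok, blocked = can_publish(SAMPLE)
    print("publish allowed:", ok)
    for f in blocked:
        print(f"line {f.line}: {f.category} -> {f.value}")
```

Pattern matching of this kind catches structured identifiers only; free-text items such as the A-level grades in the sample need classification rules or document labelling on top of it.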
This is especially important as more regulations on personal data use come into force across the UK's education, financial services, retail, pharmaceutical and healthcare sectors. Resellers should take note.
George Knox is managing director for the international division of HiSoftware