A follow-up to a breach reported back in April, in which Godalming College e-mailed sensitive medical details on 300 students to an entire year group: the college has now signed an undertaking with the ICO to improve its data protection practices. The undertaking provides a bit more detail on how the breach occurred:
The Information Commissioner (the ‘Commissioner’) was provided with a report in early April that an email with an attachment containing sensitive personal data had been sent inadvertently to lower-sixth form students. The email should have been sent to their tutors and the sender had not intended to send the attachment, but merely a link to it.
Enquiries revealed that the data controller had made efforts to recall or delete the email, but some students had already saved or forwarded the attachment, and some media publicity resulted. The Commissioner formed the view that the data controller lacked adequate data protection policies and considered that further staff training was also warranted.