King’s College London fell afoul of the Data Protection Act, it seems. The Information Commissioner’s Office (ICO) learned that a spreadsheet containing personal data -including exam results – of 1831 students and applicants was sent in error to 22 students.
Of note, the spreadsheet had been worked on by and transferred between several employees prior to being sent out in error, but no formal checking process had been in place, so no one caught the mistake.
Further inquiries revealed that there was an absence of written supporting procedures for staff to follow around sending personal data to students, and also a lack of mandatory data protection training in place. Training was available “on demand,” but only 461 of approximately 6000 staff (7.7%) had taken this during the year prior to the incident. King’s College London stated that they intended to roll out a system of mandatory data protection training which all staff will be required to complete every two years, “however it was not anticipated that all staff will have received this training until October 2016.”
The ICO clearly did not find that 2016 date acceptable, as the resultant undertaking specifies that training for all staff must be completed this year.