Peter A Clarke

The Age reports on yet another depressing and altogether avoidable data breach.  The accessing of medical conditions, photographs, names and identifying data of year 7 – 12 students at Manor Lakes P -12 College in Wyndham Vale in Melbourne.

The Education Department has adopted a standard straight bat response of “human error” and not due to a vulnerability in the school and IT systems. The excuse is, it could be a lot worse (as in a systemic fault involving a costly fix).  What is not, and won’t be, disclosed as to how the breach occurred, what remedial action is taken and what punishment is administered.  Without consequences, there is little incentive to take real and decisive steps to minimise poor data practices. Unfortunately the regulators at both the state and Federal level take little action.  Whey they do the resolution is quietly resolved between the regulator and malefactor.  It is the antithesis of effective regulation.

The article provides:

Confidential files detailing high school students’ medical conditions, including anxiety issues and those at risk of suicide, have been found on a Melbourne schoolgirl’s iPad.

The document contains photos, names and medical and family details of years 7 to 12 students at Manor Lakes P-12 College in Wyndham Vale in Melbourne’s south-west.

It lists students’ mental health issues and also reveals which students have been expelled from previous schools and are in out-of-home care.

One file states: “behaviour can become erratic first thing in the morning … ensure he has taken his medication… document any odd behaviours”.

Another describes a student as “argumentative” and says he will not follow instructions.

One child’s photo is accompanied with the words “anger, aggression and non-compliance”.

“Mixing with the ‘wrong’ group of kids. Is smoking and drinking outside of school,” another entry reads.

The 14-year-old girl discovered the document on her iPad last month and said she had no idea how it got there.

Her father said he was shocked by the privacy breach and that personal information about his daughter’s friend was included in the document.

“It’s appalling,” he said.

After reporting the issue to the school, the girl’s father said she was vigorously questioned about how she accessed the document. He said she was interrogated about the incident and also accused of hacking into the school’s IT system.

Earlier this month, the school contacted parents whose children were impacted by the breach.

An Education Department spokesman said the incident occurred due to human error and was not due to any vulnerability in the school or department’s IT systems.

“We unreservedly apologise for the way this issue was initially handled by the school and acknowledge that the student involved was in no way to blame for the incident,” he said.

He said the private student information had been inadvertently shared with one student.

He said in May, the student borrowed a teacher’s laptop because she did not have her own device. The teacher sat next to the student while she completed an assignment on the borrowed computer, the spokesman said.

The student accessed her own Google documents on the machine.

The spokesman said that when the teacher later used her laptop the document they opened synced with the student’s account. This meant it turned up on the student’s own Google drive.

The spokesman said there was no evidence that private and personal school documents had been obtained by anyone other than the individual student.

But the girl’s father said that his daughter never used the teacher’s laptop.

“She doesn’t recall using a teacher’s device at all this year,” he said.

He said his daughter had been punished for doing the right thing.

“The school and the Department of Education should be thankful that our 14-year-old daughter is mature and respectful enough to go to the school about this. Many other children of this age may have posted the document on social media,” he said.

“Imagine how the students named in this document would feel if this information was made public, considering the severity of the health/behavioural concerns outlined in the document. Not only would these students feel embarrassed, but also may be bullied about it.”

The Department spokesman said there was no evidence that private and personal school documents had been obtained by anyone other than the individual student.

It’s not the first time a Melbourne school has inadvertently released confidential student details.

A similar incident occurred at Strathmore Secondary College earlier this year, with sensitive details about hundreds of student’s medical conditions accidentally uploaded onto the school intranet. One child was described as having an “extremely low IQ”.

And last year, the personal details of families were illegally accessed at Camberwell High School and Blackburn High.