Barnet Council loss of personal data about former Students

Barnet Council reports a data loss affecting about 9,000 Students who were in year 11 across 3 Academic Years from 2006 - 2009 which was stolen in a domestic burglary earlier in March.

The computer equipment was encrypted in line with council policies, so cannot be used to access confidential information. But this was not the case with a number of  CDs & memory sticks. This was a clear breach of  policies and the member of staff concerned has been suspended.

Barnet Council has confirmed that the data stored on the CD ROMs and memory sticks included Surname, Forename, Gender, Date of Birth, Address, Postcode, Phone number, UPN (a unique identification number), Ethnicity, free school meals eligibility, in-care indicator, Language, gifted and talented indicator, mode of travel to school, entry date to school, special educational needs indicator, school, attainment data for English, Maths and Science at end of years 6 and 9, attendance rate.

Barnet have carried out a full risk assessment on the information on the stolen CDs, made software changes to prevent staff saving any data onto unsecured memory devices (including CDs), confirmed that every council computer used by staff outside of the office is securely encrypted and ordered a full independent enquiry into how this incident came to take place and how the council protects confidential information.

The data is described as being held for statistical purposes comparing trends amongst all students with the school performance of the children with which they were working.

However, I have to ask if it was for purely statistical purposes, why was the data not scrubbed of any identifying information? They could have relied upon their UPN for tracking purposes, and removed Name, Address, Phone Number, perhaps leaving in Date of Birth (would Month & Year have sufficed?) and Postcode?

Moreover, if this data is being collected on behalf of the Department of Children, Schools and Families, have they issued any guidelines, or is it possible that thousands of other schools are doing exactly the same thing, and there is a time bomb ticking away?