A Sydney University-issued laptop lost earlier this year by a software developer contained unencrypted personal details of 6700 students who had accessed disability services, an internal review has found.
In early March the university admitted a notebook containing a copy of its Disability Assist software had gone missing; a software developer who was making changes to the program realised he had misplaced the computer on his way home.
The university was unable to electronically locate the laptop or remotely wipe it.
The database holds names, dates of birth, disability conditions and contact details for past and present students who had accessed disability services.
NSW Police and the Privacy Commissioner were alerted at the time and Sydney Uni commenced an internal investigation. It received a "number" of privacy complaints from affected students in the aftermath.
The university released the results of the internal review, leaked to iTnews and student paper Honi Soit, on Monday. The document reveals the sensitive student details were stored unencrypted on the laptop.
But Sydney Uni group secretary Alex Maitland argued the university had not breached a health privacy principle (HPP 5) related to the secure storage of personal health data, laying the blame squarely at the feet of the developer.
He said the university had policies in place regarding the security of personal and health information on portable devices, which employees were obliged to adhere to.
"I am of the view, that, if followed, the university's policies provide adequate and reasonable security safeguards," Maitland wrote.
"On this occasion the software developer did not properly follow the policies which were in place."
However, he did find that the data contained on the laptop should have been de-identified before being used for test and development, and that its use for that purpose was in breach of health privacy principle 10 (HPP 10), which relates to the use of such data.
"... individuals would have reasonably expected the organisation to have de-identified their information before using it for software development," Maitland wrote.
He said there was no evidence of unauthorised access or disclosure of the details.
As a result of the breach, Maitland said Sydney Uni had posted detailed guidance about the handling of sensitive data on portable devices on its staff intranet.
The software developer had been counselled about adherence to the university's policies and procedures, he said.
Sydney Uni has also updated procedures regarding the use of personally identified data for development and test, and encryption is now standardised on all laptops within the IT department, the report stated.
The university is awaiting the recommendations of an external review into the breach.