Case Studies Data Breach Notification
Digital File Storage Breach
A third-level institution reported a data breach to the DPC relating to the storage of student medical certificates for a particular course. A student had discovered medical certificates relating to other students when attempting to upload their own certificate to the institution's Virtual Learning Environment (VLE). The institution immediately informed the DPO and their IT department removed the files.
The DPC assessed the notification and, given the nature of the special category (health) data involved, requested further information from the organisation. The investigation by the organisation determined that human error had led to a misconfiguration on the VLE, which meant that medical certificates were displayed to a group of students, rather than solely to the course coordinator/lecturer.
The breach was originally deemed high risk by the organisation but, following a review of the breached data and the risks posed to the rights and freedoms of the affected individuals, it was deemed to be of lesser risk than originally assessed. The organisation decided to notify the impacted individuals about the breach out of an abundance of caution.
In order to prevent a recurrence of this situation, the institution issued an email to all staff to remind them not to use the VLE for the submission of personal data. The institution also added messages to the VLE platform to remind both staff and students of their data protection obligations when using the system.
The organisation engaged with the provider of the VLE to introduce measures to ensure that personal data is stored and processed securely, and that security settings are configured appropriately.