Law student ‘unfairly disciplined’ after reporting data breach blunder


A former student at the Inns of Court College of Advocacy (ICCA) says he was hauled over the coals by the college for having acted responsibly and “with integrity” in reporting a security blunder that left sensitive information about students exposed.

Bartek Wytrzyszczewski faced misconduct proceedings after alerting the college to a data breach exposing sensitive information on hundreds of past and present ICCA students.

Wytrzyszczewski, 32, said the experience caused him to unenroll from the ICCA’s course and restart his training at another provider.

The ICCA, which offers training to future barristers, informed data protection regulator the Information Commissioner’s Office (ICO) of a breach “experienced” in August 2023 after Wytrzyszczewski alerted the college that sensitive files on nearly 800 students were accessible to other college users via the ICCA’s web portal.

The breach saw personal data such as email addresses, phone numbers and academic information – including exam marks and previous institutions attended – accessible to students at the college. Students using the ICCA’s web portal were also able to access ID photos, as well as student ID numbers and sensitive data, such as health records, visa status and information as to whether they were pregnant or had children.

The college sought to play down the significance of the data breach at the time, describing it as a “technical issue” in a statement provided to Computer Weekly. The ICCA’s director of operations, Andy Russell, said: “Due to a technical issue, certain registered students submitting search requests in their [email protected] email accounts were returned results that included some files from the ICCA’s staff-only SharePoint site.”

Disciplinary proceedings

After the college secured a written undertaking from Wytrzyszczewski not to disclose any of the information he had discovered, it launched misconduct proceedings against him. He had stumbled across the files in error, he said, and viewed a significant number to ensure he could report their contents with accuracy.

The barrister-in-training said he was afforded no representation at the subsequent panel hearing in November 2023. Wytrzyszczewski told Computer Weekly that facing disciplinary proceedings over the incident was distressing. He said he felt the college simply wanted to “silence” and “punish him” for having pointed out its mishandling of the breach.

“I don’t think I committed any misconduct whatsoever,” he said. “I displayed integrity by alerting them to this problem. And I did it promptly. I feel they reacted in the way they did because they wanted to silence me and wanted to punish me. I think the way they acted completely lacks integrity. I don’t think it’s ethical.”

“I don’t think I committed any misconduct whatsoever. I displayed integrity by alerting [the college] to this problem. And I did it promptly. I feel they wanted to silence me and punish me. I think the way they acted completely lacks integrity. I don’t think it’s ethical”

Bartek Wytrzyszczewski, law student

Wytrzyszczewski added that it shook his belief and motivation in becoming a legal professional, saying that going public has impacted recent applications for pupillage – a crucial part of an advocate’s training for the bar.

He is now studying at the University of Leeds’ bar course, which he began in January 2024.

“I really did lose motivation to get into the legal world because I realised how much they could get away with and how destructive that behaviour could be to individuals,” he said.

“If these proceedings were upheld, all my career could have been in tatters. It would have been really difficult for me to do anything about it because, however irrational the outcome of the misconduct panel could be, you can’t really overturn it. It’s there as a misconduct finding against you and it stays with you for life,” he added.

“In the legal profession, your reputation is really important. Every time you file a pupillage application, you have to disclose it and no one would really inquire into it. So that was completely soul-destroying.”

The ICCA told Private Eye it “followed its internal misconduct procedures where necessary”, after the panel cleared Wytrzyszczewski and found it had no jurisdiction to hear the matter.

Computer Weekly asked the college which of the grounds in its student conduct policy Wytrzyszczewski was considered to have potentially breached when it launched proceedings against him. At the time of publication, the ICCA had not responded.

Forgoing natural justice?

Data lawyer Dai Davis told Computer Weekly that the ICCA had forgone natural justice principles in the way it brought misconduct proceedings against Wytrzyszczewski.

“Natural justice [a recognised concept in English Law] would require that the defendant in any disciplinary proceedings be informed of the nature of the rule which he is accused of breaking,” he said. 

“Clearly, since … the college was unable to determine a rule which Mr Wytrzyszczewski was supposed to have broken, the tribunal had no option other than to discharge him.”

The ICCA said the ICO has opted not to take any further action, after the college “self-reported” details of the August 2023 data breach incident that Wytrzyszczewski had flagged with it.

Andy Russell, the college’s director of operations, told Computer Weekly: “While the ICO found that the ICCA did not respond to a connected subject access request within the statutory timescales, it has confirmed that it does not intend to take any further action regarding this matter.”

Lawyer Davis added that the ICCA was obliged to have referred itself to an EU regulator since the UK’s General Data Protection Regulation (GDPR) is European legislation.

“The fact that the college reported itself to the ICO is irrelevant, as it was obliged to do so,” he said. “Interestingly, it also should have reported itself to at least one EU regulator, but I wonder whether it has done so.”

Computer Weekly asked the ICCA whether it had self-reported to any EU regulators. At the time of publication, there had been no response from the college.

Outstanding complaints

Wytrzyszczewski has challenged the college on statements it has issued about the August 2023 data breach and is pursuing further complaints with the ICO.

Last year, the ICCA gave assurances it had contained the August 2023 breach.

However, Wytrzyszczewski said the college could not maintain this since there was a 90-day limit on the data audit logs it held and the leaked data had been available to view on its web portal since 2022.

This, he said, meant the college could search for file access attempts made “only for the period between 18 May 2023 and 16 August 2023”. These logs showed that at least seven people had accessed the files.

The ICO is investigating several other complaints made by Wytrzyszczewski relating to the ICCA. These are understood to include sharing his personal health data with book publisher Thompson Reuters; sharing details of around 350 applicants for an ICCA course with Wytrzyszczewski; asking Wytrzyszczewski, then a former student, to identify all documents it may have sent him in the 72 hours after he reported the August 2023 data breach, rather than identifying them itself; sending Wytrzyszczewski an email with sensitive information intended for another student.

The ICO upheld a separate complaint made by Wytrzyszczewski concerning a late response to a data subject access request he had submitted.

Wytrzyszczewski told Computer Weekly he was disappointed by the ICO’s decision not to investigate the college further over the August 2023 data breach.

“I feel uneasy about the ICO’s finding concerning the first data breach on the ICCA’s part, because I am not sure whether it has taken the full context of the ICCA’s conduct into account,” he said.

“I am, however, pleased that the ICO upheld some of my other GDPR complaints post-dating the first data breach and I understand that they are still investigating some of the other GDPR breaches at this point. None of those breaches were self-reported by the ICCA.

“Hundreds of students entrusted their sensitive information to the ICCA and it is only right that the ICO holds them to account,” he said.

The ICO has been contacted for comment. 



Source link