Data breach via old school guides
Recently, there appeared to be a large-scale data breach via websites that download and republish organisations' documents. Such websites collect, copy and publish unsolicited hundreds of thousands of documents (often PDFs) containing very large amounts of personal data, often dating from before 2018 (when the AVG came into force). Removal requests often go unanswered. Schools, among others, appear to be victims of this.
Privacy at School
Privacy Award winner Privacy at School came across this through the report of an ex-pupil who had seen his details listed in an old school guide on the website adoc.pub. Privacy at School then started investigating this. It turned out that there were thousands of old school guides with all kinds of personal data online. Privacy at School contacted the Algemeen Dagblad (AD) about this, which published a article on this issue published.
Evelijn Jeunink of Privacy at School tells Privacy First:
"Privacy at School" has alerted numerous schools to this data breach and asked them to let us know if any of their school's guides can be found. So far, after checking, more than 60 school boards have indicated that this is indeed the case. Not only school guides by the way, but also school and policy plans, newsletters and a lot of visual material turns out to be online. Depending on the extent and nature of the data found, the school notified the Personal Data Authority (AP). Removal requests have also been submitted to the relevant site in almost all cases. However, when these requests were made, it was found that adoc.pub gives no sign of life. The mail to the contact address is bounced and other options to submit a request do not give any result. So as a duped individual or organisation, you run into the fact that you have nowhere to turn: the site itself has fake contact details and the hosting party shields the site owner. So where can you turn?
Privacy at School collects the information from all schools that have reported to it. In a response in the AD, the AP expressed its deep concern about the 'scraping' practices of sites such as adoc.pub. By collecting the information from schools, Privacy at School aims to show the AP, advocates within the education sector and privacy organisations such as Privacy First the extent of the problem. And also that in the case of adoc.pub, there is no remedy that school or the data subject can apply themselves. Of course, we do this without naming specific schools or information found."
Privacy First advises duped schools to report to Privacy at School. This can be done via the following link: https://forms.office.com/e/HuEiyyMkyP