Monday, October 21, 2024

Law student faces unjust disciplinary action for reporting data breach mistake

A former student at the Inns of Court College of Advocacy (ICCA) was reprimanded by the college for responsibly reporting a security error that exposed sensitive information about students. Bartek Wytrzyszczewski faced misconduct proceedings after discovering a data breach affecting nearly 800 past and present ICCA students. As a result, he decided to leave the ICCA and continue his training elsewhere.

The college notified the Information Commissioner’s Office (ICO) of the breach, which had allowed students to access personal data such as email addresses, phone numbers, academic records and ID photos, as well as sensitive information like health records and visa status. Despite Wytrzyszczewski’s prompt reporting of the issue, the college downplayed it as a “technical issue”.

Before facing misconduct proceedings, Wytrzyszczewski was required to give a written undertaking not to disclose any information he found. He expressed frustration with the college’s handling of the situation, feeling that they were attempting to silence and punish him for his actions. This experience impacted his career aspirations and motivated him to start over at a different institution.

The ICCA clarified that they followed internal procedures when clearing Wytrzyszczewski of misconduct allegations. However, data lawyer Dai Davis criticized the college for not adhering to natural justice principles in the case. The ICO decided not to take further action on the breach but is investigating additional complaints raised by Wytrzyszczewski against the college.