October 01, 2007, 03:39 PM ET

Western Oregon U. Says Student Reporter Violated Computer-Use Policy

Western Oregon University responded today to news reports of disciplinary actions against a student who discovered that the institution had not secured private data about some applicants. The actions, taken last week, have attracted attention as a dispute over freedom of the press because the student was affiliated with a student-run newspaper and helped that newspaper expose the security lapse.

But today Mark Weiss, Western Oregon’s vice president for finance and administration, told The Chronicle that “this was not about press freedom — it was about violating clear policies designed to safeguard confidential information.”

The student, a senior named Blair W. Loving, told campus officials in June that he had accidentally stumbled on a computer file with 100 names of applicants to the university’s College of Education, along with their Social Security numbers. He copied the file, which became the basis for an article published in the student paper, the Western Oregon Journal.

Mr. Weiss noted, however, that “while I’m grateful we found there was a route for people to access this data,” Mr. Loving nonetheless violated the institution’s computer-use policies in a number of ways. First, he accessed the file while logged onto the network under another student’s ID, and then he made a copy of the file. Copying sensitive information raises the risk of identity theft. Mr. Weiss said that Mr. Loving could have published an article in the student newspaper without copying the file.

Susan Wickstrom, an administrator who was also the newspaper’s adviser — she was not a faculty member, contrary to some press reports — held a copy of the file for a period of time, also violating the computer-use policy, Mr. Weiss said. Ms. Wickstrom was dismissed from the institution this past summer.

A disciplinary committee, meeting last Friday, decided that Mr. Loving should publish a commentary in the newspaper on the importance of privacy policies and should propose ways to better get students to adhere to them.

What about the security lapse and the university’s responsibility for it? “Immediately after the discovery, our computer system was audited and this was the only unprotected file found,” Mr. Weiss said. “It was a file from 2003,” before Western Oregon began enforcing a policy that prohibited the use of Social Security numbers. It now requires university personnel to use student and staff ID numbers, which are completely different.

The university also sent letters to all 100 people listed in the file, informing them of the breach. The institution then sent out campuswide memos about the ban on using Social Security numbers. “I believe we are much more aware of our responsibilities now,” Mr. Weiss said. —Josh Fischman
