Inadvertent disclosure of students’ personal data via email by a university – DPP 4 – security of personal data
Background
A faculty staff member intended to email the faculty’s non-local students about the university’s quarantine arrangements. However, when retrieving the email addresses of the non-local students from the faculty’s master list of students, the staff member mistakenly attached the master list to the email.
The master list contained names, dates of birth, nationalities, email addresses, correspondence addresses and contact numbers of about 2,500 students of the faculty. As a result, the personal data was unnecessarily disclosed to the recipients of the email concerned. The university reported the incident to the PCPD.
Remedial Measures
The university now requires all outbound emails containing personal data to be checked by another staff member before they are sent. In addition, work files containing personal data, for example, the master list, must be encrypted.
Lesson learnt
Universities possess a large volume of students’ personal data and should therefore take reasonably practicable measures to ensure that staff handling such data are properly trained. Staff should observe relevant personal data privacy policies and exercise due diligence in applying those policies. Universities should establish procedures to ensure staff’s compliance with those policies.
(Uploaded in June 2022)