1,900 pupils' personal data leaked by accident

Submitted by admin on Fri, 04/17/2015 - 15:20
The Straits Times
Published on Mar 24, 2015
Primary school sends file to 1,200 parents; procedures being tightened
By Irene Tham, Technology Correspondent
THE personal data of more than 1,900 pupils from Henry Park Primary School was leaked two weeks
ago, in the second major case reported here since patrons of karaoke chain K Box had their details
exposed last September.
An Excel spreadsheet containing the children's particulars was mistakenly sent out to about 1,200
parents on March 12 as part of an update about a school event.
The file contained the names and birth certificate numbers of all 1,900 pupils in the school, and the
names, phone numbers and email addresses of their parents.
A day after the leak, the school's principal, Mr Chia Soo Keng, sent an email apology to all parents,
asking them to delete the Excel file and not to use the data.
He told The Straits Times: "This should not have happened."
This was the school's first data breach and it is reviewing all personal data handling procedures to
prevent a recurrence, he said.
"For a start, all confidential information files are now password-protected," said Mr Chia.
A Ministry of Education (MOE) spokesman said: "All schools have been reminded to use encryption as
an additional means to protect personal data stored in files."
Apologising for the incident, she said the employee who made the mistake has been counselled and
the school has been asked to tighten its controls.
Still, several parents contacted by The Straits Times said they were concerned.
"How do you ensure that the data is not used?" said a 39-year-old IT consultant, giving her name
only as Ms Wong.
Another parent asked why sensitive files were not encrypted. "The school should have tighter
processes," said the 30-year-old sales manager, who wanted to be known only as Mr Soh.
Last year, the names, addresses and mobile-phone and identity-card numbers of K Box's 300,000
members were posted online in the biggest breach of personal data here. The Personal Data
Protection Commission has not released investigation findings.
Three parents told The Straits Times they hoped the commission could step in.
However, the privacy watchdog said MOE schools such as Henry Park are exempted from the Personal
Data Protection Act, fully enforced from July 2 last year.
The Act requires organisations to take "reasonable measures" to protect personal data in their possession.
Instead, MOE schools are governed by public sector rules.
These have not been made public, though the MOE spokesman said its internal rules require sensitive
information such as personal data to be encrypted and not be disclosed to unauthorised parties.
Lawyer Bryan Tan, a technology partner at Pinsent Masons MPillay, said in situations not covered by
the Act, the public has no recourse and "only moral suasion".
But lawyer Gilbert Leong, a partner at Rodyk & Davidson, said if parents suspect their data has, for
example, been sold to a tuition agency, they can complain to MOE and the commission, which can
investigate and charge wrongdoers in court.
Privacy advocate Ngiam Shih Tung, 47, said it is timely to review the exemption of government
agencies from the Act.
"There are many areas where the Government may have fallen short of the standards imposed on the
private sector," said the engineer. "Is there a requirement for public agencies to state the purpose of
data collection?"
Copyright © 2015 Singapore Press Holdings