The Office of the Privacy Commissioner for Personal Data has discovered that sensitive personal information of students has inadvertently been exposed online, potentially affecting as many as 8,505 students from 11 local schools, including tertiary institutions.
Following up on a media report in April, the office launched compliance checks on 12 secondary schools alleged to have leaked student data on their websites. The results confirmed that nine of the 12 schools had exposed personal information on their websites, affecting 2,115 students. The information included identifiable data such as names, student reference numbers, telephone numbers, and e-mail addresses. Such data could potentially be used for fraud.
The Privacy Commissioner for Personal Data conducted a 20 man-hour data search on the Internet based on certain keywords, and found 39 documents containing personal data from 21 educational institutions, of which three were tertiary institutions.
It followed up by conducting compliance checks against the Hong Kong Institute of Education’s School of Continuing & Professional Education and the Lingnan Institute of Further Education, revealing a data breach at the latter involving 6,256 students’ records.
Privacy Commissioner for Personal Data Allan Chiang said
the data leakages are cause for alarm.
“Bearing in mind that we have only spent a limited amount of our time in the exercise and our search was only based on some unsophisticated means, the extent of the cyber security problem we have identified is disproportionate. It reflected a serious lack of vigilance and adequate security measures on the part of the educational institutions in safeguarding personal data,” he said.
The commissioner has written to inform the Education Bureau of the findings of the compliance action, and will invite the educational institutions to attend seminars on data protection and the proper use of information technology.
The institutions have removed the data from their websites, and asked an Internet search engine company to remove cache copies from its servers.
Click
here for the guidance note on the collection and use of personal data through the Internet.