Eleven schools and institutes leak sensitive student data

Schools slammed for publishing students' ID card and telephone numbers on websites

PUBLISHED : Wednesday, 16 January, 2013, 12:00am
UPDATED : Wednesday, 16 January, 2013, 3:45am

The privacy watchdog has criticised a "serious lack of vigilance" among schools that have put students' personal data on the internet.

This follows an investigation by the Office of the Privacy Commissioner for Personal Data, which found 11 education institutions had put 8,505 students' data on their websites. In the worst case, at an unnamed school, the information has been available since 2004, the office said.

"It reflected a serious lack of vigilance and adequate security measures on the part of the education institution in safeguarding personal data," commissioner Allan Chiang Yam-wang said.

The breach involved two primary, seven secondary and two tertiary institutions.

Data from the nine schools included names, e-mail addresses, student reference numbers and telephone numbers. Most of the information was in contact lists for school clubs and alumni.

Chiang said that for most Hong Kong-born students, the reference number given by the Education Bureau is the same as their Hong Kong identity card or birth certificate number.

"If the data was obtained by law-breakers, there is a chance they could pretend to be the [students] and swindle other people out of their money," Chiang said.

The two schools that posted the student reference numbers are the St Antonius Girls' College and the St Francis' Canossian School.

The nine schools removed the personal data soon after the office told them about it.

The Lingnan Institute of Further Education and the Hong Kong Institute of Education's School of Continuing and Professional Education put the data of 6,256 and 134 students, respectively, on their websites. The information included student names, student numbers assigned by the institutes and partial identity card numbers.

A spokesman for the Lingnan Institute said: "After examining the details [the institution] admits the information was not handled properly and has implemented remedial measures."

The offending information on the institute's website has now been removed.

Secretary for Education Eddie Ng Hak-kim said his bureau had issued guidelines to schools on how to protect students' privacy.

But after the Privacy Commissioner's report, he would now consider how the guidelines can be improved.