Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2021DB02

Inadvertent disclosure of students’ personal data via email by a university – DPP 4 – security of personal data


A faculty staff member intended to email the faculty’s non-local students about the university’s quarantine arrangements. However, when retrieving the email addresses of the non-local students from the faculty’s master list of students, the staff member mistakenly attached the master list in the email.

The master list contained names, dates of birth, nationalities, email addresses, correspondence addresses and contact numbers of about 2,500 students of the faculty. As a result, the personal data was unnecessarily disclosed to the recipients of the email concerned. The university reported the incident to the PCPD.

Remedial Measures

The university now requires all outbound emails containing personal data be checked by another staff member before they are sent. Besides, work files containing personal data, for example, the master list, must be encrypted.

Lesson learnt

Universities possess a large volume of students’ personal data and should therefore take reasonably practicable measures to ensure that staff handling such data are properly trained. Staff should observe relevant personal data privacy policies and exercise due diligence in applying those policies. Universities should establish procedures to ensure staff’s compliance with those policies.

(Uploaded in June 2022)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :