
Media Statement - Compliance Check Report: School Website Flaw Exposed Student Privacy

Date: 15 January 2013

1. Compliance actions carried out by the Office of the Privacy Commissioner for Personal Data (“PCPD”) have unearthed the inadvertent online exposure of sensitive personal information of students that could be used for fraudulent ends. The personal information of as many as 8,505 students at 11 local educational institutions, including tertiary institutions, was exposed.

2. Following a media report in April 2012, the PCPD commenced compliance checks on 12 schools alleged to have leaked student data on their websites. The results confirmed that 9 of the 12 schools had inadvertently exposed personal information on their websites, affecting 2,115 students (see Table 1).

3. The personal information revealed includes identifiable data such as name, Student Reference Number (STRN), telephone numbers of the student and parents, and email address. Notably, the STRN is a unique code assigned by the Education Bureau to each individual student. For the majority of Hong Kong-born students, the STRN is the same as their HK identity card or birth certificate number. In these cases the STRN is not a random number but is definitively referable to the student’s identity. In several cases, confidential information such as the user name and password for logging in to the school IT systems for online facilities was also exposed.

4. The 9 schools concerned explained that the data breaches were due to misplacement of the files or prolonged retention of the information. The remaining 3 schools reported that the data concerned was fictitious and had been compiled for teaching purposes.

5. To ascertain whether the problem of data leakage on the Internet is prevalent among local educational institutions, the PCPD conducted a 20 man-hour keyword-based search of the Internet. It found 39 documents containing personal data from 21 educational institutions, of which 3 are tertiary institutions. The PCPD followed up by conducting compliance checks against 2 of these tertiary institutions, namely Hong Kong Institute of Education’s School of Continuing and Professional Education and Lingnan Institute of Further Education. The results (see Table 1) reveal that the data breach at Lingnan Institute of Further Education involved some 6,256 students’ records.

6. According to Data Protection Principle 4 of the Personal Data (Privacy) Ordinance, data users must take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use.

7. Mr. Allan Chiang, the Privacy Commissioner for Personal Data, remarked at today’s press briefing, “The student/parent data leakage revealed in the compliance actions is cause for alarm. Bearing in mind that we have only spent a limited amount of our time in the exercise and our search was only based on some unsophisticated means, the extent of the cyber security problem we have identified is disproportionate. It reflected a serious lack of vigilance and adequate security measures on the part of the educational institutions in safeguarding personal data.”

8. “I am particularly disappointed at the tertiary institutions caught in this exercise as the public hold high expectations of tertiary institutions to serve as role models in safeguarding online data privacy by reason of their relative advantage in IT know-how and resources compared to secondary schools.”

9. Mr. Allan Chiang further commented, “I am worried that our findings merely represent the tip of the iceberg because during the same 20 man-hour data search on the Internet we have also identified a similar data breach problem in the commercial domain, albeit to a lesser extent.”

10. “While organizations reap the benefits of information technology, they must not lose sight of its attendant risks to privacy and data protection. I urge all information officers and website managers to be vigilant about the risk of data leakage on the Internet. Top management should be committed to ensuring that the organizations have policies and procedures in place to protect the personal data they collect and manage on the Internet. Ultimately they are accountable for the risk of data access by untrustworthy parties, which may cause distress and harm to the data subjects, such as exposing them to identity fraud and possible financial loss.”

11. The PCPD has written to inform the Education Bureau of the findings in the compliance action, with a request for appropriate follow-up in respect of all educational institutions under its general administrative purview.

12. Separately, the PCPD will invite the subject educational institutions to attend PCPD’s seminars on data protection and the proper use of information technology. Meanwhile, their attention has been drawn to PCPD’s “Guidance for Data User on the Collection and Use of Personal Data through the Internet” (www.pcpd.org.hk/english/resources_centre/publications/files/guidance_internet_e.pdf).

13. As a result of the PCPD’s compliance action, the institutions identified had already mitigated the breaches by removing the data from their websites and requesting the relevant web search engine company to remove cached copies from its servers.

14. The PCPD confirms no complaints from the affected students or parents have been received. Accordingly, no investigation or further enforcement action against the institutions is intended at this stage.

Table 1: Summary of compliance check results

Schools (2,115 data subjects)

| School                                            | No. of data subjects | Student name | Class | Student no. | Email address | Phone no. * | STRN | Password/user name |
|---------------------------------------------------|----------------------|--------------|-------|-------------|---------------|-------------|------|--------------------|
| 1. St. Joseph’s College                           | 68                   | Y            | Y     |             |               | Y           |      |                    |
| 2. La Salle College                               | 253                  | Y            | Y     |             | Y             |             |      |                    |
| 3. St. Antonius Girls’ College                    | 146                  | Y            | Y     |             | Y             | Y           | Y    |                    |
| 4. HKFEW Wong Cho Bau School                      | 200                  | Y            | Y     |             |               | Y           |      |                    |
| 5. Kwun Tong Kung Lok Government Secondary School | 118                  | Y            | Y     |             | Y             |             |      |                    |
| 6. Wah Ying College                               | 22                   | Y            |       |             | Y             | Y           |      |                    |
| 7. St. Catherine’s School for Girls, Kwun Tong    | 102                  | Y            | Y     |             | Y             | Y           |      |                    |
| 8. St. Francis’ Canossian School                  | 640                  | Y            |       |             |               |             | Y    | Y                  |
| 9. TWGHs Wong Fung Ling College                   | 566                  | Y            | Y     |             |               |             |      | Y                  |

Tertiary Institutions (6,390 data subjects)

| Institution                                                          | No. of data subjects | Student name | Class | Student no. | Email address | Phone no. | HKID        | Password/user name |
|----------------------------------------------------------------------|----------------------|--------------|-------|-------------|---------------|-----------|-------------|--------------------|
| 1. HK Institute of Education (School of Continuing & Professional Education) | 134           | Y            |       | Y           |               |           | Y (partial) |                    |
| 2. Lingnan Institute of Further Education                            | 6,256                | Y            |       | Y           |               |           | Y (partial) |                    |

- End -