The personal data of more than 1,900 pupils from Henry Park Primary School was leaked two weeks ago, in the second major case reported here since patrons of karaoke chain K Box had their details exposed last September.
An Excel spreadsheet containing the children's particulars was mistakenly sent out to about 1,200 parents on March 12 as part of an update about a school event.
The file contained the names and birth certificate numbers of all 1,900 pupils in the school, and the names, phone numbers and e-mail addresses of their parents.
A day after the leak, the school's principal, Mr Chia Soo Keng, sent an e-mail apology to all parents, asking them to delete the Excel file and not to use the data. He told The Straits Times: "This should not have happened."
This was the school's first data breach and it is reviewing all personal data handling procedures to prevent a recurrence, he said.
"For a start, all confidential information files are now password-protected," said Mr Chia.
A Ministry of Education (MOE) spokesman said: "All schools have been reminded to use encryption as an additional means to protect personal data stored in files."
Apologising for the incident, she said the employee who made the mistake has been counselled and the school has been asked to tighten its controls.
Still, several parents contacted by The Straits Times said they were concerned. "How do you ensure that the data is not used?" said a 39-year-old IT consultant, giving her name only as Ms Wong.
Another parent asked why sensitive files were not encrypted. "The school should have tighter processes," said the 30-year-old sales manager, who wanted to be known only as Mr Soh.
Last year, the names, addresses and mobile-phone and identity-card numbers of K Box's 300,000 members were posted online in the biggest breach of personal data here. The Personal Data Protection Commission has not released investigation findings.
Three parents told The Straits Times they hoped the commission could step in.
However, the privacy watchdog said MOE schools such as Henry Park are exempted from the Personal Data Protection Act, fully enforced from July 2 last year. The Act requires organisations to take "reasonable measures" to protect personal data in their possession.
Instead, MOE schools are governed by public-sector rules.
These have not been made public, though the MOE spokesman said its internal rules require sensitive information such as personal data to be encrypted and not be disclosed to unauthorised parties.
Lawyer Bryan Tan, a technology partner at Pinsent Masons MPillay, said in situations not covered by the Act, the public has no recourse and "only moral suasion".
But lawyer Gilbert Leong, a partner at Rodyk & Davidson, said if parents suspect their data has, for example, been sold to a tuition agency, they can complain to MOE and the commission, which can investigate and charge wrongdoers in court.
Privacy advocate Ngiam Shih Tung, 47, said it is timely to review the exemption of government agencies from the Act.
"There are many areas where the Government may have fallen short of the standards imposed on the private sector," said the engineer. "Is there a requirement for public agencies to state the purpose of data collection?"
This article was first published on Mar 24, 2015.