The personal data of more than 1,900 pupils from Henry Park Primary School was leaked two weeks ago, in the second such case reported here since patrons of karaoke chain K Box had their details exposed last September.
A Microsoft Excel spreadsheet containing the children's particulars was mistakenly sent out to some 1,200 parents on March 12 as part of an update about a school event.
The file contains the names and birth certificate numbers of all 1,900 pupils in the school, along with the names, phone numbers and e-mail addresses of their parents.
A day after the leak, principal Chia Soo Keng sent an e-mail apology to all parents, asking them to delete the Excel file and not to use the data.
He told The Straits Times: "This should not have happened."
This was the school's first data breach and it is reviewing all personal data-handling procedures to prevent a recurrence, he said.
"For a start, all confidential information files are now password-protected," said Mr Chia.
When contacted, a Ministry of Education (MOE) spokesman said: "All schools have been reminded to use encryption as an additional means to protect personal data stored in files."
Apologising for the incident, she added that the staff member who made the mistake has been counselled and the school has been asked to tighten its controls.
Still, several parents contacted by The Straits Times said they were concerned about the breach.
"How do you ensure that the data is not used?" asked a 39-year-old IT consultant who wants to be known only as Ms Wong.
Another parent asked why sensitive files were not encrypted. "The school should have tighter processes," said the 30-year-old sales manager, who wants to be known only as Mr Soh.
This incident follows the K Box case last year, when the names, addresses and mobile phone and identity card numbers of its 300,000 members were posted online in the biggest breach of personal data here. The Personal Data Protection Commission has not released the investigation findings.
Three parents told The Straits Times they hoped the commission could step in.
However, the privacy watchdog said MOE schools such as Henry Park are exempt from the Personal Data Protection Act, fully enforced since July 2 last year. The Act requires organisations to take "reasonable measures" to protect personal data in their possession.
Instead, MOE schools are governed by public sector rules.
These rules have not been made public, though the MOE spokesman said its internal rules require sensitive information such as personal data to be encrypted and not be disclosed to unauthorised parties.
Lawyer Bryan Tan, a technology partner at Pinsent Masons MPillay, noted that in situations not covered by the Personal Data Protection Act, the public has no recourse and "only moral suasion".
But lawyer Gilbert Leong, a partner at Rodyk & Davidson, said if parents suspect their data has, for example, been sold to a tuition agency, they can complain to MOE and the commission, which can investigate complaints and charge wrongdoers in court.
Privacy advocate Ngiam Shih Tung, 47, an engineer, said it is timely to re-look at the exemption of government agencies from the Personal Data Protection rules.
"There are many areas where the Government may have fallen short of the standards imposed on the private sector," he said. "Is there a requirement for public agencies to state the purpose of data collection?"