143 NUS student volunteers' data breached; school directed to provide mandatory training

Students studying at the National University of Singapore's (NUS) Central Library. ST PHOTO: FELINE LIM

SINGAPORE - The National University of Singapore (NUS) has been given 120 days to implement mandatory personal data protection training for all student leaders, after a data breach affecting some 143 student volunteers at one of its residential colleges came to light.

The Personal Data Protection Commission (PDPC), in its grounds of decision issued on Wednesday (April 26), has directed that such training should include how to collect and handle students' personal information for student events, such as orientation camps.

It is believed to be the PDPC's first data protection enforcement case involving a local university, since the Personal Data Protection Act (PDPA) came into force in July 2014.

The commission found that a URL link for a Google Sheets spreadsheet, started by students from NUS College of Alice and Peter Tan, had disclosed personal data of students without authorisation.

The spreadsheet was created for the college's freshmen orientation camp in 2016, which was led by student leaders.

It contained the full names, mobile numbers, matriculation numbers, shirt sizes, dietary preferences, dates of birth, dormitory room numbers and email addresses of the student volunteers tasked to help run the camp.

Although the spreadsheet was first shared among selected students, via the "share with specific people" function on Google Sheets, it was later circulated beyond the original group some time in May 2016.

It was found that an unknown party had changed the setting on the spreadsheet to "share using a link".

As a result, any user with the URL link will have access to the spreadsheet and the personal data in it, possibly exposing such information to those beyond the university, wrote PDPC deputy commissioner Yeong Zee Kin.

The PDPC launched investigations after an NUS student made a complaint about the breach under Section 24 of the PDPA.

The section states that an organisation must make reasonable security arrangements to prevent unauthorised access, collection, use and disclosure of personal data in its possession.

Although NUS had general guidelines in place, it did not have any formalised training to equip students with "the mindset, knowledge, skills and tools to protect personal data," wrote Mr Yeong.

The university first conducted classroom training in 2014 for selected students, and in 2015 e-training on the PDPA was made available on a student portal.

However, this was not compulsory and none of the student leaders in the camp had gone through the e-training prior to the event.

In response to media queries, an NUS spokesman said that it will be developing an e-training module on personal data protection, which will be in line with the PDPC's directives.

"Once the module is developed, all NUS students, including student leaders, will take the module," the spokesman said.

Meanwhile, all student leaders involved in freshman orientation activities in 2017 will be required to undergo online basic training developed by the PDPC.

Additional training materials will be provided to all student leaders, while face-to-face briefing sessions will be conducted for all freshmen orientation chairmen and data protection officers.

"The university will make every effort to ensure that this does not happen again," the spokesman added.