NUS college breached data protection law

The National University of Singapore (NUS) has been given 120 days to ensure all its students in leadership roles are trained in personal data protection.

The deadline for mandatory training comes after NUS was found this week to have breached Section 24 of the Personal Data Protection Act (PDPA).

In its grounds of decision released on Wednesday, Personal Data Protection Commission (PDPC) deputy commissioner Yeong Zee Kin found that NUS had breached that section - which states that an organisation must make reasonable security arrangements to prevent unauthorised access, collection, use and disclosure of personal data in its possession.

This is the commission's first enforcement case involving a local university since the Act came into force in July 2014.

The PDPC found that a URL link for a Google Sheets spreadsheet, started by students from the College of Alice and Peter Tan (CAPT), had disclosed personal data of some 143 students without authorisation. CAPT is a residential college at NUS.

The spreadsheet was created for the college's freshmen orientation camp last year. It contained the full names, mobile numbers, matriculation numbers, shirt sizes, dietary preferences, dates of birth, dormitory room numbers and e-mail addresses of the student volunteers tasked to help run the camp.

Although it was first shared among selected students, it was later circulated beyond the original group in May last year.

It was later found that an unknown party had changed the settings to "share using a link". As a result, any user with the URL link would have had access to the spreadsheet and the personal data in it, possibly exposing such information to those beyond the university, wrote Mr Yeong.

PDPC launched an investigation after a complaint was made by an NUS student. The university said that it was notified of the complaint in June last year.

The NUS spokesman said that all student leaders involved in freshman orientation activities this year will be required to undergo online basic training developed by the commission. And going forward, all students will be required to take an e-training module which is still under development.

"The university will make every effort to ensure that this does not happen again," he said.

A PDPC spokesman told ST that the mandatory training requirement currently only applies to NUS, due to the breach. However, he said that other universities may also consider the guidance set out in the decision as good practices for them to adopt.

A version of this article appeared in the print edition of The Straits Times on April 29, 2017, with the headline 'NUS college breached data protection law'.