The National University of Singapore (NUS) is making all its student leaders who are involved in freshmen orientation activities this year undergo “online basic training”, after the Personal Data Protection Commission (PDPC) found that it had breached data protection laws.
This happened when the particulars of 143 student volunteers helping out in a freshmen orientation camp last year were uploaded in a Google document online and made public.
As part of its grounds of decision released on Wednesday (April 27) after an investigation, the commission ordered NUS to design training to address personal data protection, in the context of collecting and processing information for student events. It must make this arrangement within 120 days and training is mandatory for student leaders.
Factors taken into account during the assessment of the breach included the significant number of students affected and the potential consequences of misusing matriculation numbers, such as culprits assuming a student’s identity, or even carrying out pranks or nuisances in a student’s name.
The PDPC received a complaint from an NUS student in June last year about the circulation of a Google spreadsheet that contained personal data of student volunteers, including their full names, mobile numbers and matriculation numbers.
Investigations revealed that the spreadsheet was created by student leaders organising a freshman orientation camp for the College of Alice and Peter Tan — one of several undergraduate residential colleges on campus — and was used when recruiting volunteers for the camp.
At first, the spreadsheet was shared only among the student leaders, with restricted access. In May last year, an unknown party changed the settings of the spreadsheet to be shared using a link “whether intentionally or otherwise”, meaning anyone with the link could then access it.
The PDPC found that NUS had failed to make “reasonable” security arrangements to protect the personal data in its possession, and had flouted the Personal Data Protection Act.
While the university had organised a one-off classroom training on personal data use and collection in 2014, it failed to continue doing this the following year, and opted for e-training instead. It was not compulsory for the student leaders to complete the e-training, and none of them went for the training before the start of the camp, even though they were handling the personal data of other students, the commission found.
The PDPC said that formalised data protection training would have helped to sensitise the student leaders to their obligations and familiarised them with the practices they should adopt: “The (camp) was an event that involved many students, and would potentially involve the handling of many students’ personal data. The organisation ought to have at least ensured that the student leaders organising and running the (camp) had the proper training to deal with and protect the personal data that they will handle.”
In response to media queries, NUS said that it was developing an e-training module in line with the commission’s directives, and once the module was ready, all students would have to take it.
“In the interim, all student leaders involved in freshman orientation activities this year will need to take an online basic training that was developed by PDPC”, an NUS spokesperson said. Extra training materials will be given to these student leaders, and face-to-face briefing sessions will be conducted for the chairpersons and data protection officers of freshmen orientation activities.
NUS said that it would “make every effort” to ensure that such breaches do not happen again.