An employee of the Hong Kong Baptist University leaked personal data of 190 applicants via email on Monday, said the educational institute Wedneday.
According to Andy Lee Shiu-chuen, vice-president (Administration) and secretary of HKBU, a staffer responsible for student recruitment of the BA (Hons) in English Language and Literature and BEd (Hons) in English Language Teaching programs had erroneously attached a file containing the personal data of the applicants when sending out an email to 190 JUPAS (Joint University Programs Admissions System) applicants inviting them to an information session.
The invitation email and the attached file were sent to 95 applicants, said Lee. The personal data in the file include the 190 applicants' full names, JUPAS numbers, Hong Kong identification numbers, gender, email addresses, full addresses, telephone numbers, and internally calculated aggregate scores based on results of the Hong Kong Certification of Education Examination, Lee noted.
The employee, said Lee, already sent another email to the 95 recipients requesting them to delete the previous email as well as the attached file, he added.
The university has reported the incident to the Office of the Privacy Commissioner for Personal Data and has set up a team to investigate the case as well as to review and strengthen the procedure for processing personal data, Lee noted.
The five-member investigation team includes the vice-president (Administration) and secretary, the academic registrar and a staff member of the academic registry, the director of personnel and a staff member of the personnel office, he added.
“HKBU apologizes deeply for the incident. We have also called all the affected students to convey our sincere apology and once again request those students who have received the attached file to delete the previous email as well as the attached file," he noted.
The university places great importance on the processing of personal data and has long laid down procedures and guidelines for handling personal data, said Lee, adding that it has immediately instructed the unit concerned to follow the university guidelines in handling personal data. "For example, encryption is necessary in the transmission of files containing personal data and all information collected is to be deleted after use," Lee said.