Hong Kong elite school told to review data policy after alleged student privacy breach
- Education Bureau and privacy watchdog follow up with St Paul’s Co-educational College over social media post accusing it of monitoring pupils’ after-class activities
- School says it recently conducted sample checks to understand student usage of tablet computers and ensure devices were being used appropriately
Hong Kong’s education authorities have called on an elite school to review its data handling policies after it was accused of collecting information from students’ personal computers and allegedly installing devices to monitor their activities.
The Office of the Privacy Commissioner for Personal Data also said on Thursday evening it would look into a complaint posted online about St Paul’s Co-educational College’s collection and handling of students’ personal information.
The anonymous complaint surfaced on Instagram and alleged the Mid-Levels school had recently started demanding students turn over their personal computers to IT staff for inspection after discovering the devices were often used to play video games.
The complainant further alleged that, based on the first batch of pupils who had their computers scrutinised, the school staff had backed up the pupils’ data onto USB drives and installed suspected monitoring devices to check their activities after school hours.
In Hong Kong, personal data can only be collected for a lawful purpose directly related to a function or activity of the user. The data collected should be necessary and adequate but not excessive for such purposes.
According to the social media post, there were also suggestions the school checks included scrutinising private account information, personal files, photos and chat records on the devices, prompting concerns on campus.
The complainant accused the school of invading students’ privacy, saying it was unreasonable for the institution to regulate their computer use after class when they had paid about HK$7,000 (US$894) each for the devices.
The Education Bureau on Thursday evening said it had contacted the school to learn more and requested a review of its data handling policies.
Hong Kong privacy watchdog probes data breach at prominent sports club
In a statement to the Post, a school spokeswoman said it had recently conducted a “health check exercise” using sampling to understand student usage of tablet computers and ensure the devices were being used appropriately, as well as to prevent potential risks to campus network security computer as viruses and malware might be accidentally downloaded.
The computer inspection was conducted in accordance with the “Bring Your Own Device” acceptable use policy recommended by the Education Bureau and signed off by parents and students, the school said.
“During the process, only the browsing history during school hours, installation history and execution logs of students were collected using a USB,” it added. “The relevant raw data will be permanently destroyed after the completion of the exercise and necessary follow-up actions.”
The privacy watchdog said no complaints had been received, but it would contact the school to gather more information and ensure compliance with privacy laws.
The school said it attached great importance to protecting students’ privacy and was committed to ensuring an environment that was safe and conducive to learning.
“Students’ best interests have always been accorded top priority by us when formulating any measures and school policies,” the school added.
