The school’s principal, Leanne Preece, said yesterday a number of the personal documents were delivered to the incorrect household.

The Department of Education and Training is investigating the cause of the confusion.   

Australian Privacy Federation chair David Vaile called the misdelivery of student mail a “systemic personal information security failure” and believed there should have been checks and balances in place to make sure the error did not occur.  

“It's not just one little glitch, it's something buried in a system that a lot of people would've been using,” he said.

“You'd think it would go through quite a few hands on the way out: you have checks, you have backups, you have people involved in proof reading.

“If you do that, if you have a Murphy's law approach… you’ve got more chance of making sure something doesn’t go wrong.” 

Read more: Schools, parents tracking students by their mobiles

He said the accidental revealing of private information would vary in impact from person to person.  

“What you'll find is a mosaic and a spectrum between not really serious impacts and some people who could find it quite serious,” he said, explaining some students might feel humiliated if other people knew about their academic performance or attendance record,” Mr Vaile said. 

“This is data that's held on trust for the individual and it’s potentally very meaningful for them, so in that sense, if something goes wrong, you've projected the risk onto the individual and it will be quite variable what happens next.”

Some parents' trust in the education system to look after their children’s information could also be eroded, he said.

Once data was released it was impossible to be made private again, Mr Vaile explained, which meant there was need for preventative measures to protect information from getting into the wrong hands.

The Office of the Victorian Information Commissioner, which regulates how the public sector handles private information, was bound by the Privacy and Data Protection Act 2014 not to reveal if it was aware of the Weeroona incident.

But a spokesperson for the agency said the law gave people the right to complain if they believed personal information was mishandled.

“A person who believes their personal information has been mishandled by an organisation subject to the Privacy and Data Protection Act, such as a public school, should approach that organisation in the first instance to discuss their concerns,” the spokesperson said.

“If the organisation does not respond within 30 days, or if the response is unsatisfactory, a complaint may be made to OVIC.”

Ms Preece said yesterday parents have been asked to return misdirected mail to the school and a new copy of students’ reports would be available at the start of the 2018 school year.

An education department spokesman said the the privacy of students was taken very seriously and the mailing of reports to the wrong addresses was “very unfortunate”. 

“We’re working with the school to find out what happened and will also visit the school to conduct privacy training,” he said.