While the computer was password protected, it was "possible that the database could be inappropriately and unlawfully accessed". The NSW Police had been alerted and an internal investigation was underway.

The extraordinary slip-up came to light a day after a multi-party parliamentary committee urged the state government to "lead the way" in Australia and pass new laws allowing people to sue for damages for serious invasions of privacy. This would include inadvertent privacy breaches committed by governments and corporations.

A furious student told Fairfax Media: "It's bad enough I have a condition that requires me to use the university's disability services, but it's worse that the uni could be so careless as to risk that information getting into the wrong hands."

The university's director of student support services, Jordi Austin, said in the email to students the university was "deeply sorry" and was "treating this event with the utmost seriousness". The university had "immediately [adopted] a range of additional procedures to further secure student data ahead of a wider review". An internal investigation would "result in further changes to procedures to prevent such an incident from happening again". All affected students would be contacted once the investigation was complete. A report was being prepared for the Privacy Commissioner and students had been informed of their right to make a complaint to the university's privacy officer.

Upper house Greens MP David Shoebridge, a member of the parliamentary committee which recommended a raft of new privacy laws, said it "beggars belief that the university would include such sensitive data on a laptop" and the incident "confirms why we need fresh privacy laws".

"It is hard to imagine much more personal data than details of a student's disability," Mr Shoebridge said. "This is the very kind of negligent action that should be the subject of a new action founded on privacy."

Under the committee's proposal, people could sue for damages for invasion of privacy if they had a "reasonable expectation of privacy" in the circumstances and the invasion was "serious". There is a public interest-style test designed to limit incursions on freedom of speech. In most cases, the invasion of privacy would need to be intentional or reckless. But in the case of government agencies or companies that might release confidential data inadvertently, negligence would be sufficient. The latter proposal has attracted some criticism from legal experts.

The University of Sydney declined to comment on how many students may have been affected by the incident.

But in a statement to Fairfax Media, the university said it had "reviewed and tightened our protocols relating to our control of laptops and implemented other data control precautions and policies. We need to avoid giving specific details of security arrangements which might aid future attacks".