A technical fault in a new software system made a large file database viewable to anyone with a university email address for about six weeks, during which it was accessed by 23 students.
An investigation focusing on about 200 potentially affected documents began after the university was alerted to the breach by student magazine Critic Te Arohi.
An email sent by the university to students on Monday said the university would contact those affected by the breach.
"Due to the types of files in the system, most Otago students will receive one or more of these privacy breach notification emails," the email said.
"That is because some of the files accessed included information on course enrolments or course approvals for 2023."
In addition to the Critic source and reporters, 23 Otago students inadvertently accessed information.
Students’ searches in OneDrive had returned the files, and most of the students involved had "no idea" they had seen something they should not have.
They had deleted any information they gained access to, and had not shared it, so the university considered any potential harm to be low.
PhD student Kerri Cleaver expressed her frustration with the situation.
She received an email informing her that her personal information was contained in the accessed documents.
This included identification details, contact information, and course details and advice.
"I don’t want my personal information regarding my progress out there, nor do I want my date of birth, email and cell number out there.
"I think the information the uni gave is pretty insufficient."
She wanted more details about how the breach had occurred.
Emails notifying students of the breach apologised for any distress or inconvenience.
"We assure you that we have investigated the matter thoroughly to ensure that your personal information is protected and are working with our [information technology services] team to ensure that this does not happen again."
While the investigation found 583 files were accessed during the breach, the majority were accessed by staff with valid reasons, or contained nothing confidential, the university said.
