More enhanced privacy security set

December 9, 2024

The Electrical & Mechanical Services Department said that it is committed to establishing a more robust privacy security framework in an effort to prevent the leakage of personal data.

 

It made the statement today as it responded to an investigation report that was released by the Office of the Privacy Commissioner for Personal Data (PCPD) on the leakage of personal data from an online server platform of the department’s contractor.

 

Apart from noting that the PCPD has completed its investigation of the leakage of personal data, the department pointed out that it collected such personal data in restriction-testing declaration operations to combat COVID-19 in 2022.

 

The department made it clear that it will study the report in detail for stringent and appropriate follow-up actions.

 

It stressed that it attaches great importance to information security and personal data privacy. Relevant policies and guidelines, including the retention period of personal data, have been formulated and circulated to staff regularly.

 

The department explained that the procurement terms between it and the contractor providing the online server platform stated that the relevant data would be deleted after termination of the service. Additionally, the department said that it had clearly informed the contractor of the expiry of the service by the end of February 2023.

 

Since noticing the leakage of the data on April 30, 2024, the department indicated that it has been acting in a proactive and responsible manner in reporting the case to law enforcement agencies, and has been co-operating with the PCPD on the investigation.

 

Noting that the PCPD had announced earlier that there were cases of leakage of personal data involving the same online server platform provided by the contractor during the same period, the department immediately conducted an in-depth enquiry with the contractor about the operational details of the server platform to ensure the complete removal of the relevant data.

 

Having consolidated the experience from this incident, the department made it clear that it is committed to establishing a more robust privacy security framework and a corporate culture for personal data protection to prevent the recurrence of similar incidents.

 

It added that it has since taken a series of measures, including reinforcing privacy management, holistically reviewing and enhancing guidelines on handling personal data, stepping up staff training, and monitoring contractors of online server platforms.

 

Moreover, it stated that it will also enhance computer system support, including developing a dedicated platform to store personal data in its own server.

 

Furthermore, for outsourced services involving the handling of personal data, the department said that it will remind the contractor to delete the relevant data by the end of the retention period, and will proactively check with the contractor to confirm that the deletion of such data has been completed.
