news.gov.hk  
 From Hong Kong's Information Services Department
October 26, 2006

Security


Personal data leak breaches privacy law

Office of the Privacy Commissioner for Personal Data

The Independent Police Complaints Council's leak of personal data online in March breached data protection requirements, Privacy Commissioner Roderick Woo says, adding the council has complied fully with his enforcement notice.

The Security Bureau said all necessary support will be offered to the council and its secretariat in taking forward the follow-up and remedial measures.

Mr Woo said that so far 55 complaints have been received since March, when the commission launched an internal probe. Investigation findings revealed the council contravened data protection requirements stipulated under the Personal Data (Privacy) Ordinance.

He said the council failed to take steps to prevent data from being released to the outsourced IT contractor without due consideration of the necessity of doing so. It had also failed to take precautionary measures to safeguard the data that had been released to the contractor, and had not taken practicable steps to ensure the integrity, prudence and competence of people having access to the data, resulting in the leakage of data online.

Preventive measures

Mr Woo issued an enforcement notice to the council on September 18, directing it to:

* devise the necessary policy and practical guidelines for the proper handling and protection of the complaint data when dealing with an outsourced contractor or agent;

* implement effective measures to ensure compliance by its staff with the policy and guidelines; and

* review the existing outsourcing contracts and endeavour to incorporate into those contracts terms on the measures contractors are required to take to protect the complaint data.

He said the council complied fully with the enforcement notice on October 16.

"Learning from this unfortunate incident, data users should be highly alert in handling sensitive or large quantities of personal data, in particular if they are in electronic form. If they are asked to release a database containing personal data to an outsourced contractor or agent, precautionary measures should be taken to prevent data leakage," Mr Woo said.

"The lesson to be learned here is not an apportioning of blame, but what can be done to prevent a similar recurrence."

A campaign to boost information security has been launched while in-depth training will be held and guidelines issued to both the private and public sectors.