Gov’t dep’t contravened data privacy laws in breach involving 17,000 people, privacy watchdog finds
Hong Kong Free Press
Hong Kong’s privacy watchdog has found that the city’s Electrical and Mechanical Services Department contravened data privacy laws over a data leak involving 17,000 people this May.
Privacy Commissioner Ada Chung said at a Monday press conference that the department has been served an enforcement notice requiring it to take corrective measures and submit a report to the watchdog.
The personal data involved included names, addresses, Hong Kong Identity Card numbers, telephone numbers, ages, genders, whether the persons were vaccinated, whether they had tested positive in PCR tests and the respective dates, according to a statement issued by the Privacy Commissioner for Personal Data.
The PCPD findings came after a string of data breaches affecting companies, schools, and government departments, including the EMSD, the Companies Registry, and the Fire Services Department.
The city’s Consumer Council and tech park Cyberport also fell victim to hackers last year, while Oxfam saw a potential data breach this July.
Covid test data
The EMSD was in charge of collecting data for Covid-testing exercises at 14 public housing estates, including Kai Ching Estate and On Tat Estate, between March and February 2022. The data was stored on a cloud platform called ArcGIS Online.
Chung said on Monday that the Covid testing data remained on the database even after the EMSD’s contract with a contractor had expired.
It was not until late April this year that the EMSD learned that the testing data had not been deleted, and could still be browsed without logging into the website. There was no evidence that the personal information had been published anywhere, the department said in May.
The PCPD said a lack of written policies on the storage and disposal of data was one of the key reasons the data breach occurred.
“There had not been any written policy specifying the retention period of the aforesaid data. Such written policies could provide a clear basis for the retention and disposal of data and could play an important role in this regard,” the statement read.
The PCPD found that the EMSD had not taken all practicable steps to ensure that personal data was not kept longer than was necessary, and to ensure that the personal data was protected against unauthorised or accidental access.
Privacy Commissioner Chung served an enforcement notice on the EMSD over the contraventions of the Personal Data (Privacy) Ordinance relating to data retention and unauthorised access, and ordered it to take measures to prevent similar incidents.
The office of the PCPD said last month that almost 70 per cent of Hong Kong companies experienced cyberattacks in the past year, as a survey found that firms’ cybersecurity awareness still stood at “basic” levels.
Over a third of the 442 companies surveyed had provided cybersecurity awareness training for employees, while just under a quarter had conducted awareness drills.