
Case Notes

This case relates to DPP 4 – Security of personal data

Case No.: 2020DB02

A staff member transferred personal data held by his employer to his personal computer without authorisation – DPP 4 – security of personal data

Background

A financial institution reported to the PCPD that an administrative staff member had copied more than 4,000 files from his office desktop computer to his personal laptop via his own USB flash drive without authorisation. Among those files, 51 contained personal data of around 6,600 customers, 30 staff members and unsuccessful job applicants. The personal data involved included financial account details of customers, human resources data of staff members and curricula vitae of unsuccessful job applicants. On learning of the incident, the PCPD initiated a compliance check.

In the compliance check process, the PCPD found that the staff member concerned was the only staff member who had been granted permission to use a USB flash drive with read-and-write functions in discharging his duties. The files concerned, which were encrypted and password-protected, were stored on the local drive of his office desktop computer, which itself was not password-protected. The staff member explained that he had copied the files to his personal laptop with a view to freeing up space on the hard disk of his office computer, which was running slowly at the material time.

After an internal investigation, the financial institution considered that the staff member concerned had not disclosed any personal data of a data subject, and that he had no intent to obtain gain in money or other property (for any person’s benefit) or to cause loss in money or other property to any data subject involved in this incident. In any event, the staff member concerned signed a Non-Disclosure Agreement confirming that he had not disclosed any data contained in the files to any third party and had deleted the files immediately and permanently.

Remedial Measures

In the wake of the incident, the financial institution revoked the USB write-access right of the staff member concerned. The institution also sent an email to all staff members reminding them of the institution’s global policy on the secure use of removable storage devices, and arranged training for all staff members on information security risks.

Lesson Learnt

In a business environment, it is inevitable that staff members have access to personal data. In general, those responsible for administrative and human resources-related matters have to handle a large amount of sensitive personal data. Organisations should attach great importance to data governance and to a culture of respecting and protecting privacy. To this end, organisations should regularly review and monitor their staff members’ access rights to personal data to ensure that personal data is handled on a “need-to-know” basis.

(Uploaded in July 2022)
