Recruitment platform wrongfully sent out emails containing CV information – DPP 4 – security of personal data
Background
A recruitment platform reported to the PCPD that job application emails containing CVs of 4,201 job applicants were erroneously sent to 1,692 companies. Personal data involved included job applicants’ full English and Chinese names, home addresses, mobile numbers, email addresses, genders, dates of birth, nationalities, identity card numbers, marital statuses, education background and work experience. On knowing the incident, the PCPD initiated a compliance check.
In the compliance check process, the PCPD revealed that the incident occurred when a server misconfiguration prompted a manual job application resending process, and a human sorting error caused the data mismatch and job applications being sent incorrectly to the companies.
Remedial Measures
After the incident, the recruitment platform formed a cross-functional task force to access impact, resolve the issue, and communicate with external and internal stakeholders. To remove the risk of data mismatch in the future, a fully automated process which eliminates the need for manual interaction with datasets was implemented in addition to a checking mechanism to ensure that job application emails will not be sent out to irrelevant companies.
Lesson Learnt
Even systems which are predominantly machine-operated may at times require human intervention (such as server misconfiguration in this case). Human interaction is prone to errors. So, completely automated processes are mostly welcomed, albeit some form of auditing mechanism would still be beneficial.
(Uploaded in July 2022)