Media Statements

Date: 26 October 2006

Privacy Commissioner releases the IPCC investigation report

The Privacy Commissioner for Personal Data (the Commissioner) Mr. Roderick B. Woo published today a report (the Report) on the result of an investigation of the leakage on the Internet of personal data relating to complaints made against the Police by the public.

Background

The incident was first reported in a local newspaper on 10 March 2006. Personal data of about 20,000 people who had made complaints to the Police held by the Independent Police Complaints Council (IPCC) were posted on the Internet and became accessible by the public. The Commissioner immediately carried out a self-initiated investigation on 15 March 2006. After commencement of the investigation, the Commissioner received a total of 55 complaints made against the IPCC. The investigation was carried out by way of visits to the IPCC office, visits to the Complaints Against Police Office, interviews of the persons concerned and the taking of statements, examination of documentary records and written representations from the relevant parties as well as oral examination of persons summoned under section 44 of the Personal Data (Privacy) Ordinance (the Ordinance).

The Report provides an account of the system of managing complaints against the Police; the IPCC’s information technology system, security and privacy policies; events leading to the leakage on the Internet; and the Commissioner’s findings and recommendations.

The Commissioner’s Findings

In his Report, the Commissioner found that the IPCC had contravened the requirements of Data Protection Principle (DPP) 4 of Schedule 1 to the Ordinance. DPP4 provides that a data user shall take all reasonably practicable steps to ensure that personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use. It requires a data user to implement security safeguards and precautions in relation to the personal data in its possession, the level of which should reflect the sensitivity of the data and the seriousness of the potential harm that may result from a security breach.

The basis of the Commissioner’s findings was that the IPCC had failed to take:

(i) any steps to prevent the data from being released to the outsourced IT contractor without due consideration of the necessity of doing so;

(ii) any precautionary measures to safeguard the data that had been released to the outsourced contractor; and

(iii) any practicable steps to ensure the integrity, prudence and competence of persons having access to the data, resulting in the leakage of the data on the Internet.

Enforcement Notice

In the exercise of his power under section 50 of the Ordinance, the Commissioner issued an Enforcement Notice to the IPCC on 18 September 2006 directing it to do the following by 16 October 2006:

1. Devise the necessary policy and practical guidelines for the proper handling and protection of the complaint data when dealing with an outsourced contractor or agent;

2. Implement effective measures to ensure compliance by its staff with those policy and guidelines; and

3. Review the existing outsourcing contracts and endeavor to incorporate into those contracts terms in respect of measures required to be taken by the contractors to protect the complaint data handed to them by the IPCC.

IPCC’s Position

The Commissioner received the IPCC’s Position Statement on 5 October 2006.

In its Position Statement, the IPCC seeks to challenge the Commissioner’s findings and the Enforcement Notice broadly on the following grounds:

(a) That the Council members of the IPCC are not data user(s) within the meaning of the Ordinance;

(b) That the individual Council members of the IPCC (including those who have left during the relevant period) have not been given a chance to be heard;

(c) That the Enforcement Notice seeks to place a burden on the Council members of the IPCC who are not involved in the running of the IPCC secretariat, which is a government body.

At the request of IPCC, the Commissioner also publishes IPCC’s Position Statement together with the press release.

The Commissioner’s Response

The Commissioner disagrees with the IPCC in respect of the aforementioned grounds and considers that it is in the public interest to respond to them.

The Commissioner regards the IPCC as the relevant “data user” in this incident. The IPCC, comprising the individual Council members plus the secretariat (which provides the necessary administrative support), has control over the use of the complaint data in accordance with the IPCC’s own terms of reference, i.e. to review the handling by the Police of complaints by the public and to keep under review statistics of the types of complaints made by the public, etc. The IPCC therefore falls squarely within the definition of “data user” under the Ordinance, being “any person who either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data”. At no stage during the investigation did the IPCC deny that it was the relevant data user. The Commissioner finds no room for an argument that the IPCC is not a data user in relation to the complaint data.

During the course of the investigation, the Commissioner provided ample opportunity for the IPCC to respond to the complaints and to make such representations as it wished to make. Correspondence was addressed to the Chairman of the IPCC, and responses and representations were received from the IPCC signed by the Secretary of the IPCC on behalf of the IPCC and copied to the Chairman of the IPCC. In addition, the IPCC has been afforded the opportunity of putting forward its representations in the form of its Position Statement.

In its Position Statement, the IPCC argued that the Council members are separate and distinct from the secretariat. The available evidence shows that the secretariat exists solely to assist the Council members in discharging their role and functions. The secretariat is not an independent government body. Orders and directives from the Council members are carried out by the secretariat. In any case, the relevant computer program contracts were entered into in the name of the IPCC, not the secretariat as an independent government body. At no stage during the investigation did the IPCC state that the Council members were separate and distinct from the secretariat. The Commissioner finds no merit in the IPCC’s argument.

Having said that, the Commissioner’s finding in this unfortunate incident should not cast a slur on the reputation of individual Council members of the IPCC. Throughout the development of Hong Kong, civic-minded citizens have volunteered to help in different areas of human activity by serving as members of committees and councils. They give their time and effort freely for the betterment of the community. Individual Council members of the IPCC are good examples. They operate under conditions which could be better regulated by law. Mr. Woo said: “I hear that the Government has plans to introduce legislation to make the IPCC an independently operated statutory body. I hope the fact that the IPCC will continue to handle sensitive personal data will be given due consideration.”

Compliance with the Enforcement Notice

The Commissioner is pleased to note that on 16 October 2006 the IPCC complied fully with the Enforcement Notice.

Learning from this incident

Mr. Woo said: “Learning from this unfortunate incident, data users should be highly alert in handling sensitive or large quantities of personal data, particularly if they are in electronic form. In the event that they are asked to release a database containing personal data to an outsourced contractor or agent, precautionary measures should be taken to prevent data leakage.”

The lesson to be learned here is not an apportioning of blame but what can be done to prevent a similar recurrence. My office is doing what it can within our limited legal power and even more limited resources to campaign for compliance with the Ordinance.

Campaign to promote compliance

In an effort to prevent a recurrence of similar incidents, the Commissioner has initiated a campaign to promote satisfactory compliance with the provisions of the Ordinance. Opportunities will be given to both the private and public sectors to acquire the necessary knowledge.

For the private sector, the Commissioner has launched an informational campaign titled “Information Security Enhancement Campaign” jointly with three major IT professional associations and institutions. As part of the Campaign, an information booklet, titled “Recommended Procedures for IT Practitioners on Personal Data Handling”, is published today providing guidance for IT professionals across all sectors. The booklet outlines the procedures to be followed in the collection and processing of personal data by IT contractors or sub-contractors. Seminars and workshops will also be held to provide in-depth training to ensure effective implementation of the recommended procedures. With a view to encouraging organizations to incorporate data privacy protection as one of the core elements of corporate governance, the Commissioner’s Office also plans to provide guidance to the managerial level in the future.

For the public sector, the Commissioner recommends that all government departments include the subject of data protection in their regular staff-training programmes. In addition, the Commissioner’s Office has jointly organized seminars with the Home Affairs Bureau on compliance with the Ordinance. Attendees will include officials from various government departments.

Copies of the Report and the Booklet are available from the Commissioner’s Office at 12/F., Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong. They are also available for download from the website of the Commissioner’s Office (http://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/invest_report.html).