1. The Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Roderick B. Woo has ordered an investigation to probe into the recent incidents concerning the leakage on the internet of certain classified police documents which contained personal data.
2. “I am gravely concerned that classified police documents have been repeatedly leaked on the internet through the ‘FOXY’ file-sharing software. In the course of my investigation, I will seek the Police Commissioner’s cooperation and ensure that the Police will take effective measures to stop personal data from accidental or unauthorized access,” Mr. Woo said.
3. The Commissioner conducted a self-initiated compliance check not long ago into some similar incidents. The Police admitted that some of its officers had prepared police reports on personal computers on which the software in question was installed. To prevent the occurrence of similar incidents, the Police had agreed to take the following actions:
- Setting up a Force Working Group to identify information security risk factors;
- Informing the Office of the Privacy Commissioner for Personal Data (“PCPD”) and affected data subjects of all data breach incidents;
- Publishing messages on the Police notice board to enhance data security knowledge, e.g. how to uninstall Foxy software;
- Instructing all Formation Systems Security Managers to conduct checks and inspections on all Police terminals;
- Reviewing Police policies and relevant manuals on information security and data protection;
- Setting up a Force Focus Group on personal data protection to advise police officers on the importance of data protection;
- Exploring technical solutions to guard against data leak;
- Carrying out periodic sanitization and inspection of all Police common terminals to remove unauthorized data;
- Promulgating a guideline on how to investigate information security incidents.
4. Since then, the PCPD has conducted seminars for police officers on personal data protection, focusing on the legal framework, data protection principles, governance of data protection and data access requests.
5. “To help prevent further harm done to the affected individuals, I strongly urge internet users not to download or disseminate sensitive personal data on the internet after an accidental or unauthorized leakage has become known,” Mr. Woo said.
6. In his package of reform proposals to the Government in December 2007, the Commissioner proposed making it an offence (with certain exemptions) for any person to knowingly or recklessly, without the consent of the data user, obtain, disclose or procure the disclosure of personal information. The selling of personal data obtained in such circumstances should also be regarded as unlawful. The proposal, if adopted, would hopefully deter irresponsible behaviour by persons who, in flagrant disregard of personal data privacy, obtain or disclose personal data leaked by accident or without due consent.
END