Date: 29 August 2019
Registration and Electoral Office’s Loss of Register of Electors Incident
Sensitive data lost amidst unfavourable timings, localities and human factors
The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG today published an investigation report on the data breach incident of the loss of a marked final register of electors (Marked FR) used in the 2016 Legislative Council General Election (2016 Election) by the Registration and Electoral Office (REO). The Privacy Commissioner found REO contravened the data protection principle under the Personal Data (Privacy) Ordinance (Ordinance) relating to personal data
security. The Privacy Commissioner served an Enforcement Notice today to direct REO to remedy and prevent any recurrence of the contraventions.
Major Findings
Data Security
Since the personal data contained in the Marked FR included the unique and sensitive information about electors’ identity card numbers and their election or polling statuses as registered electors, the Privacy Commissioner considered that it was not inconceivable that the loss of the kind of data in question might cause more than monetary or psychological harm to the data subjects concerned. Therefore the security steps required to be taken by REO had to be proportionate to the degree of sensitivity of the data and the harm that would result from such loss. The REO also had to effectively take those formulating steps for the security of personal data held.
However, the REO did not take all reasonably practicable steps to ensure that the personal data of the registered electors contained in the Marked FR was protected against its loss, and it could not locate the Marked FR after repeated searches over a period of 30 months, contravening Data Protection Principle 4(1) of Schedule 1 to the Ordinance:
-
Failure to have in place clear and adequate policies and handling practices, procedures and systems to protect personal data of this unique and sensitive nature;
-
Failure to assess and evaluate the security risks and the potential impacts of the risks on the personal data handled in relation to the multiple transfers and storage venues for large number of documents, including the Marked FR;
-
Failure to maintain proper and adequate records of inventory and retrieval systems by both internal and external staff handling the data;
-
Failure to consider formulating and implementing separate and specific security measures for the unique and sensitive data in the Marked FR especially where it would not be required after the poll;
-
Failure to assess the risk of inadvertent human error;
-
Failure to communicate with all relevant persons and conduct adequate training on the secure handling of the data; and
-
Failure to have in place a data breach response plan.
Data breach notification
There being no statutory requirements under the Ordinance for a data breach notification, whether to the Privacy Commissioner or the affected electors, and whether within a particular period of time or otherwise, the Privacy Commissioner found no contravention of the Ordinance in this connection. However, considering the unique and sensitive nature of the personal data involved, the REO should have given data breach notification earlier.
Enforcement Notice
The Privacy Commissioner exercised his power pursuant to section 50(1) of the Ordinance and served an Enforcement Notice to direct REO to:
-
Separate the handling and storage of the marked final register of electors from other electoral documents including separate packing and centralising storage of all marked final registers of electors in designated and adequate storage locations;
-
Set up procedures governing properly and effectively the logistical management of the marked final registers of electors;
-
Set up procedures in respect of proper recording of movements of electoral documents, retrieval systems and dossier reviews;
-
Set up personal data audit directives to address, in particular, the issue of loss of personal data and the associated searching process; and
-
Set up and implement effective and sufficient measures and training to ensure the REO, polling station and other related staff’s compliance with the above procedures and directives.
Timings, Localities and Human Factors
Mr Stephen Kai-yi WONG, the Privacy Commissioner, said, “The incident involved unique and sensitive personal data of electors. The Marked FR was stored at multiple transfer locations but there were no complete inventory and transfer records. It could not be located after repeated searches over a period of 30 months, during which time the REO had to attend to two bi-elections. Further, data breaches are usually attributable to human factors. Human errors could have been caused by intense work load, overly long work hours, scarce resources, inexperienced or under-trained staff, etc.”
The Privacy Commissioner highlighted the importance of the “human” factor in the incident, “Notwithstanding the express provision in the data security principle that ‘
particular regard’ must be heeded to, amongst others, the “integrity, prudence and competence” of the relevant persons, data users often fail to accord the due regard. In this incident, the affected electors may simply expect that their personal data should have been safely kept and properly used once collected, especially where their data involved is unique and sensitive. The REO should have taken measures at the initial stage to ensure the integrity, prudence and competence of persons having access to the data so as to prevent or reduce the risk of any data breach incident and to ensure personal data were protected by competent individuals.”
Nowadays, ethical data governance has become a worldwide trend. The accountability principle, essentially putting in place appropriate technical and organisational measures to ensure, and to demonstrate compliance with the data protection law, is increasingly seen as an effective management tool to proactively protect personal data privacy right and prevent data breaches. The Privacy Commissioner recommended that the REO should develop its privacy management system, and adopt good practices to strengthen the security measures in order to meet the expectations of electors for safeguarding and proper use of their personal data.
-End-