Media Statements
Privacy Commissioner’s Office Publishes Investigation Findings on the Data Breach Incident of the Electrical and Mechanical Services Department and the “Blind” Recruitment Advertisements Posted on the Online Platform of Jobs DB Hong Kong Limited
Date: 9 December 2024
The Office of the Privacy Commissioner for Personal Data (PCPD) today published two sets of investigation findings. The first set of findings relates to the data breach incident of the Electrical and Mechanical Services Department and the second set of findings relates to the “blind” recruitment advertisements (Blind Ads) posted on the online platform of Jobs DB Hong Kong Limited (JobsDB).
(1) Data Breach Incident of the Electrical and Mechanical Services Department (EMSD)
The investigation arose from a data breach notification submitted by the EMSD to the PCPD on 1 May 2024, reporting its suspicion that the personal data of members of the public in its possession was leaked. The data breach involved the personal data of persons who had undergone testing in the “restriction-testing declaration” (RTD) operations conducted in 2022 (the Incident).
Background
The EMSD conducted a total of 14 RTD operations between March and July 2022 to carry out COVID-19 tests for the residents or visitors in 14 buildings (see Annex 1). To collect the data of persons who were subject to testing in the RTD operations, the EMSD procured and used the services of an e-Form Platform (the e-Form Platform) associated with the cloud platform ArcGIS Online and created 14 e-forms. The relevant e-forms and data were stored in the data repository of ArcGIS Online.
In late 2022, when the EMSD noted that the RTD operations had come to an end, it immediately notified the contractor not to renew the service contract after its expiry in late February 2023. According to the EMSD, the EMSD considered that the e-Form Platform account would be invalidated upon expiry of the contract, and the relevant information would be automatically deleted by the contractor. It was not until its receipt of the PCPD’s notification on 30 April 2024 that the EMSD learned that the personal data of persons who had undergone testing in the RTD operations could be browsed by anyone at the relevant website of ArcGIS Online without logging into any account or password. The EMSD hence immediately requested the contractor to remove the personal data involved from the e-Form Platform on the same day, so that the public could no longer browse the relevant information. The EMSD also submitted a data breach notification to the PCPD on the next day.
The Incident affected the personal data of over 17,000 persons. The personal data involved included names, addresses, Hong Kong Identity Card (HKID card) numbers, telephone numbers, ages, genders, whether the persons were vaccinated, whether they were tested positive in PCR tests and the respective dates.
Based on the information provided by the EMSD, subsequent to the Incident, the EMSD has strived to learn from the Incident and has implemented a series of measures and initiatives, which included strengthening privacy management, comprehensively reviewing the work and guidelines on the handling of personal data, stepping up staff training and supervision of contractors and enhancing departmental information technology support systems, so as to establish a more robust privacy protection framework and a corporate culture that values the protection of personal data.
Investigation Findings
In the course of the investigation, the PCPD has conducted five rounds of enquiries with the EMSD and approached the contractor twice to obtain relevant information. The PCPD thanked the EMSD and the contractor for their cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of the EMSD were the main contributing factors of the occurrence of the Incident:-
1. Lack of written policies on the retention of personal data collected in the RTD operations. Hence, there was no clear guidance on the storage and disposal of data. While the EMSD might not be able to specify the retention period or formulate a data retention policy before or during the RTD operations, nonetheless all along it had only relied on the notification given to the contractor in late 2022 not to renew the contract as the basis for suggesting that a data retention period had actually been specified. However, there had not been any written policy specifying the retention period of the aforesaid data. Such written policies could provide a clear basis for the retention and disposal of data and could play an important role in this regard.
In particular, for this case, the data involved sensitive personal data, including the persons’ names, ages, genders, full addresses, phone numbers, as well as their HKID card numbers and PCR test results. Besides, the Incident affected over 17,000 persons. Therefore, the EMSD should be particularly vigilant and cautious in handling the data involved.
2. Failure to make unequivocal request to the contractor for deletion of the relevant data in late 2022, when the EMSD became aware that the RTD operations had come to an end. In notifying the contractor not to renew the contract, the EMSD had not explicitly requested the contractor to delete the personal data involved in the Incident. In fact, it was only when the EMSD became aware of the Incident on 30 April 2024 that it requested the contractor to remove the personal data involved from the e-Form Platform on the same day. The relevant data was then removed that evening, so that they could no longer be accessed by the public. It is evident that the data would be removed upon a request made with the contractor.
The Privacy Commissioner considered that requesting the contractor to delete the relevant data when the EMSD notified the contractor not to renew the contract would have been an effective and practicable step to safeguard the personal data involved. However, the EMSD did not take this action.
3. Failure to take the initiative to delete the personal data involved, particularly during the period from late December 2022 to late February 2023 when the EMSD was still able to log in to the e-Form Platform to manage the personal data stored therein. Instead, the EMSD only waited for the contract with the contractor to expire, without taking the initiative to check and delete the personal data from the platform to avoid unnecessary or excessive retention of the personal data. This is a clear deficiency; and
4. Failure to properly follow up with the contractor on the deletion of data as the EMSD merely assumed that the contractor would act on its own volition after the expiry of the contract. The EMSD had never urged, checked or reminded the contractor to delete the personal data from the e-Form Platform, and had never sought to understand or monitor the progress or effectiveness of the contractor’s relevant actions. The EMSD, as the data user, should not merely await passively for the contractor to take action, nor should it ride on its trust in the contractor and not to verify the work done by the contractor. This is another obvious deficiency.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, understood that amid the severe epidemic situation, departments involved in the RTD operations needed to deploy resources and act quickly. Owing to the time constraints, the EMSD might not have considered the policies and arrangements for deletion of personal data when they planned and conducted the RTD operations. However, since then, the EMSD has not formulated a policy on the retention period of the relevant personal data, nor has it made an unequivocal request to the contractor for data deletion; the EMSD also failed to proactively delete the personal data, or to follow up on and check the deletion of personal data by the contractor after the completion of the RTD operations, which resulted in the unnecessary exposure of the relevant personal data to the risk of data leakage. It is clear that not only had the EMSD failed to comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO), it had also fallen short of the reasonable expectations of the public. In the circumstances, the Privacy Commissioner found that the EMSD:
Download “Investigation Findings: Data Breach Incident of the Electrical and Mechanical Services Department”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf
(2) Eight Organisations Placed Blind Ads on JobsDB
The PCPD is concerned that the act of placing Blind Ads on online recruitment platforms by organisations to collect personal data from job applicants may constitute a contravention of the relevant requirements under the PDPO. The PCPD had earlier on initiated investigations against JobsDB and eight organisations that had placed Blind Ads on JobsDB and wished to publish the investigation findings today.
In general, a Blind Ad is one that does not identify the recruiting organisation (either the employer or a recruitment agency acting on its behalf) nor contain sufficient information to identify the organisation, and does not provide a means for job applicants to make further enquiries or such means does not contain sufficient information to identify the organisation, but directly invites job applicants to submit their personal data, such as their HKID Card numbers, contact details or resumes.
The PCPD’s investigation revealed that organisations that have registered an account with JobsDB can place recruitment advertisements on the JobDB’s online platform. Since January 2024, candidates have been able to apply for the advertised jobs by clicking the “Quick apply” button as instructed in the advertisements and submit the requisite personal data. Once submitted, the information will be stored in JobsDB’s management system and the applicants would be able to request the deletion of their personal data via JobsDB, while JobsDB also controls the circumstances and the duration for which organisations can access the relevant data.
In the circumstances, JobsDB controls the collection, holding, processing (which includes deletion) and use of the applicants’ personal data. In this regard, JobsDB is a “data user” under the PDPO and must comply with the relevant requirements under the PDPO and the DPPs.
Investigation also revealed that a recruiting organisation can publish recruitment advertisements in the name of a “Private Advertiser” without disclosing its name. The eight recruiting organisations under investigation published Blind Ads in the names of “Private Advertisers” (see Annex 2) to collect the job applicants’ personal data. The eight recruiting organisations in question are also “data users” under the PDPO and they involved prospective employers and those acting on their behalves. Their businesses are in the areas of financial securities, apparel retail, Chinese medicine and transportation services, etc.
Having considered the circumstances of the cases and the information obtained from the investigations, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that all of the eight organisations that placed the aforesaid Blind Ads on JobsDB and requested job applicants to submit their personal data to unknown recruiting companies and JobsDB that published the same on its platform were involved in the unfair collection of the job applicants’ personal data, and this constituted contraventions of DPP1(2) of the PDPO. The Privacy Commissioner has therefore served enforcement notices on JobsDB and three recruiting organisations, directing them to take measures to remedy the contraventions and prevent recurrence of similar contraventions in future, and issued an advisory letter to each of the remaining five organisations.
Through the findings of the investigation, the Privacy Commissioner would also like to call upon other operators of online recruitment platforms to:
For members of the public who wish to make any enquiries or lodge any complaint against the placing of Blind Ads, please contact the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk/complaints@pcpd.org.hk).
In order to protect job applicants’ personal data and project positive corporate image, the PCPD appeals to employers to:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_03031_e.pdf
Annex 1
Dates, buildings and number of persons involved in the 14 RTD operations
Annex 2
Particulars of the Blind Ads Placed by Eight Recruiting Organisations on JobsDB
Privacy Commissioner’s Office Publishes Investigation Findings on the Data Breach Incident of the Electrical and Mechanical Services Department and the “Blind” Recruitment Advertisements Posted on the Online Platform of Jobs DB Hong Kong Limited
The Office of the Privacy Commissioner for Personal Data (PCPD) today published two sets of investigation findings. The first set of findings relates to the data breach incident of the Electrical and Mechanical Services Department and the second set of findings relates to the “blind” recruitment advertisements (Blind Ads) posted on the online platform of Jobs DB Hong Kong Limited (JobsDB).
(1) Data Breach Incident of the Electrical and Mechanical Services Department (EMSD)
The investigation arose from a data breach notification submitted by the EMSD to the PCPD on 1 May 2024, reporting its suspicion that the personal data of members of the public in its possession was leaked. The data breach involved the personal data of persons who had undergone testing in the “restriction-testing declaration” (RTD) operations conducted in 2022 (the Incident).
Background
The EMSD conducted a total of 14 RTD operations between March and July 2022 to carry out COVID-19 tests for the residents or visitors in 14 buildings (see Annex 1). To collect the data of persons who were subject to testing in the RTD operations, the EMSD procured and used the services of an e-Form Platform (the e-Form Platform) associated with the cloud platform ArcGIS Online and created 14 e-forms. The relevant e-forms and data were stored in the data repository of ArcGIS Online.
In late 2022, when the EMSD noted that the RTD operations had come to an end, it immediately notified the contractor not to renew the service contract after its expiry in late February 2023. According to the EMSD, the EMSD considered that the e-Form Platform account would be invalidated upon expiry of the contract, and the relevant information would be automatically deleted by the contractor. It was not until its receipt of the PCPD’s notification on 30 April 2024 that the EMSD learned that the personal data of persons who had undergone testing in the RTD operations could be browsed by anyone at the relevant website of ArcGIS Online without logging into any account or password. The EMSD hence immediately requested the contractor to remove the personal data involved from the e-Form Platform on the same day, so that the public could no longer browse the relevant information. The EMSD also submitted a data breach notification to the PCPD on the next day.
The Incident affected the personal data of over 17,000 persons. The personal data involved included names, addresses, Hong Kong Identity Card (HKID card) numbers, telephone numbers, ages, genders, whether the persons were vaccinated, whether they were tested positive in PCR tests and the respective dates.
Based on the information provided by the EMSD, subsequent to the Incident, the EMSD has strived to learn from the Incident and has implemented a series of measures and initiatives, which included strengthening privacy management, comprehensively reviewing the work and guidelines on the handling of personal data, stepping up staff training and supervision of contractors and enhancing departmental information technology support systems, so as to establish a more robust privacy protection framework and a corporate culture that values the protection of personal data.
Investigation Findings
In the course of the investigation, the PCPD has conducted five rounds of enquiries with the EMSD and approached the contractor twice to obtain relevant information. The PCPD thanked the EMSD and the contractor for their cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of the EMSD were the main contributing factors of the occurrence of the Incident:-
1. Lack of written policies on the retention of personal data collected in the RTD operations. Hence, there was no clear guidance on the storage and disposal of data. While the EMSD might not be able to specify the retention period or formulate a data retention policy before or during the RTD operations, nonetheless all along it had only relied on the notification given to the contractor in late 2022 not to renew the contract as the basis for suggesting that a data retention period had actually been specified. However, there had not been any written policy specifying the retention period of the aforesaid data. Such written policies could provide a clear basis for the retention and disposal of data and could play an important role in this regard.
In particular, for this case, the data involved sensitive personal data, including the persons’ names, ages, genders, full addresses, phone numbers, as well as their HKID card numbers and PCR test results. Besides, the Incident affected over 17,000 persons. Therefore, the EMSD should be particularly vigilant and cautious in handling the data involved.
2. Failure to make unequivocal request to the contractor for deletion of the relevant data in late 2022, when the EMSD became aware that the RTD operations had come to an end. In notifying the contractor not to renew the contract, the EMSD had not explicitly requested the contractor to delete the personal data involved in the Incident. In fact, it was only when the EMSD became aware of the Incident on 30 April 2024 that it requested the contractor to remove the personal data involved from the e-Form Platform on the same day. The relevant data was then removed that evening, so that they could no longer be accessed by the public. It is evident that the data would be removed upon a request made with the contractor.
The Privacy Commissioner considered that requesting the contractor to delete the relevant data when the EMSD notified the contractor not to renew the contract would have been an effective and practicable step to safeguard the personal data involved. However, the EMSD did not take this action.
3. Failure to take the initiative to delete the personal data involved, particularly during the period from late December 2022 to late February 2023 when the EMSD was still able to log in to the e-Form Platform to manage the personal data stored therein. Instead, the EMSD only waited for the contract with the contractor to expire, without taking the initiative to check and delete the personal data from the platform to avoid unnecessary or excessive retention of the personal data. This is a clear deficiency; and
4. Failure to properly follow up with the contractor on the deletion of data as the EMSD merely assumed that the contractor would act on its own volition after the expiry of the contract. The EMSD had never urged, checked or reminded the contractor to delete the personal data from the e-Form Platform, and had never sought to understand or monitor the progress or effectiveness of the contractor’s relevant actions. The EMSD, as the data user, should not merely await passively for the contractor to take action, nor should it ride on its trust in the contractor and not to verify the work done by the contractor. This is another obvious deficiency.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, understood that amid the severe epidemic situation, departments involved in the RTD operations needed to deploy resources and act quickly. Owing to the time constraints, the EMSD might not have considered the policies and arrangements for deletion of personal data when they planned and conducted the RTD operations. However, since then, the EMSD has not formulated a policy on the retention period of the relevant personal data, nor has it made an unequivocal request to the contractor for data deletion; the EMSD also failed to proactively delete the personal data, or to follow up on and check the deletion of personal data by the contractor after the completion of the RTD operations, which resulted in the unnecessary exposure of the relevant personal data to the risk of data leakage. It is clear that not only had the EMSD failed to comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO), it had also fallen short of the reasonable expectations of the public. In the circumstances, the Privacy Commissioner found that the EMSD:
- had not taken all practicable steps to ensure that the personal data involved was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening Data Protection Principle (DPP) 2(2) of the PDPO concerning the retention of personal data; and
- had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP4(1) of the PDPO concerning the security of personal data.
Download “Investigation Findings: Data Breach Incident of the Electrical and Mechanical Services Department”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf
(2) Eight Organisations Placed Blind Ads on JobsDB
The PCPD is concerned that the act of placing Blind Ads on online recruitment platforms by organisations to collect personal data from job applicants may constitute a contravention of the relevant requirements under the PDPO. The PCPD had earlier on initiated investigations against JobsDB and eight organisations that had placed Blind Ads on JobsDB and wished to publish the investigation findings today.
In general, a Blind Ad is one that does not identify the recruiting organisation (either the employer or a recruitment agency acting on its behalf) nor contain sufficient information to identify the organisation, and does not provide a means for job applicants to make further enquiries or such means does not contain sufficient information to identify the organisation, but directly invites job applicants to submit their personal data, such as their HKID Card numbers, contact details or resumes.
The PCPD’s investigation revealed that organisations that have registered an account with JobsDB can place recruitment advertisements on the JobDB’s online platform. Since January 2024, candidates have been able to apply for the advertised jobs by clicking the “Quick apply” button as instructed in the advertisements and submit the requisite personal data. Once submitted, the information will be stored in JobsDB’s management system and the applicants would be able to request the deletion of their personal data via JobsDB, while JobsDB also controls the circumstances and the duration for which organisations can access the relevant data.
In the circumstances, JobsDB controls the collection, holding, processing (which includes deletion) and use of the applicants’ personal data. In this regard, JobsDB is a “data user” under the PDPO and must comply with the relevant requirements under the PDPO and the DPPs.
Investigation also revealed that a recruiting organisation can publish recruitment advertisements in the name of a “Private Advertiser” without disclosing its name. The eight recruiting organisations under investigation published Blind Ads in the names of “Private Advertisers” (see Annex 2) to collect the job applicants’ personal data. The eight recruiting organisations in question are also “data users” under the PDPO and they involved prospective employers and those acting on their behalves. Their businesses are in the areas of financial securities, apparel retail, Chinese medicine and transportation services, etc.
Having considered the circumstances of the cases and the information obtained from the investigations, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that all of the eight organisations that placed the aforesaid Blind Ads on JobsDB and requested job applicants to submit their personal data to unknown recruiting companies and JobsDB that published the same on its platform were involved in the unfair collection of the job applicants’ personal data, and this constituted contraventions of DPP1(2) of the PDPO. The Privacy Commissioner has therefore served enforcement notices on JobsDB and three recruiting organisations, directing them to take measures to remedy the contraventions and prevent recurrence of similar contraventions in future, and issued an advisory letter to each of the remaining five organisations.
Through the findings of the investigation, the Privacy Commissioner would also like to call upon other operators of online recruitment platforms to:
- Beware of anyone using Blind Ads to perpetrate frauds or collect personal data by unfair means; and
- Carefully review recruitment advertisements received to identify Blind Ads and avoid publishing the same in order to protect the personal data privacy of members of the public.
For members of the public who wish to make any enquiries or lodge any complaint against the placing of Blind Ads, please contact the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk/complaints@pcpd.org.hk).
In order to protect job applicants’ personal data and project positive corporate image, the PCPD appeals to employers to:
- Increase transparency in placing recruitment advertisements and disclose the identities of the organisations;
- Refrain from placing Blind Ads to collect job applicants’ personal data; and
- If necessary, consider engaging a recruitment agency who is identified in the advertisement to collect the personal data from job applicants.
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_03031_e.pdf
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on the investigation findings on the data breach incident of the EMSD.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on the investigation findings on the data breach incident of the EMSD.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (middle), Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation), Ms Rebecca HO Kan-yeuk (left) and Senior Legal Counsel, Ms Hermina NG Wing-hin (right), published the investigation findings on the data breach incident of the EMSD and the “blind” recruitment advertisements posted on the online platform of JobsDB.
-End-
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (middle), Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation), Ms Rebecca HO Kan-yeuk (left) and Senior Legal Counsel, Ms Hermina NG Wing-hin (right), published the investigation findings on the data breach incident of the EMSD and the “blind” recruitment advertisements posted on the online platform of JobsDB.
-End-
Annex 1
Dates, buildings and number of persons involved in the 14 RTD operations
| Dates of operations | Building | Number of persons involved |
|---|---|---|
| 3-4 / 3 / 2022 | Tak Ying House, Tak Long Estate | 1,506 |
| 6-7 / 3 / 2022 | Yan Ching House, Kai Ching Estate | 1,451 |
| 9-10 / 3 / 2022 | Oi Ming House, Yau Oi Estate | 1,608 |
| 14-15 / 3 / 2022 | Fu Leung House, Fu Cheong Estate | 210 |
| 17-18 / 3 / 2022 | Wu Fai House, Wu King Estate | 1,330 |
| 19-20 / 3 / 2022 | Tip Ying House, Butterfly Estate | 1,348 |
| 21-22 / 3 / 2022 | Sin Tat House, On Tat Estate | 1,966 |
| 23-24 / 3 / 2022 | Wai Tung House, Tung Tau (II) Estate | 285 |
| 25-26 / 3 / 2022 | Kwong Wai House, Kwong Fuk Estate | 1,010 |
| 30/3 - 1/4/2022 | Pok Yat House, Pok Hong Estate | 1,823 |
| 12-13 / 4 / 2022 | Cheung Fung House, Cheung Wah Estate | 939 |
| 3-4 / 5 / 2022 | Ming Toa House, Ming Tak Estate | 1,582 |
| 30-31 / 5 / 2022 | Un Shing House, Un Chau Estate | 469 |
| 4-5 / 7 / 2022 | Toi Fung House, Fung Tak Estate | 1,798 |
| Total | 17,325 |
Annex 2
Particulars of the Blind Ads Placed by Eight Recruiting Organisations on JobsDB
| Advertisement | Recruiting Organisation | Contents in relation to Blind Ads |
| 1 | Company A |
|
| 2 | Company B |
|
| 3 |
Company C (providing recruitment assistance to another company) |
|
| 4 | Company D |
|
| 5 | Company E (recruiting on behalf of another company within the same corporate group) |
|
| 6 | Company F (recruiting on behalf of the association(s) chaired by members of the company’s management) |
|
| 7 | Company G |
|
| 8 | Company H |
|