8.10
An insurance company wrongly sent a file containing personal data of some 1,880
customers to a bank by email. The wrong recipient was asked to delete the file. The
insurance company was advised by the Commissioner to implement an action plan to
strengthen data transmission security by using password protection and encryption, etc.
and to conduct a special review by its internal auditor on data transmission process
focusing on personal data protection.
8.11
Another insurance company was found to have leaked online through a website some
600 policy holders’ personal data (including their names, addresses, telephone numbers
and insured amounts). The leakage was attributed to the inappropriate grant of access
right by the insurance company to its agent to the personal data concerned. The agent
uploaded and stored the data in a web file server at his home and as a result, the data
could be accessed by the public through an internet search engine. Upon the
conclusion of the investigation, the Commissioner served an enforcement notice to the
insurance company requiring it to review its operation procedures to strengthen control
on access, transfer and security of the personal data of insurance policy holders. [6]
(b) Government and Public Bodies
8.12
A spate of reported data leakage incidents occurring in government departments
between 2008 and 2012 was caused by file-sharing software found installed in
computers.
8.13
It was reported by the newspapers in May 2008 that documents apparently belonging
to the Immigration Department were leaked on the internet through the “Foxy” file-share
software. These documents comprised internal memos and file minutes and some of
these documents were marked “confidential”. The names, dates of birth and
identification document types and numbers of some Hong Kong residents, visitors and
immigration officers were leaked. In response to the compliance check carried out by
the Commissioner, the Immigration Department gave an undertaking to the
Commissioner [7] to strengthen data security by taking a number of improvement
measures including:
• prohibiting the use of office documents as templates or sample case documents
unless the identifying particulars of individuals concerned have been removed;
• classifying all office documents (in both paper and electronic form) containing
personal data according to the degree of sensitivity of the data;
• prohibiting the taking or copying of such data for use outside office premises unless
authorised;
[6] See Case Note No. 2006C10, available on the Website:
https://www.pcpd.org.hk/english/enforcement/case_notes/casenotes_2.php?id=2006C10&content_type=&content_nature=&msg_id2=289
[7] See media statement issued by the Commissioner on 5 June 2008, available on the Website:
https://www.pcpd.org.hk/english/news_events/media_statements/press_20080605.html