• specifying the measures to be taken by staff to protect personal data used outside
office premises, e.g. encryption of personal data stored in electronic form and the
prompt return and erasure of the personal data after use; and
• providing proper training, guidance and supervision to the staff.
8.14
Another similar incident was reported in March 2009.[8] According to the police, some
police officers had used their personal computers to prepare police reports but
unfortunately the reports stored in their computers were leaked through Foxy to other
internet users. To prevent the recurrence of similar incidents, the police agreed to take
remedial action including the setting up of a working group to identify information
security risk factors; informing the Commissioner and the affected subjects of all data
breach incidents; instructing all information systems security managers to conduct
checks and inspections on all police terminals; reviewing police policies and relevant
manuals on information security and data protection; exploring technical solutions to
guard against data leakage; carrying out periodic sanitisation and inspection of all
police common terminals to remove unauthorised data, etc.
8.15
However, despite such remedial action, further breaches by the police were discovered
and reported by the media in August 2011 and September 2012, which again involved
the leakage of personal data on the internet through Foxy. As a result, the Commissioner
conducted an investigation in October 2012.[9] Even though human error was found to
be the direct cause of the relevant data leakage, the Commissioner pointed out the
importance for organisations to institute comprehensive internal training and awareness
programmes for their staff. Data users should expect that the Commissioner will readily
take the initiative to examine whether effective measures have been adopted to minimise
human error.
8.16
In another investigation[10] conducted against the police, the case involved the loss of
police notebooks and fixed penalty tickets containing the personal data of 285 individuals,
including victims of crimes, witnesses and suspects. It was also found that the
incidents not only involved negligence or carelessness on the part of the police officers
concerned, but also gross insufficiency in the operational procedures of the police and
notable deficiencies in their supervision and monitoring systems. The Commissioner
concluded that the police had contravened DPP4 and served an enforcement notice
on the police requiring them to adopt various measures to establish supplementary
security procedures to prevent leaks and to tighten supervision. The police were further
advised to undertake a general review of their equipment and uniform used for holding
or conveying police documents, and to step up their training, incentive and disciplinary
programmes to promote compliance with the police’s policies and procedures in
relation to privacy and data protection.
[8] See media statement issued by the Commissioner on 9 March 2009, available on the Website:
https://www.pcpd.org.hk/english/news_events/media_statements/press_20090309.html
[9] See Investigation Report No. R13-15218, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R13_15218_e.pdf
[10] See Investigation Report No. R13-0407, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R13_0407_e.pdf