Following is a question by the Hon Audrey Eu and an oral reply by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in the Legislative Council today (May 21):
Recently, a number of government departments, statutory bodies and business corporations have lost equipment and devices containing personal data. These incidents have been described by some media as a "privacy disaster". In this connection, will the Government inform this Council:
(a) of its remedial measures, apart from issuing circulars or guidelines relating to the internal procedure on information security; whether it knows the remedial actions taken by the statutory bodies and business corporations concerned, including whether they have notified the affected members of the public; if they have, of the details; if not, the reasons for that;
(b) of the channels through which members of the public may lodge complaints and claims when their personal data have been negligently handled by government departments, statutory bodies or business corporations; and
(c) in view of this "privacy disaster", whether it will consider amending the law to expand the power of the Privacy Commissioner for Personal Data (PC), as well as enacting laws on the management of government records to specify clearly the authority of and restrictions on government departments in handling personal data, so as to strengthen the protection of the privacy of the public; if it will amend the law, of the timetable; if not, the reasons for that?
Reply:

(a) In the wake of the several data leakage incidents involving government departments, the Government has promptly issued an internal circular and guidelines on information security procedures for compliance by government officers. To strengthen control over the handling of personal data as well as protective measures on the use of portable electronic storage devices, all departments will make maximum use of the security functions offered by application software and use storage devices that support data protection such as passwords, encryption and biometrics (e.g. fingerprints). Officers must seek prior permission from supervisors and suitably encrypt the data before storing any information on portable storage devices. After use, such data must be deleted as soon as possible. No officer may store personal data on a personally-owned device or personal computer.
The Government will strengthen communication with civil servants with a view to raising their awareness of the Security Regulations, and remind them of the need to comply with the Regulations. The Office of the Government Chief Information Officer, the Security Bureau and the Civil Service Bureau will work out the relevant plans, and have the plans implemented in the coming months by working with departmental Information Security Officers, policy bureaux and departments. The Government will strengthen monitoring of the use of portable electronic storage devices by bureaux and departments, as well as review the information security policies, the Security Regulations and the code on working practice in the light of the investigation outcome of the recent leakage incidents.
The departments and the statutory body involved in data leakage have each taken corresponding remedial measures, including reviewing departmental information security procedures, issuing internal guidelines to strengthen staff awareness of information security, and notifying the affected persons, the Office of the Privacy Commissioner for Personal Data (PCO) or the Police. Details are set out in the Annex.
We understand that the bank involved in the data leakage incident issued a statement on May 7 indicating that it was contacting the affected account holders.
(b) A member of the public who suspects that his personal data have been negligently handled by government departments, statutory bodies or business corporations may lodge a complaint with the PCO. Where the PC, upon completion of the investigation, finds that the data user is contravening a requirement under the Personal Data (Privacy) Ordinance (PDPO), or has contravened such a requirement and such contravention is likely to continue or be repeated, the PC may serve an enforcement notice to direct the data user to take the necessary steps to remedy the contravention. Non-compliance with an enforcement notice is a criminal offence. On conviction, the data user is liable to a fine at Level 5 (maximum fine of $50,000) and imprisonment for two years, and in the case of a continuing offence, a daily fine of $1,000.
An individual who suffers damage by reason of a contravention under the PDPO may claim damages under Section 66 of the Ordinance.
(c) Section 36 of the PDPO empowers the PC to inspect any personal data system of a data user for the purpose of making recommendations to the data user in order to promote compliance with the provisions of the PDPO. The PC is also empowered under Section 38 of the Ordinance to carry out an investigation to ascertain whether there is any contravention of the PDPO, either on his own initiative or upon receipt of a complaint. The PDPO also confers on the PC the power of entry onto premises for the purpose of investigation and inspection, as well as the power to gather evidence. The PC may direct a data user to take the necessary steps to remedy a contravention of the Ordinance by serving an enforcement notice on the latter. Insofar as the recent data leakage incidents are concerned, the PC has invoked his statutory powers to follow up the cases through investigation and inspection, etc. We consider that the PDPO has conferred appropriate powers on the PC to follow up the data leakage incidents effectively.
We are conducting a comprehensive review of the PDPO together with the PC. During the review, we will examine ways to further strengthen the protection of personal data privacy with regard to the collection, holding, processing and use of personal data.
The PDPO binds the Government. Government departments are required to comply with the relevant provisions of the Ordinance in handling records containing personal data. We consider that there is no need to legislate on the management of government records.
Ends/Wednesday, May 21, 2008