LCQ3: Government departments' handling of incidents of leakage of personal data|
Following is a question by the Hon Ronny Tong and an oral reply by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in the Legislative Council today (June 11):
Regarding government departments' handling of incidents of leakage of personal data of the public, will the Government inform this Council:
(a) as files suspected to be internal and confidential documents of the Police were recently circulated on the Internet, whether, at the time when these incidents occurred, the Police had internal guidelines in place instructing police officers on the ways to use and protect personal data of the public; if they had, of the contents of the guidelines; whether the Police have, immediately after the leakage incident, thoroughly investigated if any police officer violated such guidelines, as well as whether they have contacted all affected persons informing them of the remedial actions to be taken in response to the incident and whether they have taken any disciplinary actions against the police officers who have violated the guidelines;
(b) whether the Hong Kong Monetary Authority (HKMA) has established any mechanism requiring banks to immediately report to the HKMA incidents of leakage of personal data; if it has, why it had allowed the Hong Kong and Shanghai Banking Corporation Limited (HKBC) not reporting to it the loss of a server containing data of its customers until six days after the incident, and why the HKMA had not made any announcement of the incident in the four days following receipt of the report; and
(c) whether it will review the procedure for handling personal data by all government departments, and how it will enhance the confidence of the public in the handling of personal data by the Government?
(a) All along, the Police Force has sought to govern how police officers should deal with and protect personal data in accordance with the internal guidelines drawn up for this purpose. The Police General Orders and the Force Procedural Manual provide in detail that police officers should handle and protect personal data in accordance with the Data Protection Principles laid down in the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The Force Information Security Manual also stipulates strict guidelines, setting out the issues and procedures which police officers should pay attention to when they handle internal information and personal data by electronic means.
The Police Force is very concerned about the recent incidents in which certain internal documents were found on the Internet. Those cases have been referred to the Technology Crime Division in the Commercial Crime Bureau for full investigation. For those cases which were not found to involve any criminal element, the Force has embarked on a disciplinary review. If, upon investigation, any police officer is found to have failed to follow the Force's internal guidelines or requirements, the Police will take disciplinary action in accordance with established procedures.
In addition, the Police have already informed the data subjects of the incidents concerned, and advised them to contact the Police immediately for follow-up if they suspect that the disclosed personal data has been misused.
The Police have set up a Working Group to conduct a comprehensive review regarding the Police's existing measures and procedures regarding information security and data protection (including personal data and protected data), including a review on the policy concerning the use of private computers for office work, and to propose improvement measures so as to reduce the risk of leakage of personal data or protected data.
(b) The HKMA has issued clear guidelines on protection of data of bank customers. The guidelines require authorised institutions (including banks) to draw up incident management procedures for loss of or unauthorised access by third party to customers' data, including the mechanism for notifying external parties (such as the HKMA and affected customers) of the incident. The supervisory standard of the HKMA requires banks to notify and submit an incident report to the HKMA after the incident as soon as possible.
Regarding the incident mentioned in the question, the HKMA received the notification of the HSBC in the evening of May 2, 2008 (Friday) concerning the bank's loss of a computer server containing data of customers on April 26, 2008. Right after receiving the notification, the HKMA did require the HSBC to conduct the relevant follow-up work, including promptly notifying affected customers, enhancing measures on protection of personal data of customers and submitting an incident report to the HKMA.
The HKMA has not allowed the HSBC to notify it of the relevant incident six days after the incident. The HKMA has already received the incident report submitted by the HSBC and will consider from the supervisory perspective whether the HSBC's handling of the aforesaid incident (including the notification arrangements) is in compliance with the requirements of the guidelines. The HKMA will consider taking appropriate supervisory actions in case it discovers any breach of the requirements of the guidelines.
Banks involving in leakage of customers' data have the responsibility to notify affected customers promptly. The manner by which banks notify affected customers, including whether to make announcements, is the decision for banks. That said, having regard to the large number of affected customers in this incident, the HKMA considered announcement-making to be an appropriate and effective way to notify customers who may be affected. As such, the HKMA did request the HSBC to announce the incident immediately after the latter had made a preliminary ascertainment on the number of affected customers and information that might have been leaked. The HSBC made an announcement on the relevant incident on May 6, 2008.
(c) After the PDPO came into effect in December 1996, the Administration has issued a number of circulars to all policy bureaus and departments to explain the provisions in the PDPO and how to comply with certain requirements under the Ordinance. Bureaus and departments have to put in place their own data protection measures in accordance with the provisions in the PDPO and taking into account their specific operational needs. Each and every bureau or department is required to appoint one or two officers as Departmental Data Controlling Officer(s) to assess, authorise, monitor and review data protection measures within the office to ensure compliance with the requirements of the Ordinance. The Office of the Privacy Commissioner for Personal Data (PCPD) also regularly provides these officers with information on the Ordinance to keep them posted on the latest development in personal data privacy.
In addition to having in place personal data protection systems tailor made for their operational needs, bureaux and departments have to step up training for staff to enhance their understanding of the Ordinance and their alertness in handling personal data.
We encourage government bureaux/departments to send their officers to join the Data Protection Officers' Club set up by the PCPD to enhance their knowledge and understanding of the Ordinance through various exchange activities. The Club is a network for professionals tasked with the responsibility of implementing and coordinating measures to protect personal data privacy within their respective organisations. At present, representatives from 32 government bureaux/departments have joined the club. The PCPD will organise a seminar on personal data security in August, as well as run a series of workshops between October and December for members of the Club to enrich their knowledge on personal data protection.
In 2008-09, the PCPD has been provided with an additional funding of $1 million to step up its promotional and educational work, including the production of a training kit on "Get to know Personal Data (Privacy) Ordinance" to enable data users in both the public and private sectors to run their in-house staff training sessions on the proper handling of personal data. The training kit is expected to be available for distribution to all government departments in early 2009. In addition, the Government and the PCPD will organise jointly a series of seminars and case studies for bureaux and departments to further enhance their understanding about the PDPO, including personal data security and handling of data access requests.
The Administration also encourages staff to make good use of the information available on the PCPD website (such as codes of practice, guidelines, guidance notes and fact sheets) to enhance their understanding of the Ordinance.
Ends/Wednesday, June 11, 2008