Hong Kong Privacy Commissioner investigates loss of computer notebook containing names

June 12, 2017

The loss of computers containing personal information is an all too common event. I have previously written a post on the UK Information Commissioner’s Office taking action over the loss of a laptop. It is a serious problem because notebooks, a common if not preferred form of computer for many workers, can be easily lost or stolen, and they can store large amounts of sensitive data. While theft and loss are a problem, the bigger problem for organisations is the lack of security in the storage of data. Poor training results in more data being kept than is required, the data not being properly encrypted and computers not being properly password protected.

The Hong Kong Privacy Commissioner has conducted an investigation and today published a detailed report on the loss of notebook computers which contained personal data of Election Committee members and electors. The amount of data on the 2 computers that were lost is significant: 1,200 Election Committee members and 3.78 million electors. Some of the data was particularly sensitive, such as the Hong Kong Identity Card numbers of the electors. The Commissioner has issued an enforcement notice prohibiting the download of personal data, requiring internal guidelines to be established and requiring a review of processes, amongst other directions.

In the United Kingdom there would almost certainly have been a monetary penalty notice. In the United States there would have been a significant monetary settlement and a likely 10 – 20 year agreement requiring onerous audits. In Australia, it is hard to say. The enforcement is so tentative. That said, the power is there for injunctive relief as well as civil penalty proceedings.

The media statement by the Hong Kong Privacy Commissioner provides:

The Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”) has carried out an investigation on the loss of two notebook computers, containing personal data of about 1,200 Election Committee members (“EC members”) and about 3.78 million Geographical Constituencies electors (“Electors”), under the custody of the Registration and Election Office (“REO”) reported on the day following the 2017 Chief Executive Election, and publishes the report today.

The report states that the first notebook computer (“First Notebook Computer”) contained the names of EC members only. Given that the name of EC members is public data, and a name alone is not considered as sensitive personal data, the Privacy Commissioner takes the view that harm would not be done to the EC members even when their names were leaked as a result of the loss of the First Notebook Computer. Moreover, the security measures taken by the REO to protect the personal data stored in the First Notebook Computer are considered adequate. Furthermore, the Privacy Commissioner considers it acceptable for the REO to download the names of the EC members to the First Notebook Computer for the purpose of recording re-issuance of name badges. Therefore the Privacy Commissioner concludes that the REO did not contravene Data Protection Principle (“DPP”) 4(1) of the Personal Data (Privacy) Ordinance (“Ordinance”) for the loss of First Notebook Computer.

The second notebook computer (“Second Notebook Computer”) contained, in addition to the name and address available to the public in the Registers of Electors, the Hong Kong Identity Card number of all Electors which is considered sensitive personal data and not accessible by members of the public. The Privacy Commissioner considers that the circumstances relating to the loss of the Second Notebook Computer are unique and unprecedented. Although the personal data of the Electors involved has already undergone multiple layers of encryptions and the chance of leakage is low, the loss of the Second Notebook Computer containing the personal data of all Electors could have been avoided, and hence the privacy concerns arising therefrom are understandable. The Privacy Commissioner is of the view that the assessment and approval of the use of an enquiry system containing the Electors’ data was especially not well thought out or adaptive to the special circumstances of the case. The REO simply followed past practices and failed to review, update or appraise the existing mechanism in a timely manner and in light of the circumstances. The claimed effectiveness of the need for storing personal data of all Electors was not proportional to the associated risks. The security measures adopted by the REO were not proportional to the degree of sensitivity of the data and the harm that might result from a data security incident either. The result of this investigation shows that the REO lacked the requisite awareness and vigilance expected of it in protecting personal data, rules of application and implementation of various guidelines were not clearly set out or followed, internal communication was less than effective, and hence failed to take all reasonably practicable steps in consideration of the actual circumstances and needs to ensure that the Electors’ personal data was protected from accidental loss, thereby contravening DPP 4(1) of the Ordinance.

In view of the finding of contravention regarding the handling of the Second Notebook Computer, the Privacy Commissioner has decided to serve an enforcement notice on the REO pursuant to section 50(1) of the Ordinance to remedy and prevent any recurrence of the contravention. The REO is directed to:

• prohibit the download or use of Geographical Constituencies electors’ personal data (except their names and addresses) for the purpose of handling enquiries in Chief Executive Elections; and issue notice on this to the relevant staffs on a regular basis;

• set internal guidelines in respect of the processing of personal data in all election-related activities, including:

  • technical security measures (information system encryption and password management);
  • physical security measures;
  • administrative measures on the use of notebook computers and other portable storage devices; and

• implement effective measures to ensure staffs’ compliance with the above policies and guidelines.

Having considered all the circumstances of the case, the Privacy Commissioner Stephen Kai-yi WONG also makes the following recommendations:

• Use only “necessary” personal data in different elections

  • Only make available the personal data for access or use on a “need-to-know” and “need-to-use” basis, especially when portable storage devices such as notebook computers are involved.
  • Adopt the principle of least-privileged rights, by which only staffs authorised to handle identity verification would be able to retrieve or access relevant personal data.

• Strictly review, approve and monitor the download and copying of systems containing Electors’ personal data

  • Strictly evaluate the necessity of downloading and copying systems containing Electors’ personal data and set approval procedures and standards.
  • Monitor if any system containing Electors’ personal data has been downloaded or copied without authorisation. Such systems and the related servers should record all activity logs to trace any access, use, download, edit and/or deletion of the data by a system user.
  • Install monitoring and alarm mechanisms in all the systems containing the Electors’ personal data and the related servers, so that whenever there is any irregularity (e.g. download or deletion of huge personal data), timely reporting of the case, as well as tracing and reviews can be done.

• Adopt effective technical security measures when storing Electors’ personal data

  • Personal data should not be stored in notebook computers or portable storage devices unless absolutely necessary.
  • If it is necessary to store the Electors’ personal data in notebook computers or portable storage devices, effective technical security measures should be adopted according to the quantity and sensitivity of the data, e.g. two-factor authentication in data access, etc.

• Formulate, systematically review and update personal data security policy

  • Formulate, systematically review and update its current personal data security policies, procedures and practical guidelines according to its functions and activities.
  • Effectively disseminate the personal data security policies to all staffs. Clear ways to access the relevant information should also be provided.
  • Review and formulate a compliance check mechanism to ensure the personal data security policies, procedures and practical guidelines are complied.

• Conduct Privacy Impact Assessment: Before commencement of any new task or project involving the creation, collection, use or storage of voluminous Electors’ data, sensitive one in particular, the REO should carry out a privacy impact assessment. Adequate security measures should be adopted to address the privacy risks arising from the project.

• Implement Privacy Management Programme: The REO should learn from the lessons of the incident and adopt the Privacy Management Programme as a top-down organisational imperative. The REO should review and update its programme controls and raise staffs’ awareness and vigilance in protecting and respecting the Electors’ personal data privacy to regain the confidence and trust of the Electors.

 
