The Office of the Privacy Commissioner for Personal Data in Hong Kong has released two reports on investigations involving possible violations of the Data Protection Ordinance. Both reports involve the Hong Kong Police Department.
The first investigation involved the leakage of an HKPD document containing personally identifiable information via Foxy (a file-sharing program). Two instances involving leaks in August 2011 and September 2012 were investigated. The investigation revealed that in the first case, the leakage via Foxy did not occur from the police’s computer system but from the individual (recipient) who had been emailed the document. In the second, the leakage occurred because an individual officer violated HKPD policies and downloaded files via a thumb drive that were transferred to his own computer (which did have Foxy installed). When he subsequently went to sell that computer, he did not comply with policy about using department-required software to wipe the drive. The Privacy Commissioner concluded that the HKPD had adequate policies in place at the time (after having suffered earlier leaks), and the police officer had undergone four training sessions on privacy and data security but had not followed procedure. Under the circumstances, the Privacy Commissioner recommended strengthening the culture of privacy and data protection but did not make specific recommendations or impose requirements. You can read the Privacy Commissioner’s report here (pdf).
The second investigative report summarizes five investigations into 11 data breaches reported between October 2011 and January 2013 that involved the loss of police officers’ notebooks and copies of Fixed Penalty Tickets. The 11 incidents – all involving different officers – involved the personal information of 285 witnesses, suspects, and crime victims. In many cases, their Hong Kong ID number was involved. Unlike undertakings by the U.K. Information Commissioner’s Office, investigative reports by the Hong Kong Privacy Commissioner contain a lot of details about each incident.
The HKPD did not fare as well in the second investigative report as they did in the first, and the Privacy Commissioner imposed five requirements to improve data protection supervision and monitoring. He also recommended a review of officers’ equipment and uniforms as it appears some notebooks were lost when they fell out of pockets or equipment. You can read the full investigative report here (pdf).