Open University’s loss of students and tutors’ data

1.    It was reported in the news today (13 March) that the Open University of Hong Kong (OUHK) had lost a USB flash drive which contained personal data of students and tutors of the OUHK.  In relation to this incident, the Commissioner is in the course of conducting a compliance check to find out whether or not OUHK had taken practicable security measures to protect the personal data held by it from unauthorized or accidental access.

2.    The Chairman of the OUHK Student Union was quoted in one of the news reports as saying that OUHK was “following” a guideline issued by the Office of the Privacy Commissioner for Personal Data in 1998 that did not cover the use of USB.

3.    To set the record straight, OUHK advised the Commissioner that it has been “following” a “University Code of Practice on Personal Data Privacy” which was first issued by OUHK in 1998 and revised in 2001.  However, the contents of the Code were not known to the Commissioner.

4.    The Commissioner wishes to draw the attention of all data users to Data Protection Principle 4 of the Personal Data (Privacy) Ordinance, which requires them to take all practicable steps to ensure that the personal data held by them are protected against unauthorized or accidental access, processing, erasure or other use.



END