The Privacy Commissioner met the Commissioner of Police on the series of online leakages of personal data via peer-to-peer application by the Hong Kong Police


1.    The Privacy Commissioner for Personal Data, Mr. Roderick B Woo (“the Privacy Commissioner”) today (7 December) paid a visit to the Commissioner of Police in order to gain a better understanding of the problem concerning the series of reported incidents of online data leakage through the file sharing software. Together they discussed the available options to strengthen the protection of personal data, including the control of access and use of personal data by police officers outside workplaces and the provision of secure IT environment for handling personal data.

2.    “Personal data collected by the Police in discharge of its law enforcement duties are often sensitive in nature as they may be associated with the investigation of crimes.  A high duty of care is expected of the Police in protecting the personal data privacy of individuals especially in connection with the information obtained from suspects or from witnesses to ensure that accidental or unauthorized access are minimized.  This is important not only in terms of protecting personal data privacy but also for the maintenance of the public’s confidence in the Police’s investigative process.” Mr. Woo said.

3.    Data Protection Principle 4 (DPP4) of Schedule 1 of the Personal Data (Privacy) Ordinance (“the Ordinance”) provides that a data user shall take practicable steps to ensure that personal data held by him are protected against unauthorized or accidental access, processing, erasure or other use having particular regard to any measures taken for ensuring the integrity, prudence and competence of persons having access to the data.

4.    The Commissioner of Police acknowledged that as at 4 December 2009, there have been a total of 28 personal data leakage incidents that were caused by some staff inadvertently saving copies of Police documents as templates for future use in personal computers at home, which had installed peer-to-peer application.  The leakage was not caused by hacking or the failure of the IT system of the Police.  He maintained that all practicable steps have been taken to ensure due protection of personal data in the hands of the Police.

5.    The Commissioner of Police added that there might be further online spread of these personal data but he maintained that it could be a manifestation of the leakages originated from previous online data security breaches.

6.    In the meantime, the Privacy Commissioner is satisfied that the Police has taken the following measures to mitigate the harm to the affected individuals and to prevent reoccurrence:

i)    the affected persons have been notified so that they can stay alert.
ii)    Investigation with 26 of the incidents have been completed.  A total of 21 police officers had been disciplined.
iii)    a sanitization exercise to rid all Police common terminals of classified and /or personal data was completed in July 2008. A second round sanitization exercise was carried out in February 2009 to further ensure compliance.
iv)    2,800 USB thumb drives with e-Cert encryption were introduced in February 2009 for all inspectorate officers or above for the secure storage and transmission of classified data.
v)    its staff have been reminded of the risk of using peer-to-peer applications and how such applications can be removed from their computers.  In addition, a series of seminars/workshops/briefings on information security had been conducted, in which the risk of peer-to-peer applications were identified.
vi)    internal cyber patrols are continuing its efforts to prevent reoccurrence of data leakage incident.

7.    The Privacy Commissioner is currently investigating into the series of cases of data leakage cases involving the Police and is focusing on the specific cause of leakage in each of these cases.  Mr. Woo said “I shall have to consider in due course whether to commence an inspection of the data security system run by the Hong Kong Police in relation to the handling of personal data by its officers outside their normal workplaces with a view to making recommendations to assist the Commissioner of Police to better comply with the requirements of the Ordinance and to reduce the likelihood of recurrence of these incidents.  The resources and manpower constraint may however affect my decision.”

8.    Members of the public who are affected by the data leakage may lodge complaints to the Office of the Privacy Commissioner for Personal Data (“the PCPD”) if they wish.  The PCPD will provide all necessary assistance to the complainants with regard to individual circumstances.  In addition, the Personal Data (Privacy) Ordinance provides that any person who suffers damage, including injury to feelings, from a contravention of the requirement under the Ordinance shall be entitled to compensation from the responsible data user.




END