Compliance Actions
Compliance Checks

A compliance check is undertaken when the Commissioner identifies a practice in an organization that appears to be inconsistent with the requirements of the Ordinance. In these circumstances, the Commissioner alerts the organization in writing, pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial action.

In many cases, the organization takes immediate action to correct the suspected breach. In some instances, advice is sought from the Commissioner on the measures that should be taken to prevent further breaches. In other cases, the Commissioner investigates the matter and takes action to ensure compliance with the Ordinance; this might include, for example, issuing an enforcement notice directing the organization to remedy the situation.

During the reporting year, the Commissioner carried out 81 compliance checks in total in relation to alleged practices of data users that might be inconsistent with the requirements of the Ordinance. The majority of the compliance checks (61) occurred in the private sector. The remaining 20 related to government departments and statutory bodies. The following examples highlight some of the compliance checks undertaken during the year.
Example: Sensitive personal data were accessible by the public via the website of a government department
On 1 April 2007, the media reported that sensitive personal data belonging to people filing objections to trademark applications were found to be accessible by the public via the website of a government department. The personal data involved in the incident included unedited copies of passports.

The Commissioner takes the view that the disclosure of an individual's personal data to the public without the individual's consent is in itself an invasion of his/her privacy. The fact that a particular type of personal data is passively collected through a website does not mean that the personal data should automatically be published on the Internet.

After a preliminary inquiry, the Commissioner found that although the government department had a statutory duty to make certain documents collected by it available for online inspection, it should not allow uncontrolled access by Internet users to personal data contained in those documents.

The government department fully accepted the Commissioner's finding and undertook in writing that it would take all practicable steps to remedy the situation and comply with the requirements of the Ordinance. On 17 April 2007, the Commissioner issued a written warning to the government department.
Example: A political party asked its members to provide personal data of residents in return for a financial subsidy
A compliance check against a political party (the "Party") commenced after local newspapers reported that the Party had asked each of its district council members to provide the Party with the personal data of not less than 300 residents in return for a financial subsidy.

After a preliminary inquiry, the Commissioner found that the Party, which collects and processes large quantities of personal data, did not have any privacy policy or guidelines in relation to the personal data held by it. Under Data Protection Principle 5, data users are required to provide for openness about their policies and practices in relation to personal data, the kinds of personal data they hold and the main purposes for which personal data are or are to be used.

In response to the inquiry, the Party undertook in writing that it would comply with the requirements of the Ordinance by formulating a privacy policy statement. On 20 June 2007, the Commissioner issued a written warning to the Party. In compliance with the terms of the undertaking, the Party issued a privacy policy statement in September 2007 and provided the Commissioner with a copy of it.
Example: A university leaked personal data via the Internet
This case concerns an Internet leak of personal data reported by the mass media on 31 July 2007 in relation to 68 individuals who had applied for a study program offered by a university. The leaked data included the applicants' names, addresses, identity card numbers and employment/education backgrounds.

A compliance check was carried out against the university. The check revealed that the personal data of the 68 individuals were "inadvertently" transferred to a public server by a staff member of the university, resulting in the data being accessible by the public on the Internet. To remedy the situation, the university took immediate action to remove the data from the Internet and undertook in writing that it would take all practicable steps to ensure that a similar incident would not continue or recur.

Taking into account the sensitivity of the data, the Commissioner considers that the university failed to take all practicable steps to protect the personal data held by it against unauthorized or accidental access, and administered a written warning to the university on 29 October 2007.
Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.