Privacy Commissioner releases the IPCC investigation report

Date: 26 October 2006

The Privacy Commissioner for Personal Data (the Commissioner) Mr. Roderick B. Woo published today a report (the Report) on the result of an investigation of the leakage on the Internet of personal data relating to complaints made against the Police by the public.

Background

The incident was first reported in a local newspaper on 10 March 2006.  Personal data of about 20,000 people who had made complaints to the Police held by the Independent Police Complaints Council (IPCC) were posted on the Internet and became accessible by the public.  The Commissioner immediately carried out a self-initiated investigation on 15 March 2006.  After commencement of the investigation, the Commissioner received a total of 55 complaints made against the IPCC.  The investigation was carried out by way of visits to the IPCC office, visits to the Complaints Against Police Office, interviews of the persons concerned and the taking of statements, examination of documentary records and written representations from the relevant parties as well as oral examination of persons summoned under section 44 of the Personal Data (Privacy) Ordinance (the Ordinance).

The Report provides an account of the system of managing complaints against the Police; the IPCC’s information technology system, security and privacy policies; events leading to the leakage on the Internet; and the Commissioner’s findings and recommendations.

The Commissioner’s Findings

In his Report, the Commissioner found that the IPCC had contravened the requirements of Data Protection Principle (DPP) 4 of Schedule 1 to the Ordinance.  DPP4 provides that a data user shall take all reasonably practicable steps to ensure that personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use.  It requires a data user to implement security safeguards and precautions in relation to the personal data in its possession, the level of which should reflect the sensitivity of the data and the seriousness of the potential harm that may result from a security breach.

The basis of the Commissioner’s findings was that the IPCC had failed to take:-

(i)    any steps to prevent the data from being released to the outsourced IT contractor without due consideration of the necessity of doing so;

(ii)    any precautionary measures to safeguard the data that had been released to the outsourced contractor; and

(iii)    any practicable steps to ensure the integrity, prudence and competence of persons having access to the data, resulting in the leakage of the data on the Internet.

Enforcement Notice

In the exercise of his power under section 50 of the Ordinance, the Commissioner issued an Enforcement Notice to the IPCC on 18 September 2006 directing it to do the following by 16 October 2006:

1.    Devise the necessary policy and practical guidelines for the proper handling and protection of the complaint data when dealing with an outsourced contractor or agent;

2.    Implement effective measures to ensure compliance by its staff with those policy and guidelines; and

3.     Review the existing outsourcing contracts and endeavor to incorporate into those contracts terms in respect of measures required to be taken by the contractors to protect the complaint data handed to them by the IPCC.

IPCC’s Position

The Commissioner received the IPCC’s Position Statement on 5 October 2006.  

In its Position Statement, the IPCC seeks to challenge the Commissioner’s findings and the Enforcement Notice broadly on the following grounds:-

(a)    That the Council members of the IPCC are not data user(s) within the meaning of the Ordinance;

(b)    That the individual Council members of the IPCC (including those who have left during the relevant period) have not been given a chance to be heard;

(c)    That the Enforcement Notice seeks to place a burden on the Council members of the IPCC who are not involved in the running of the IPCC secretariat, which is a government body.

At the request of the IPCC, the Commissioner is also publishing the IPCC’s Position Statement together with this press release.

The Commissioner’s Response

The Commissioner disagrees with the IPCC in respect of the aforementioned grounds and considers that it is in the public interest to respond to them.

The Commissioner regards the IPCC as the relevant “data user” in this incident.  The IPCC, comprising the individual Council members plus the secretariat (which provides the necessary administrative support), has control over the use of the complaint data in accordance with the IPCC’s own terms of reference, i.e. to review the handling by the Police of complaints by the public and to keep under review statistics of the types of complaints made by the public, etc.  The IPCC therefore falls squarely within the definition of “data user” under the Ordinance, being “any person who either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data”.  At no stage during the investigation did the IPCC deny that it was the relevant data user.  The Commissioner finds no room for an argument that the IPCC is not a data user in relation to the complaint data.

During the course of the investigation, the Commissioner provided ample opportunity to the IPCC to respond to the complaints and to make such representations as it wished to make.  Correspondence was addressed to the Chairman of the IPCC, and responses and representations were received from the IPCC signed by the Secretary of the IPCC on behalf of the IPCC and copied to the Chairman of the IPCC.  In addition, the IPCC has been afforded the opportunity of putting forward its representations in the form of its Position Statement.

In its Position Statement, the IPCC argued that the Council members are separate and distinct from the secretariat.  The available evidence shows that the secretariat exists solely to assist the Council members in discharging their role and functions.  The secretariat is not an independent government body.  Orders and directives from the Council members are carried out by the secretariat.  In any case, the relevant computer program contracts were entered into in the name of the IPCC, not the secretariat as an independent government body.  At no stage during the investigation did the IPCC state that the Council members were separate and distinct from the secretariat.  The Commissioner finds no merit in the IPCC’s argument.

Having said that, the Commissioner’s finding in this unfortunate incident should not cast a slur on the reputation of individual Council members of the IPCC.  Throughout the development of Hong Kong, civic-minded citizens have volunteered to help in different areas of human activity by serving as members of committees and councils.  They give freely of their time and effort for the betterment of the community.  Individual Council members of the IPCC are good examples.  They operate under conditions which could be better regulated by law.  Mr. Woo said: “I hear that the Government has plans to introduce legislation to make the IPCC an independently operated statutory body.  I hope the fact that the IPCC will continue to handle sensitive personal data will be given due consideration.”

Compliance with the Enforcement Notice

The Commissioner is pleased to note that on 16 October 2006 the IPCC complied fully with the Enforcement Notice.

Learning from this incident

Mr. Woo said: “Learning from this unfortunate incident, data users should be highly alert when handling sensitive or large quantities of personal data, particularly if they are in electronic form.  In the event that they are asked to release a database containing personal data to an outsourced contractor or agent, precautionary measures should be taken to prevent data leakage.”

The lesson to be learned here is not an apportioning of blame but what can be done to prevent a similar recurrence.  My office is doing what it can within our limited legal power and even more limited resources to campaign for compliance with the Ordinance.

Campaign to promote compliance

In an effort to prevent the recurrence of similar incidents, the Commissioner has initiated a campaign to promote satisfactory compliance with the provisions of the Ordinance.  Opportunities will be given to both the private and public sectors to acquire the necessary knowledge.

For the private sector, the Commissioner has launched an informational campaign titled “Information Security Enhancement Campaign” jointly with three major IT professional associations and institutions.  As part of the Campaign, an information booklet, titled “Recommended Procedures for IT Practitioners on Personal Data Handling”, is published today providing guidance for IT professionals across all sectors.  The booklet outlines the procedures to be followed in the collection and processing of personal data by IT contractors or sub-contractors.  Seminars and workshops will also be held to provide in-depth training to ensure effective implementation of the recommended procedures.  With a view to encouraging organizations to incorporate data privacy protection as one of the core elements of corporate governance, the Commissioner’s Office also plans to provide guidance to the managerial level in the future.

For the public sector, the Commissioner recommends that all government departments include the subject of data protection in their regular staff-training programmes.  In addition, the Commissioner’s Office has jointly organized seminars with the Home Affairs Bureau on compliance with the Ordinance.  Attendees will include officials from various government departments.

Copies of the Report and the Booklet are available from the Commissioner’s Office at 12/F., 248 Queen’s Road East, Wan Chai, Hong Kong.  They are also available for download from the website of the Commissioner's Office (http://www.pcpd.org.hk/english/publications/invest_report.html).
