PCPD - The Director of Immigration Department signed formal undertaking

1.   The Director of Immigration, Mr. Simon Yun-lu Peh, today signed a formal undertaking with the Privacy Commissioner for Personal Data, Mr. Roderick B Woo to step up measures on data security of the personal data held by the Immigration Department in compliance with the Personal Data (Privacy) Ordinance. Mr. Woo is pleased with the prompt action taken by Mr. Peh and the determination and commitment demonstrated by such action. He is satisfied with the terms of the undertaking which reflect the recommendations made by him to the Department.

2.   It was reported in the newspapers on 8 May 2008 that some sensitive personal data contained in documents apparently belonging to the Immigration Department were leaked on the internet through a file-sharing software called "FOXY". The personal data consisted of 27 document files comprising internal memos, file minutes and other documents, some marked "confidential", containing the names, dates of birth, and identification document types and numbers of eleven visitors / foreigners and three Hong Kong residents, as well as the names, ranks and post titles of certain immigration officers.

3.   Both Mr. Peh and Mr. Woo were seriously concerned with the incident. They had a telephone discussion the same morning when Mr. Peh confirmed that he had already made arrangements for the removal of the data to stop the accessibility online by using the FOXY software.

4.   That afternoon, the Deputy Director and an Assistant Director of Immigration met with the Privacy Commissioner's investigation officers to assist the latter with their enquiries.

5.   The Immigration Department fully co-operated with the Privacy Commissioner's officers and provided them with copies of relevant information and materials. The immigration officers involved also gave detailed statements of the circumstances leading to the leakage of the data.

6.   The Immigration Department acknowledged that the leakage was due to the inadvertence of the relevant staff in collecting and saving the softcopies of the document files as templates of sample case documents for self-study and future use in a personal computer at home, which had installed the "FOXY" programme.

7.    "The Immigration Department has always been conscious of the importance of data protection and maintains a system which has a high standard of security. Nonetheless I agree that certain measures, if taken, can improve the existing security in relation to our management of personal data. We appreciate the positive suggestions made by the Privacy Commissioner in this matter. We trust that the steps which I have undertaken to adopt will further enhance the existing personal data protection system," Mr. Peh said.

8.    "The incident was caused by failure of the staff concerned to handle personal data with care. Having considered the circumstances of the case and that the Immigration Department has undertaken to enhance its data security, I have decided not to take any further action but will monitor the proper compliance of the Undertaking," Mr. Woo said.

9.   In summary, the Immigration Department undertakes :-

(a)   To prohibit the collection or retention of office documents as templates or sample case documents for future use by all staff unless the identifying particulars of individuals contained therein (if any) have been removed.

(b)   To require all staff to erase all identifying particulars of individuals (if any) from any such templates or sample case documents kept by them (if any) and confirm in writing that they do not currently hold any such templates or sample case documents that contain identifying particulars of individuals.

(c)   To categorize all office documents containing personal data in both paper and electronic forms, according to the sensitivity of the data, into classes ranging from absolute prohibition of photocopying or storing on portable electronic devices to data that can be taken or copied for use outside the office premises.

(d)   To prohibit the taking or copying of any such data for use outside office premises, unless permitted by officers of specified ranks.

(e)   To prohibit any further use or copying of the data referred to paragraph (d) above unless permitted by an authorizing officer.

(f)   To specify the measures that are required to be taken by the staff member concerned to protect such data when they are outside the office premises (e.g. personal data in electronic form must be encrypted).

(g)   To require the prompt return or permanent erasure of such data when their purpose of use has been fulfilled.

(h)   To maintain clear and detailed records in respect of the taking or copying of such data for use outside the office premises.

(i)   To give clear instructions to staff in relation to the implementation of the above requirements or measures.

(j)   To take all reasonably practicable steps to ensure compliance by staff with those instructions through proper training, guidance and supervision (to be followed by disciplinary actions if appropriate).