Loss of portable storage device containing personal data – DPP 4 – security of personal data
Background
A government department (the Department) reported to the PCPD that it had engaged a service contractor to assist in managing a community complex, and that a staff member of the service contractor had stored the reservation records on a USB storage device without authorisation. The device, which contained the names, contact numbers and names of employers of a few hundred applicants, was discovered to be missing the next day.
Remedial Measures
Upon receiving the data breach notification, the PCPD initiated a compliance check. In response to the incident, the Department implemented various measures to prevent the recurrence of similar incidents. These included replacing the computers provided by the service contractor with computers on which the use of USB ports is restricted and internet access is disabled; formulating a guideline for its contractors on safeguarding personal data, including advising them to avoid storing personal data on portable storage devices; and incorporating that guideline into future quotation and tender exercises to ensure the proper handling of personal data by contractors.
Lesson learnt
While portable storage devices offer a convenient means of storing and transferring data outside an organisation's systems, they are susceptible to data security incidents. Organisations should avoid using portable storage devices to store personal data wherever practicable. If their use is necessary, organisations should establish policies that set out the circumstances under which portable storage devices may be used, the types and amount of personal data that may be transferred, the approval process for their use, and similar controls. Organisations should also keep an inventory of portable storage devices, track their use and whereabouts, and securely erase the data on them after each use.
In addition, if an organisation engages a third-party data processor, it should adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the personal data transferred to the data processor for processing.
(Uploaded in October 2025)