(24 October 2013) The Office of the Privacy Commissioner for Personal Data ("PCPD") has served an Enforcement Notice on the Hong Kong Police Force ("HKPF") following its breach of the Personal Data (Privacy) Ordinance ("Ordinance") relating to protection of personal data against accidental loss in two incidents which involved loss of a police notebook [1] ("notebook") and loss of a fixed penalty ticket [2] ("FPT") respectively.
2. Mr Allan Chiang, the Privacy Commissioner for Personal Data ("Commissioner") remarked at the press briefing today that "the potential harm to individuals from the misuse of their personal data, whether accidentally lost, leaked or purposely stolen, could be significant." In accordance with Data Protection Principle 4 ("DPP4") under the Ordinance, data users are obliged to take all reasonably practicable steps to ensure personal data is protected against unauthorised or accidental access, loss or use.
3. During the period from October 2011 to January 2013, 11 data breach incidents came to the Commissioner's notice concerning the loss of notebooks and copies of FPTs by different police officers. The lost items contained the personal data of a total of 285 persons, including crime victims, witnesses and suspects.
4. Details of the 11 data breach incidents are summarised as follows:-
| Incident No. | Date of the incident | Nature of item lost | Number of items lost | Number of data subjects affected | Personal data concerned |
|---|---|---|---|---|---|
| Notebook | | | | | |
| 1 | 30/10/2012 | Notebook | 17 | 41 | Name, address and HKID Card No. |
| 2 | 11/11/2012 | Notebook | 1 | 2 | - Ditto - |
| 3 | 12/12/2012 | Notebook | 1 | 130 | HKID Card No. |
| 4 | 31/12/2012 | Notebook | 1 | 60 | Name, HKID Card No. and DOB |
| 5 | 26/1/2013 | Notebook | 1 | 29 | - Ditto - |
| FPT / FPT booklet | | | | | |
| 6 | 26/10/2011 | FPT copy | 1 | 1 | Vehicle No., surname and driving licence / HKID Card No. |
| 7 | 14/9/2012 | FPT booklet | 1 | 2 | - Ditto - |
| 8 | 19/10/2012 | FPT booklet | 1 | 5 | - Ditto - |
| 9 | 21/10/2012 | FPT booklet | 1 | 4 | - Ditto - |
| 10 | 15/1/2013 | FPT booklet | 1 | 10 | - Ditto - |
| 11 | 21/1/2013 | FPT copy | 1 | 1 | - Ditto - |
5. The HKPF has failed to take all reasonably practicable steps, including putting in place a set of comprehensive procedures and ensuring the effective implementation of its supervision and monitoring system, to safeguard the security of police documents containing personal data. The incidents also revealed the need to review the design of police equipment and uniform, as well as a general lack of awareness of the security risks associated with personal data among the officers concerned.
Policies and Procedures
6. The HKPF has in place the Police General Orders, which state that the HKPF respects personal data privacy and is committed to complying with the requirements of the Ordinance. Despite this general policy, the investigation revealed gross insufficiency in the underlying operational procedures.
7. A notable example is Incident 1, where a police officer on his way to work lost 17 notebooks on a bus. An officer is supposed to return his used notebook when he requests a new one, but this officer was able to retain 17 used notebooks, some of which had been issued more than five years earlier.
8. The major deficiencies identified in Incident 1 are:-
(a) The officer was able to retain 15 of the 17 notebooks simply by quoting police case numbers, as if the notebooks were required for continued handling of the related police cases (retention by a court as an exhibit, preparation of a witness statement, preparation for a court hearing, etc.). There was apparently no mechanism to verify whether the reason claimed by a notebook holder for retaining a used notebook was true. There was no requirement for anyone to query the notebook holder's explanation by, for example, checking with the notebook holder's supervisor. In Incident 1, none of the case numbers quoted by the officer concerned supported the retention of the notebooks.
(b) The officer responsible for issuing notebooks is obliged not to accept the return of a used notebook unless it is endorsed by the supervising officer of the notebook holder. However, there is no rule which requires him or anyone else to follow up on the subsequent return of an unendorsed notebook. This procedural gap in effect permitted the police officer in Incident 1 to retain one notebook for over five years.
(c) A Chief Inspector is charged with the responsibility to carry out monthly checks on the notebook issue and receipt records to ensure compliance with prevailing police orders. Despite his endorsement on the records, the Chief Inspector involved in Incident 1 had failed to identify that 17 notebooks were retained by the same police officer for as long as over five years. This unacceptable failure highlights the need for the formulation of a checklist for the Chief Inspector to follow in the monthly inspection.
Supervision and Monitoring
9. Supervision and monitoring are important to ensure that laid down procedures are implemented. The police incidents, however, clearly demonstrated that the HKPF's oversight system has been far from effective.
10. Notable deficiencies identified in Incident 1 are as follows:-
(a) There is a designated officer for carrying out bi-annual checks on the return of notebooks, and drawing the attention of the supervising officer to any overdue items. The Chief Inspector conducts monthly checks on the notebook issue and receipt records. Both failed to spot any of the numerous irregularities involved in Incident 1, including the retention of one notebook without any reason recorded.
(b) As the notebook issue and on-loan records are maintained in paper form, one has to manually go through all such documents kept in a police formation in order to find out the total number of notebooks retained by a particular officer at any one time. This is not conducive to prompt identification of compliance problems. An effective system, achievable by computerisation, should give a timely alert of all outstanding issues when an officer requests the issue of a new notebook or when a supervising officer initiates a check.
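The following is an added example, not part of the PCPD's report or of any HKPF system, of what the computerised register described in paragraphs 8 and 10 could look like: a retention claim is checked against the cases that genuinely justify it and against a supervisor's verification, an unendorsed return stays visible until it is followed up, and every outstanding item for an officer is listed automatically both when a new notebook is requested and when a supervisor starts a check. The field names, the 180-day re-verification threshold, the case numbers and the sample records are all assumptions constructed for the example.

```python
"""Computerised notebook register (added illustration; assumptions throughout).

Alerts on outstanding notebooks are raised at issue time and at supervisory
checks, so a holder with unresolved items is found without leafing through
paper records.  Field names, threshold and sample records are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RE_VERIFY_AFTER = timedelta(days=180)  # assumed: one bi-annual check cycle


@dataclass
class Notebook:
    serial: str
    holder: str
    issued_on: date
    returned_on: Optional[date] = None
    endorsed_by: Optional[str] = None            # supervisor endorsing the return
    retention_case: Optional[str] = None         # case number quoted to keep it
    retention_verified_by: Optional[str] = None  # supervisor who checked that claim


class Register:
    def __init__(self, open_cases):
        # Assumed: the register can look up which case numbers genuinely need a
        # notebook kept (court exhibit, statement preparation, pending hearing).
        self.open_cases = set(open_cases)
        self.books: dict[str, Notebook] = {}

    def alerts_for(self, holder: str, today: date, at_issue: bool = False) -> list[str]:
        """Unresolved items for one holder (empty list means compliant).

        The notebook in everyday use is exempt, except at issue time, when every
        earlier book must have been returned or be properly retained."""
        held = [b for b in self.books.values()
                if b.holder == holder and b.returned_on is None]
        current = None if at_issue or not held else max(held, key=lambda b: b.issued_on)
        alerts = []
        for b in self.books.values():
            if b.holder != holder or b is current:
                continue
            if b.returned_on is not None:
                if b.endorsed_by is None:   # returned, but nobody signed it off
                    alerts.append(f"{b.serial}: returned {b.returned_on} without endorsement")
            elif b.retention_case is None:
                alerts.append(f"{b.serial}: outstanding since {b.issued_on}, no reason recorded")
            elif b.retention_case not in self.open_cases:
                alerts.append(f"{b.serial}: case {b.retention_case} does not justify retention")
            elif b.retention_verified_by is None:
                alerts.append(f"{b.serial}: retention claim not verified by a supervisor")
            elif today - b.issued_on > RE_VERIFY_AFTER:
                days = (today - b.issued_on).days
                alerts.append(f"{b.serial}: retained {days} days, re-verify at bi-annual check")
        return alerts

    def request_issue(self, serial: str, holder: str, today: date) -> list[str]:
        """Issue a new notebook only when nothing is outstanding.
        Returns the alerts that blocked the issue (empty on success)."""
        alerts = self.alerts_for(holder, today, at_issue=True)
        if not alerts:
            self.books[serial] = Notebook(serial, holder, today)
        return alerts

    def return_book(self, serial: str, today: date, endorsed_by: Optional[str] = None):
        # An unendorsed return is recorded rather than rejected, so it shows up
        # in every later check instead of vanishing from the paper trail.
        self.books[serial].returned_on = today
        self.books[serial].endorsed_by = endorsed_by

    def claim_retention(self, serial: str, case_no: str, verified_by: Optional[str] = None):
        self.books[serial].retention_case = case_no
        self.books[serial].retention_verified_by = verified_by

    def supervisory_check(self, today: date) -> dict[str, list[str]]:
        """Checklist for the monthly or bi-annual inspection: holders with alerts."""
        holders = sorted({b.holder for b in self.books.values()})
        return {h: a for h in holders if (a := self.alerts_for(h, today))}


def build_sample_register() -> Register:
    """Constructed records loosely patterned on Incident 1; not real data."""
    reg = Register(open_cases={"CASE-2012-0451"})
    reg.books["NB-0001"] = Notebook("NB-0001", "PC-1", date(2007, 6, 1))   # no reason ever recorded
    reg.books["NB-0002"] = Notebook("NB-0002", "PC-1", date(2010, 3, 1))
    reg.claim_retention("NB-0002", "CASE-2009-0007")                        # closed case, unverified
    reg.books["NB-0003"] = Notebook("NB-0003", "PC-1", date(2012, 3, 1))
    reg.claim_retention("NB-0003", "CASE-2012-0451", verified_by="CIP-A")   # legitimate, but ageing
    reg.books["NB-0004"] = Notebook("NB-0004", "PC-1", date(2011, 1, 1))
    reg.return_book("NB-0004", date(2011, 9, 1))                            # returned unendorsed
    reg.books["NB-0005"] = Notebook("NB-0005", "PC-1", date(2012, 10, 1))  # book in daily use
    reg.books["NB-0101"] = Notebook("NB-0101", "PC-2", date(2012, 9, 1))   # compliant officer
    return reg


def demo(today: date = date(2012, 10, 30)) -> dict:
    reg = build_sample_register()
    refused_pc1 = reg.request_issue("NB-0006", "PC-1", today)  # blocked by five alerts
    refused_pc2 = reg.request_issue("NB-0102", "PC-2", today)  # blocked: current book not returned
    reg.return_book("NB-0101", today, endorsed_by="CIP-A")
    granted_pc2 = reg.request_issue("NB-0102", "PC-2", today)  # no alerts, issued
    return {"refused_pc1": refused_pc1, "refused_pc2": refused_pc2,
            "granted_pc2": granted_pc2, "check": reg.supervisory_check(today)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that the register refuses to issue rather than merely logging: the officer in the sample cannot obtain a sixth notebook until each earlier one is either returned with endorsement or covered by a retention claim that a supervisor has verified against a case that actually requires it, and the supervisory check lists the same items without anyone having to count paper slips.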
Equipment and Uniform
11. Equipment and uniform, when properly designed with their function of carrying police documents duly taken into account, should enhance the protection of such documents.
12. The PCPD has not inspected the equipment and uniform involved in the incidents and therefore cannot comment on whether there are deficiencies or areas where improvement in design is definitely required. However, the PCPD has noted the HKPF's explanation that in some cases the lost notebook was believed to have fallen out of the pocket of the jacket the officer was wearing, and in other cases the lost FPTs were believed to have fallen out of the pannier of the police motorcycle during transit.
Awareness of Privacy and Data Protection
13. A common theme of the irregularities identified in the incidents is negligence and carelessness on the part of the police staff involved. In most cases, they could not account clearly for the loss of the documents. Some of them forgot where they had last kept the documents, others could not be sure if the documents which should have been locked were indeed locked while one admitted he had not locked up the document as required. In the extreme case of Incident 1, the staff involved blatantly failed to observe the requirements of the police orders.
14. These problems seem to indicate a general lack of awareness and appreciation of the importance of privacy and data protection among some staff of the HKPF.
15. In view of the HKPF's deficiencies in its procedures in safeguarding the notebooks and FPTs identified in Incidents 1 and 11 and the notable deficiencies in its supervision and monitoring systems highlighted in Incident 1, the Commissioner concluded that the HKPF has contravened DPP4 in these two Incidents for failing to take all reasonably practicable steps to protect the personal data contained in these documents against accidental loss.
16. Accordingly, the Commissioner has served an enforcement notice on the HKPF directing it to (a) establish supplementary security procedures to plug the loopholes identified, and (b) tighten up its supervision.
17. All of the incidents, with the exception of Incident 11, involved negligence or carelessness on the part of the police officers concerned. The Commissioner accepts that human errors of this nature cannot be totally ruled out. As the requirement under DPP4 to safeguard personal data is not absolute and the data user's obligation is to take all reasonably practicable steps, the Commissioner considers that the police officers' failures in these incidents do not by themselves constitute a DPP4 contravention on the part of the HKPF. However, taking into account the very sensitive nature of the personal data involved and the frequent occurrence of these incidents, the matter has to be taken seriously.
18. In light of the findings of the investigation, the Commissioner advises the HKPF to undertake a general review of HKPF's equipment and uniform used for holding or conveying police documents in order to safeguard personal data from unauthorised access or accidental loss. The Commissioner further suggests that the HKPF should step up its training, incentive and disciplinary programmes to promote compliance with the HKPF's policies and procedures in relation to privacy and data protection.
19. In concluding the investigation, Mr Chiang remarked, "Organisations are advised to embrace data protection as part of their corporate governance responsibilities. They should have appropriate policies and procedures that promote good privacy and data protection practices. They should also ensure adequate oversight to check that security rules and procedures are fully implemented. The HKPF's deficiencies in security procedures and oversight, as revealed in this investigation, are regrettable. They represent a bad example which organisational data users should take due note of".
20. "Admittedly, many security breaches are simply the result of human error which cannot be totally eliminated. Recklessness or simple carelessness of a single employee can undermine sound privacy policies and robust security practices. This underlies the importance for organisations to institute comprehensive internal training and awareness programmes for their staff. To ensure an organisation-wide commitment, the building of a privacy-respectful and data-secure culture is imperative," Mr Chiang added.
Investigation Report: http://www.pcpd.org.hk/english/resources_centre/publications/files/R13_0407_e.pdf
- End -
[1] Notebooks are used by police officers to record all matters pertaining to the discharge of their duties and may contain the name, address, Hong Kong Identity Card Number ("HKID Card No."), date of birth ("DOB") and statements made by suspects or witnesses, etc. Notebooks can, at a later time, help police officers refresh their memory of events and particulars, including relevant statements made by persons connected with any case or incident.
[2] FPTs are used by police officers in connection with enforcement against traffic offences. In addition to the details of the traffic offence, the amount of the penalty and the vehicle number, an FPT may contain the surname and driving licence number / HKID Card No. of the offending driver.
Notes to Editors:
1. The PCPD is an independent statutory body set up to oversee the enforcement of the Personal Data (Privacy) Ordinance in Hong Kong.
2. Anyone who collects and uses (including discloses and transfers) personal data must comply with the six Data Protection Principles (DPPs) of the Ordinance, which make sure that personal data is:
3. Non-compliance with DPPs does not constitute a criminal offence directly. But the Privacy Commissioner may serve an Enforcement Notice to direct the data user concerned to remedy the contravention. Contravention of an Enforcement Notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment of up to 2 years.
4. If an enquiry /investigation finds prima facie evidence that an offence is involved, the Commissioner may refer the case to the police for criminal investigation or prosecution.