(24 October 2013) An investigation conducted by the Office of the Privacy Commissioner for Personal Data ("PCPD") concluded that two data breach incidents caused by Foxy¹ were attributed to human error and did not constitute a contravention of the Personal Data (Privacy) Ordinance ("Ordinance") on the part of the data user, namely, the Hong Kong Police Force ("HKPF").
2. Mr Allan Chiang, Privacy Commissioner for Personal Data ("Commissioner") warned that "There is practically no effective recovery means once a data file is leaked through the Foxy network. Foxy users are advised to make sure that they understand how their version of Foxy works and configure it appropriately to protect their data files. As the company which developed Foxy has ceased business, persons who for some reasons still wish to download this software for use will have to resort to unofficial channels and thus run the risk of obtaining a copy which contains malware or one which may have been tampered with, rendering the extent of data sharing uncontrollable."
3. The PCPD received a complaint in August 2008 which alleged that the HKPF had leaked its documents containing personal data through Foxy. The then Commissioner investigated the complaint and concluded that the HKPF had contravened Data Protection Principle ("DPP") 4 of Schedule 1 to the Ordinance for failing to take practicable measures to protect the complainant's personal data against unauthorised or accidental access. An enforcement notice was served on the HKPF which led to the adoption in August 2009 of a series of improvement measures (the "2009 improvement measures") to safeguard personal data. These include configuring the USB ports of HKPF's computers to accept approved USB thumb drives only; formulation of information security instructions and guidelines; strengthening of security measures and support; and enhancement of the HKPF officers' knowledge of information security.
Incident 1
4. In August 2011, the media reported that numerous police documents containing personal data were searchable via Foxy by the general public. Almost all the documents in question were covered in the investigation in 2008 and 2009. The only exception is a reply slip containing the name and identity card number of an applicant for a position in the HKPF. It was found that the data leakage was caused by the Foxy installed in the computer of the applicant. The HKPF was not responsible in this case.
Incident 2
5. It was reported in the press in September 2012 that 210 copies of witness statements, HKPF's internal memoranda, forms and correspondence were leaked on the Internet via Foxy. The personal data involved were names, identity card numbers, addresses and details of the prosecution of some witnesses and arrested persons.
6. It was revealed that a police officer ("the Police Officer") had since 2007 occasionally used his private USB thumb drive to download documents to his own computer ("the Computer") and occasionally used the Computer for work purposes, all without the approval of the HKPF. However, the HKPF confirmed that it had not installed any file-sharing software including Foxy in its computer system. Also, the Police Officer stated that he had not used the Computer to connect to the Internet or allowed others to use the Computer, so leakage of documents stored in the Computer by Foxy was impossible.
7. The Police Officer sold the Computer in mid-2011. The HKPF considered that the leaked documents could have been recovered from the hard disk after sale of the Computer, and the data was leaked subsequently.
8. The data leakage in Incident 2 could be traced back to the period before August 2009 when the Police Officer arranged, without authority, the download of police documents onto his personal computer. Therefore, in keeping with the conclusion in the 2008-2009 investigation, the Commissioner is of the view that the HKPF at that time had not taken all practicable measures to prevent this misconduct from occurring. Hence, it had contravened DPP4.
9. Notwithstanding this finding, the Commissioner considers that the 2009 improvement measures are robust enough to promote staff's compliance with the requirement to safeguard personal data. The data leakage was caused by the acts and omissions attributable to the Police Officer, in contravention of the HKPF's standing instructions.
10. The Police Officer admitted that he knew the HKPF's security requirements. He had attended relevant training. Incident 2 could have been avoided if the Police Officer had complied with the laid down requirements, that is, before sale of the Computer, by handing the equipment to the department's Information Technology Security Officer for inspection, removing the hard disk and using approved software to delete the data.
11. The duty imposed on data users by DPP4 is that "all practicable steps shall be taken" to safeguard personal data. Data users' obligations are not absolute. They are not expected to prevent data leakages at all costs. The Police Officer's continued use of the Computer for work purposes without approval, and his failure to use approved software to erase all official materials before the sale of the Computer, was an isolated incident of human error which does not constitute another DPP4 contravention on the part of the HKPF. The Commissioner therefore sees no justification to serve an Enforcement Notice on the HKPF directing it to step up its efforts to safeguard personal data.
12. Given the importance and sensitivity of the personal data contained in the HKPF documents, the Commissioner urges the HKPF to go beyond fulfilling the minimum requirements of the Ordinance and strive for further means to safeguard data with a view to preventing recurrence of similar incidents.
13. Incident 2 revealed that despite the implementation of the 2009 improvement measures, the past use of USB thumb drives to store official data/documents and the continued unauthorised and improper use of personal computers for work purposes by individual police officers could still lead to leakage of police data (which might contain personal data) years later. As police officers who used their own computers and USB thumb drives could be subject to disciplinary action due to breach of the 2009 improvement measures, they may be tempted not to follow the orders but to use other means to fix the problem themselves.
14. In this regard, the Commissioner advises that the HKPF can adopt different formal or informal means to address the above dilemma. To be effective, these means must be designed to suit the operational nature and corporate culture of the HKPF. Therefore, the Commissioner can only provide general advice to the HKPF but cannot prescribe measures in concrete terms.
15. The Commissioner recommends that the HKPF (i) promote its "Personal Computer Cleaning" programme to help police officers check and delete the personal data/confidential data on their own computers, (ii) set up enquiry hotlines to offer assistance to police officers who wish to seek help on an anonymous basis, and (iii) promote case sharing and exchange of experience among police officers to enhance the awareness of personal data protection and the serious consequences that may ensue as a result of data leakages on the Internet.
16. In concluding the investigation, Mr Chiang remarked, "Data users are obliged to protect personal data by reasonable security safeguards against such risks as loss, unauthorised access, destruction, use, modification or disclosure of data. They should note that many security breaches are simply the result of human error. Recklessness or simple carelessness of a single employee can undermine sound privacy policies and robust security practices. This underlies the importance for organisations to institute comprehensive internal training and awareness programmes for their staff. To ensure an organisation-wide commitment, the building of a culture of privacy is imperative."
17. "Organisations collecting and managing personal data are always faced with data security risks, regardless of the form in which the data is retained. However, rapid advances in computing power, coupled with easy access to desk-top and mobile devices globally connected through the Internet, have increased the scale and volume of personal data flows, the ability to store data indefinitely and the associated risks of data breaches. Both data users and data subjects should be aware of the privacy pitfalls in the use of ICT. The risk associated with the use of Foxy software in this case is a good learning point," Mr Chiang added.
Investigation Report: http://www.pcpd.org.hk/english/resources_centre/publications/files/R13_15218_e.pdf
Leaflet: Smart Use of Computers and the Internet: www.pcpd.org.hk/english/resources_centre/publications/files/computer_wisely_e.pdf
- End -
¹ Foxy is a peer-to-peer file sharing software developed by a Taiwanese IT company. Users generally may not be aware that Foxy would run automatically each time a computer is switched on, causing files in the computer to be sharable for download by anyone else running Foxy. Users may not have an effective means to stop the sharing and have no way to know who has downloaded their files. More information is available from: www.cuhk.edu.hk/itsc/security/gpis/tipsfoxy.html
Notes to Editors:
1. The PCPD is an independent statutory body set up to oversee the enforcement of the Personal Data (Privacy) Ordinance in Hong Kong.
2. Anyone who collects and uses (including discloses and transfers) personal data must comply with the six Data Protection Principles (DPPs) of the Ordinance, which make sure that personal data is:
3. Non-compliance with DPPs does not constitute a criminal offence directly. But the Privacy Commissioner may serve an Enforcement Notice to direct the data user concerned to remedy the contravention. Contravention of an Enforcement Notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment of up to 2 years.
4. If an enquiry/investigation finds prima facie evidence that an offence is involved, the Commissioner may refer the case to the police for criminal investigation or prosecution.