Date: 29 December 2022
Privacy Commissioner’s Office Publishes an Investigation Report on Two Personal Data Breach Incidents of the Registration and Electoral Office
On completion of its investigations into two personal data breach incidents of the Registration and Electoral Office (the REO), the Office of the Privacy Commissioner for Personal Data published an investigation report today.
Investigation Case (1): A staff member of the REO wrongly dispatched files containing the data of electors by email to an unknown recipient
Incident (1) occurred during the period when the fifth wave of COVID-19 ran rampant. At that time, the REO put in place special work-from-home arrangements by dividing staff into different teams to work at home alternately to reduce social contact. The clerical officer involved in the incident (the Clerical Officer) was arranged to work from home on certain days.
At around 7 p.m. on 23 March 2022, the Clerical Officer planned to send two Excel files which contained the particulars of about 15,000 electors (including their Chinese and English names and residential addresses) (the Two Excel Files) to her personal email account to facilitate her work from home on the next day. However, the Clerical Officer inputted an incorrect email address so that the Two Excel Files were sent to an unknown recipient. The Clerical Officer only realised the mistake when she noticed that the email did not reach her personal email account after some 10 minutes. She then reported the situation to the Assistant Electoral Officer.
According to the evidence obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner) considers that the following reasons had led to the occurrence of Incident (1):
1. Failure of the staff of the REO to comply with the guidelines issued by the Office on information technology security;
2. Inadequate awareness of data protection on the part of the staff of the REO; and
3. Inadequate information security measures of the REO.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, considers that the incident mainly involved human errors. The data breach incident stemmed from the negligence and lack of awareness on data protection of an individual staff member, which led to the contravention of the relevant guidelines of the REO on information technology security, which provided that “[staff should] only use the email system of the REO for transmission of classified information through email” and “[staff should not] use personal email accounts for official duties or for transmitting classified information or personal data”. Simply to facilitate her work at home, the staff member concerned sent an email which contained a huge amount of personal data of electors to an incorrect email address outside the REO’s email system with neither thorough consideration of the security risks involved nor careful checking of the email address of the recipient. On the other hand, the Privacy Commissioner also finds that the REO had not put in place appropriate information security measures prior to the incident, which allowed staff to use its email system to freely send files which contained personal data to personal email addresses outside the email system of the REO. This was another root cause for the incident.
Investigation Case (2): The REO wrongly attached a reply slip submitted by an Election Committee (EC) member to a test email
Incident (2) occurred in the preparatory stage for the 2022 Chief Executive Election (the Election). To prepare for the Election, the REO planned to issue test SMS and/or email messages on 27 April 2022 to EC members and/or their assistants who had provided their mobile phone numbers and/or email addresses to ensure that they could receive information related to the Election.
Upon the REO’s receipt of the reply slips, which contained the contact information provided by EC members and their assistants, the information in the reply slips, which related to about 1,800 EC members and their assistants, would be manually inputted onto a computer list (the Master List). However, inaccuracies in the Master List were spotted despite multiple rounds of checking. On the scheduled date of dispatch of the test emails (i.e. 27 April 2022), the Senior Project Officer (the SPO), who was assigned to oversee the task of issuing the test emails (and SMS), therefore instructed staff members to check the email addresses and issue the test emails in batches.
To facilitate checking, the Executive Assistants responsible for issuing the test emails would split their computer screens into two halves, with the left-hand side showing the draft test emails and the right-hand side showing the electronic copies of the reply slips. The Executive Assistants would use the up and down arrow keys on the keyboard to select the corresponding reply slips (shown in a preview window) and check them against the email addresses inputted into the ‘bcc’ fields of the draft test emails one by one. Thereafter, an Electoral Officer and the SPO would conduct the second and third checks respectively, using the Executive Assistants’ computers. The Executive Assistants would only issue the relevant emails by pressing the “Send” button after the SPO had cross-checked the email addresses against the electronic copies of the reply slips and confirmed the contents of the test emails to be accurate.
To speed up the process, the SPO instructed that the second checking be removed starting from the fourth batch of test emails. In the morning of 28 April 2022, it was discovered in the course of reviewing the issued test emails that an email sent to 38 EC members and 26 assistants at 4:42 a.m. had a reply slip containing the personal data of an EC member and his assistant wrongly attached to it. The personal data concerned were the names, email addresses and phone numbers of the EC member and his assistant, and the signature of the EC member.
According to the evidence obtained during the investigation, the Privacy Commissioner considers that the following reasons had led to the occurrence of Incident (2):
1. Negligence and inadequate awareness of data protection on the part of the staff of the REO;
2. Deficiencies in the work process of the REO; and
3. Absence of written procedures for the relevant work.
The Privacy Commissioner considers that the incident was mainly caused by human errors. The incident stemmed from the negligence and lack of awareness of data protection on the part of the relevant staff and deficiencies in the REO’s relevant workflow. In the present case, the inaccuracies in the Master List apparently led to a sudden change in the workflow and last-minute cross-checking of the email addresses in the draft test emails against the reply slips by staff well after midnight. The Privacy Commissioner considers that if the REO had had a proper workflow in place to ensure that the Master List was promptly and accurately prepared, the staff members involved would not have had to conduct last-minute manual checking under tight time constraints or use an unreliable method to conduct the checking. Meanwhile, if the staff members involved had been more cautious in the checking process, the incident could have been avoided.
In addition, the REO did not have any written procedures in relation to the mechanism of sending test emails, thus increasing the risks of human errors and non-compliance with the necessary steps. The Privacy Commissioner understands that staff of the REO were working under huge pressure in conducting last-minute checks. However, the lack of written procedures inevitably increased the risks of human errors, especially when the staff concerned needed to work for prolonged hours and the removal of the second checking to expedite the whole process undermined the effectiveness of the original three-tier checking mechanism.
Overall, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, considers that, “The two incidents revealed that the Registration and Electoral Office had not taken all practicable steps to ensure that personal data was protected from unauthorised or accidental access, processing, erasure, loss or use. I therefore find that the Registration and Electoral Office had contravened DPP4(1) concerning the security of personal data under the Personal Data (Privacy) Ordinance.”
The Privacy Commissioner has served two Enforcement Notices on the REO directing it to remedy and prevent recurrence of the contravention. The Privacy Commissioner requested the REO to implement technological security measures to monitor the use of its email system, review and improve the workflow of collecting personal data from EC members and issuing bulk emails which contain personal data, as well as strengthen training in respect of information security and the protection of personal data.
Incidentally, the Privacy Commissioner is pleased to note that the REO has striven to learn from the incidents. After the occurrence of the two incidents, the Registration and Electoral Office has enhanced security measures and reviewed the relevant workflow of personal data handling to strengthen the protection of personal data privacy.
Through the report, the Privacy Commissioner wishes to make the following recommendations to organisations which possess a huge amount of personal data:
· Thoroughly implement a Personal Data Privacy Management Programme;
· Conduct privacy risk assessments and formulate specific guidelines for non-routine work;
· Devise effective education and training plans on personal data security; and
· Deploy information security measures to mitigate the risk of human errors.
Download “Investigation Report: Two Personal Data Breach Incidents of the Registration and Electoral Office”: