Table of Contents Table of Contents
Previous Page  114 / 192 Next Page
Show Menu
Previous Page 114 / 192 Next Page
Page Background

• specifying the measures to be taken by staff to protect personal data used outside

office premises, e.g. encryption of personal data stored in electronic form and the

prompt return and erasure of the personal data after use; and

• providing proper training, guidance and supervision to the staff.


Another similar incident was reported in March 2009.


According to the police, some

police officers had used their personal computers to prepare police reports but

unfortunately the reports stored in their computers were leaked through Foxy to other

internet users. To prevent the recurrence of similar incidents, the police agreed to take

remedial action including the setting up of a working group to identify information

security risk factors; informing the Commissioner and the affected subjects of all data

breach incidents; instructing all information systems security managers to conduct

checks and inspections on all police terminals; reviewing police policies and relevant

manuals on information security and data protection; exploring technical solutions to

guard against data leakage; carrying out periodic sanitisation and inspection of all

police common terminals to remove unauthorised data, etc.


However, despite such remedial action, further breaches by the police were discovered

and reported by the media in August 2011 and September 2012, which again involved

the leakage of personal data on the internet through Foxy. As a result, the Commissioner

conducted an investigation in October 2012.


Even though human error was found to

be the direct cause of the relevant data leakage, the Commissioner pointed out the

importance for organisations to institute comprehensive internal training and awareness

programmes for their staff. Data users must be prepared for the initiative that the

Commissioner will readily take to examine whether effective measures have been

adopted to minimise human error.


In another investigation


conducted against the police, the loss of police notebooks

and fixed penalty tickets containing the personal data of 285 individuals including

victims of crimes, witnesses and suspects was involved. It was also found that the

incidents not only involved negligence or carelessness on the part of the police officers

concerned, but also gross insufficiency in the operational procedures of the police and

notable deficiencies in their supervision and monitoring systems. The Commissioner

concluded that the police had contravened DPP4 and served an enforcement notice

on the police requiring them to adopt various measures to establish supplementary

security procedures to prevent leaks and to tighten supervision. The police were further

advised to undertake a general review of their equipment and uniform used for holding

or conveying police documents, and to step up their training, incentive and disciplinary

programmes to promote compliance with the police’s policies and procedures in

relation to privacy and data protection.


See media statement issued by the Commissioner on 9 March 2009, available on the Website:


See Investigation Report No. R13-15218, available on the Website:


See investigation Report No. R13-0407, available on the Website: