Hong Kong’s EMSD Faces Privacy Commissioner’s Wrath Over Data Breach Affecting 17,000
HONG KONG, December 9, 2024 – The Office of the Privacy Commissioner for Personal Data (PCPD) has issued a scathing report detailing a significant data breach involving the Electrical and Mechanical Services Department (EMSD), impacting over 17,000 individuals. The breach, stemming from inadequate data handling practices during the pandemic’s compulsory testing program, has resulted in the EMSD being found in violation of the Personal Data (Privacy) Ordinance.
Data Breach Details and Personal Data Violations
The report reveals that between March and July 2022, the EMSD conducted 14 compulsory testing operations. During these operations, the department used an electronic form hosted on a cloud platform to collect personal data from individuals. This data included names, addresses, identity card numbers, and phone numbers, all of it highly sensitive personal information.
The critical flaw? The EMSD failed to implement adequate security measures.
As the Privacy Commissioner’s report highlights, “In April this year, the Privacy Commissioner received complaints from citizens who reported that their personal information could be accessed without requiring a username or password.”
This lapse in security directly violated the Personal Data (Privacy) Ordinance. The EMSD’s initial assumption that deactivating the account and letting the contract expire would automatically delete the data proved tragically incorrect. That mistaken assumption highlights a critical failure in understanding and implementing data protection best practices.
EMSD’s Failures and the Privacy Commissioner’s Response
Privacy Commissioner Ada Chung Lai-ling directly condemned the EMSD’s actions, stating that the department’s failure to establish written policies on data retention for personal information collected during compulsory testing was unacceptable. She further criticized the EMSD’s inaction, noting its failure to request data deletion from the contractor and its lack of proactive steps to ensure data removal.
“The department did not request the deletion of this data from the contractor, nor did it take proactive steps to delete the data or adequately follow up on its deletion—actions that clearly fell short of the requirements set forth in the Privacy Ordinance and failed to meet the public’s reasonable expectations,” Commissioner Chung stated.
The PCPD’s investigation uncovered four major deficiencies in the EMSD’s handling of personal data, directly leading to the conclusion that the department violated the Personal Data (Privacy) Ordinance. These deficiencies underscore a systemic failure to prioritize data security and comply with established regulations.
Enforcement Notice and Corrective Actions
In response to these serious violations, the Privacy Commissioner has issued an enforcement notice to the EMSD. This notice mandates the implementation of corrective measures to address the identified deficiencies and prevent future occurrences. The EMSD has been given a two-month deadline from the date of the enforcement notice to complete these corrective actions. Failure to comply could result in further penalties.
The Importance of Data Protection and Compliance
This incident serves as a stark reminder of the critical importance of robust data protection measures and strict adherence to regulations like the Personal Data (Privacy) Ordinance. The EMSD’s failure to protect the personal data of 17,000 individuals highlights the potential consequences of negligence and the need for organizations to prioritize data security and privacy.
The case underscores the need for comprehensive data protection policies, regular security audits, and employee training to ensure compliance and prevent future data breaches. The EMSD’s experience should serve as a cautionary tale for all organizations handling sensitive personal data in Hong Kong.