Privacy Commissioner Probes into IPCC Data Leak
In view of the seriousness of the “complaint against the Independent
Police Complaints Council for the leak of personal data” (IPCC), the
Privacy Commissioner for Personal Data, Mr. Roderick Woo, had taken
immediate action to probe into the matter before any formal complaint
was received.
Having approached the IPCC to make enquiry into the matter on his own
initiative last Saturday, Mr. Woo today led senior officers of his
Office to meet with the Chairman, Vice-Chairman and the management of
the IPCC and obtained crucial facts of the matter in no time. Mr.
Woo said, “This unfortunate event has caused serious alarm and anxiety
in the community, particularly those affected by the disclosure.
In light of the sensitivity of the personal data involved, my Office
will exercise prudent judgment and respond promptly.”
“With the cooperation of the IPCC, we worked together to review its
current internal system in handling personal data so as to prevent
recurrence of similar events in future in a pragmatic manner,”
Mr. Woo said.
In accordance with Data Protection Principle (DPP) 1 of the Personal
Data (Privacy) Ordinance (the Ordinance), all personal data shall only
be collected for lawful purposes, in a lawful and fair manner in the
circumstances of the case. In addition, DPP3 provides that
personal data shall only be used for the purposes for which they were
originally collected or a directly related purpose. Information
contained in the IPCC database is for internal use only. Any
illegal collection or use of such information will be in breach of DPP1
and/or DPP3 of the Ordinance. The Commissioner’s Office will
carry out an investigation promptly on any illegal use of such
information and offenders will have to bear civil or criminal
liabilities.
“As far as the protection of personal data privacy of the people
involved is concerned, I now appeal to the public not to collect such
information online, and for those who have obtained such information,
to destroy it at once and not to use it for whatever purposes,” Mr. Woo
said.
The Commissioner’s Office is also concerned about the handling of
personal data by local organizations, in particular for government
departments that hold a large amount of personal data of the
public. Organizations must strictly comply with DPP 4 of the
Ordinance and take all practicable steps to ensure that personal data
held by them are protected against unauthorized or accidental access,
processing or erasure. In addition to security measures of
the location and the equipment in which the data are held,
organizations must also ensure the integrity, prudence and competence
of persons authorized to handle personal data. Organizations
should also take measures to ensure the secure transmission of the
data. In light of the unfortunate incident, people should
exercise particular caution when storing and transmitting personal data
by electronic means. Data users should implement security
safeguards or precautions the level of which should reflect the
seriousness of potential harm resulting from a security breach.
Members of the public who are affected by this incident may lodge
a complaint with the Commissioner’s Office if necessary. The
Commissioner’s Office will provide all necessary assistance to the
complainants with regard to individual circumstances. In
addition, according to Section 66 of the Personal Data (Privacy)
Ordinance, any citizen who suffers damage, including injury to
feelings, from this incident is entitled to civil compensation from
the data user.