The Director of Immigration Department signed formal undertaking
1. The Director of Immigration, Mr. Simon Yun-lu Peh, today signed a
formal undertaking with the Privacy Commissioner for Personal Data, Mr.
Roderick B Woo, to step up measures on data security of the personal
data held by the Immigration Department in compliance with the Personal
Data (Privacy) Ordinance. Mr. Woo is pleased with the prompt
action taken by Mr. Peh and the determination and commitment
demonstrated by such action. He is satisfied with the terms of
the undertaking which reflect the recommendations made by him to the
Department.
2. It was reported in the newspapers on 8 May 2008 that some
sensitive personal data contained in documents apparently belonging to
the Immigration Department were leaked on the internet through a
file-sharing software called "FOXY". The personal data consisted
of 27 document files comprising internal memos, file minutes and other
documents, some marked "confidential", containing the names, dates of
birth, and identification document types and numbers of eleven visitors
/ foreigners and three Hong Kong residents, as well as the names, ranks
and post titles of certain immigration officers.
3. Both Mr. Peh and Mr. Woo were seriously concerned about the
incident. They had a telephone discussion the same morning, in which
Mr. Peh confirmed that he had already made arrangements for the removal
of the data so that it could no longer be accessed online through the
FOXY software.
4. That afternoon, the Deputy Director and an Assistant Director of
Immigration met with the Privacy Commissioner's investigation officers
to assist the latter with their enquiries.
5. The Immigration Department fully co-operated with the Privacy
Commissioner's officers and provided them with copies of relevant
information and materials. The immigration officers involved also
gave detailed statements of the circumstances leading to the leakage of
the data.
6. The Immigration Department acknowledged that the leakage was due
to the inadvertence of the relevant staff in collecting and saving the
softcopies of the document files as templates of sample case documents
for self-study and future use on a personal computer at home, on which
the "FOXY" programme had been installed.
7. "The Immigration Department has always been conscious of the
importance of data protection and maintains a system which has a high
standard of security. Nonetheless I agree that certain measures,
if taken, can improve the existing security in relation to our
management of personal data. We appreciate the positive
suggestions made by the Privacy Commissioner in this matter. We
trust that the steps which I have undertaken to adopt will further
enhance the existing personal data protection system," Mr. Peh said.
8. "The incident was caused by failure of the staff concerned to
handle personal data with care. Having considered the
circumstances of the case and that the Immigration Department has
undertaken to enhance its data security, I have decided not to take any
further action but will monitor the proper compliance of the
Undertaking," Mr. Woo said.
9. In summary, the Immigration Department undertakes:
(a) To prohibit the collection or retention of office documents as
templates or sample case documents for future use by all staff unless
the identifying particulars of individuals contained therein (if any)
have been removed.
(b) To require all staff to erase all identifying particulars of
individuals (if any) from any such templates or sample case documents
kept by them (if any) and confirm in writing that they do not currently
hold any such templates or sample case documents that contain
identifying particulars of individuals.
(c) To categorize all office documents containing personal data in
both paper and electronic forms, according to the sensitivity of the
data, into classes ranging from absolute prohibition of photocopying or
storing on portable electronic devices to data that can be taken or
copied for use outside the office premises.
(d) To prohibit the taking or copying of any such data for use
outside office premises, unless permitted by officers of specified
ranks.
(e) To prohibit any further use or copying of the data referred to in
paragraph (d) above unless permitted by an authorizing officer.
(f) To specify the measures that are required to be taken by the
staff member concerned to protect such data when they are outside the
office premises (e.g. personal data in electronic form must be
encrypted).
(g) To require the prompt return or permanent erasure of such data
when their purpose of use has been fulfilled.
(h) To maintain clear and detailed records in respect of the taking
or copying of such data for use outside the office premises.
(i) To give clear instructions to staff in relation to the
implementation of the above requirements or measures.
(j) To take all reasonably practicable steps to ensure compliance by
staff with those instructions through proper training, guidance and
supervision (to be followed by disciplinary actions if appropriate).
END