HK privacy watchdog slams EMSD over data leak involving 17,000 residents
Hong Kong’s privacy watchdog has slammed the Electrical and Mechanical Services Department (EMSD) for failing to proactively delete the personal data, which led to a data breach affecting over 17,000 individuals.

The Office of the Privacy Commissioner for Personal Data (PCPD) has released its investigation report on the data leak incident that the EMSD reported in April. The investigation was prompted by a data breach notification from the EMSD to the PCPD on 1 May 2024, which reported suspicions of a leak involving personal data from individuals tested during the “restriction-testing declaration” (RTD) operations in 2022.

The EMSD conducted 14 COVID-19 testing operations between March and July 2022, using an e-form platform linked to ArcGIS Online to collect data from those tested. After the operations concluded, the EMSD notified the contractor not to renew the service contract, assuming that the e-form account would be invalidated and data deleted upon expiration in February 2023. 

However, on 30 April 2024, the EMSD learned from the PCPD that the personal data from the RTD operations was accessible to the public without credentials. The EMSD immediately requested the contractor to remove the data from the platform and submitted a data breach notification to the PCPD the following day.

The incident affected the personal data of over 17,000 individuals, including names, addresses, HKID card numbers, telephone numbers, ages, genders, vaccination status, whether the persons had tested positive in PCR tests and the respective dates.

The PCPD has conducted five rounds of enquiries with the EMSD and approached the contractor twice to obtain relevant information. Having considered the circumstances of the incident and the information obtained during the investigation, the privacy commissioner, Ada Chung, identified four deficiencies within the EMSD that significantly contributed to the incident.

Firstly, there was a lack of written policies on the retention of personal data collected in the RTD operations, and guidance on the storage and disposal of that data was unclear. Although the EMSD might not have been able to specify a retention period or formulate a data retention policy before or during the RTD operations, it had all along relied solely on its late-2022 notification to the contractor not to renew the contract as the basis for suggesting that a retention period had in fact been specified. No written policy ever specified the retention period of the data.

Secondly, the EMSD failed to clearly request the contractor to delete the relevant data in late 2022 when it recognised that the RTD operations had concluded. In notifying the contractor about not renewing the contract, the EMSD did not explicitly ask for the deletion of the personal data involved in the incident.

The PCPD added that the EMSD failed to take the initiative to delete the personal data involved, particularly during the period from late December 2022 to late February 2023 when the EMSD was still able to log in to the e-form platform to manage the personal data stored therein. The EMSD also did not properly follow up with the contractor on the deletion of the data, as it merely assumed that the contractor would act on its own volition after the expiry of the contract. The EMSD had never urged, checked or reminded the contractor to delete the personal data from the e-form platform, and had never sought to understand or monitor the progress or effectiveness of the contractor’s relevant actions.

According to Chung, the EMSD has not formulated a policy on the retention period of the relevant personal data, nor has it made an unequivocal request to the contractor for data deletion. It also failed to proactively delete the personal data, or to follow up on and check the deletion of personal data by the contractor after the completion of the RTD operations, which resulted in the unnecessary exposure of the relevant personal data to the risk of data leakage. It is clear that not only had the EMSD failed to comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO), it had also fallen short of the reasonable expectations of the public. 

In the circumstances, the privacy commissioner found that the EMSD had not taken all practicable steps to ensure that the personal data involved was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening Data Protection Principle (DPP) 2(2) of the PDPO concerning the retention of personal data; and had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP4(1) of the PDPO concerning the security of personal data.

The privacy commissioner has served an enforcement notice on the EMSD, directing it to take measures to remedy the contraventions and prevent recurrence of similar contraventions in future.