Hong Kong: PCPD issues compliance order to Registration and Electoral Office

The Office of the Privacy Commissioner for Personal Data ('PCPD') published, on 29 December 2022, Investigation Report No. R22 - 4116, issued on the same date, in which it served a compliance order on the Registration and Electoral Office for contravention of Data Protection Principle ('DPP') 4(1) of the Personal Data (Privacy) Ordinance (Cap. 486), as amended in 2021 ('PDPO'), following two separate breach notifications.

Background to the investigation

In the first incident, the PCPD found that the Registration and Electoral Office had wrongly attached a reply slip submitted by an election committee member to a test email that was sent to approximately 1,800 election committee members and their assistants. The personal data concerned included the names, email addresses, and telephone numbers of the election committee member and their assistants, and the signature of the election committee member.

In the second incident, a staff member of the Registration and Electoral Office wrongly sent files containing electors' data by email to an unknown recipient. The PCPD noted that the files contained the data of approximately 15,000 electors, including their Chinese and English names and residential addresses.

Findings of the PCPD

Based on the evidence obtained during its investigation of the first incident, the PCPD found that the following factors had led to the incident:

  • negligence and inadequate awareness of data protection on the part of the staff of the Registration and Electoral Office;
  • deficiencies in the work process of the Registration and Electoral Office; and
  • absence of written procedures for the relevant work.

The PCPD further observed that, given the large amount of electors' personal data the Registration and Electoral Office holds and processes, it ought to adopt more stringent information security measures so that its systems can adequately withstand staff negligence or inappropriate conduct. However, the Registration and Electoral Office had not put appropriate information security measures in place before the incident, which allowed its staff to use its email system to freely send files containing personal data to personal email addresses outside the Office's email system.

For the second incident, the PCPD found that the following factors had led to the incident:

  • failure of the staff of the Registration and Electoral Office to comply with the guidelines issued by the PCPD on information technology security;
  • inadequate awareness of data protection on the part of the staff of the Registration and Electoral Office; and
  • inadequate information security measures of the Registration and Electoral Office.

The PCPD added that both incidents mainly involved human error.

Outcomes

Having considered all the evidence, the PCPD found that, in the first incident, the Registration and Electoral Office had not taken all practicable steps to ensure that the personal data in question was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) of the PDPO concerning the security of personal data. The PCPD therefore ordered the Registration and Electoral Office to, among other things:

  • review and improve the workflow for collecting personal data from election committee members and for issuing bulk emails which contain personal data;
  • based on the result of that review, devise or revise the relevant written operational procedures or guidelines, including the procedure for issuing test emails to election committee members and relevant parties;
  • strengthen training in respect of information security and the protection of personal data; and
  • provide documentary proof to the PCPD within two months from the date of the enforcement notice, showing the implementation of items above.

For the second incident, the PCPD likewise found that the Registration and Electoral Office had not taken all practicable steps to ensure that the personal data of the electors in question was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) of the PDPO concerning the security of personal data. The PCPD therefore ordered the Registration and Electoral Office to:

  • implement technological security measures to prevent unauthorised employees from using any email system of the Registration and Electoral Office to send emails or files containing personal data to email accounts that do not belong to the Registration and Electoral Office;
  • strengthen training in respect of information security and the protection of personal data;
  • record the progress of training as mentioned above, and review and assess the participation and effectiveness of the relevant training plan annually to ensure the effectiveness of the relevant training and that it includes the latest information; and
  • provide documentary proof to the PCPD within two months from the date of the enforcement notice, showing the implementation of items above.
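The control ordered for the second incident (and the gap noted above, where staff could freely email files of personal data to external addresses) is an outbound data-loss-prevention check at the mail gateway. The following Python sketch is an added illustration of that kind of policy, not code from the PCPD report or the Registration and Electoral Office's own systems. It blocks mail that carries bulk personal data to recipients outside the organisation unless the sender is an explicitly authorised mailbox, and it also blocks a small amount of personal data addressed to a large external list, which is the pattern of the first incident if the election committee members' addresses sit outside the Office's domain. The domains, thresholds, mailbox names, regular expressions and sample attachments are all assumptions constructed for the example.

```python
"""Outbound e-mail policy check: keep personal data inside the organisation
unless an authorised sender is transferring it.  Constructed example; every
domain, threshold and sample record below is an assumption."""
import csv
import io
import re
from dataclasses import dataclass, field

# Assumed organisation domains; any other recipient domain is "external".
INTERNAL_DOMAINS = {"reo.example.hk"}
# Assumed role mailboxes allowed to send personal data externally
# (in practice backed by their own approval workflow and audit trail).
AUTHORISED_EXTERNAL_SENDERS = {"data-exchange@reo.example.hk"}
# A message carrying at least this many records is treated as a bulk transfer.
BULK_RECORD_THRESHOLD = 10
# Any personal data addressed to at least this many external recipients is a
# mass distribution (one person's reply slip sent to a whole mailing list).
BULK_RECIPIENT_THRESHOLD = 50

PHONE_RE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}(?!\d)")   # 8-digit, HK style
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PERSONAL_COLUMNS = {"name", "chinese_name", "english_name", "address",
                    "phone", "email"}


@dataclass
class Attachment:
    filename: str
    text: str                      # text already extracted from the file


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    body: str = ""
    attachments: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reasons: list


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(msg):
    return [r for r in msg.recipients if domain_of(r) not in INTERNAL_DOMAINS]


def count_personal_records(text):
    """Estimate how many individuals' data a piece of text contains.

    Two signals: data rows of a CSV whose header names personal-data columns,
    and distinct phone numbers or e-mail addresses found in free text.
    """
    try:
        rows = list(csv.reader(io.StringIO(text)))
    except csv.Error:                      # not parseable as CSV: treat as free text
        rows = []
    tabular = 0
    if rows and PERSONAL_COLUMNS & {h.strip().lower() for h in rows[0]}:
        tabular = sum(1 for row in rows[1:] if any(cell.strip() for cell in row))
    contacts = len(set(PHONE_RE.findall(text)) | set(EMAIL_RE.findall(text)))
    return max(tabular, contacts)


def evaluate(msg):
    """Apply the policy to one outbound message and explain the outcome."""
    external = external_recipients(msg)
    if not external:
        return Decision(True, ["all recipients are internal"])
    records = count_personal_records(msg.body) + sum(
        count_personal_records(a.text) for a in msg.attachments)
    if records == 0:
        return Decision(True, ["no personal data detected"])
    if msg.sender.lower() in AUTHORISED_EXTERNAL_SENDERS:
        return Decision(True, [f"authorised sender: {records} record(s) to "
                               f"{len(external)} external recipient(s), logged"])
    reasons = []
    if records >= BULK_RECORD_THRESHOLD:
        reasons.append(f"{records} personal-data records addressed externally")
    if len(external) >= BULK_RECIPIENT_THRESHOLD:
        reasons.append(f"personal data addressed to {len(external)} external recipients")
    if reasons:
        reasons.append("sender not authorised to transfer personal data externally")
        return Decision(False, reasons)
    return Decision(True, [f"low volume ({records} record(s), "
                           f"{len(external)} external recipient(s)); logged for review"])


def sample_elector_file(n=15):
    """Constructed elector register, not real data."""
    rows = ["chinese_name,english_name,address"]
    rows += [f"陳大文{i},CHAN Tai Man {i},Flat {i} Example Building 1 Example Road Kowloon"
             for i in range(n)]
    return "\n".join(rows)


def sample_reply_slip():
    """Constructed reply slip of a single committee member, not real data."""
    return ("Name: CHAN Tai Man\nEmail: chan.taiman@member.example\n"
            "Tel: 9123 4567\nSignature: (signed)")


if __name__ == "__main__":
    leak = OutboundMessage("clerk@reo.example.hk", ["someone@webmail.example"],
                           "Please see attached.",
                           [Attachment("electors.csv", sample_elector_file())])
    print(evaluate(leak))
```

The check runs on text already extracted from attachments; a real deployment would hook this into the gateway's milter or transport rules and extract text from spreadsheets and PDFs before scoring. The two thresholds are deliberately separate: the record count catches the 15,000-elector file, the recipient count catches one person's reply slip broadcast to 1,800 addresses, and neither rule can be satisfied by an ordinary clerk's account.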

The PCPD also noted that, after both incidents, the Registration and Electoral Office had enhanced its security measures and reviewed its workflow for handling personal data in order to strengthen the protection of personal data privacy.

You can read the press release here and investigation report here.
