Hong Kong’s privacy watchdog has found that the city’s Electrical and Mechanical Services Department contravened data privacy laws over a data leak involving 17,000 people this May.

Privacy Commissioner Ada Chung said at a Monday press conference that the department has been served an enforcement notice requiring it to take corrective measures and submit a report to the watchdog.

Privacy Commissioner Ada Chung at a press conference on December 9, 2024. Photo: PCPD.
Privacy Commissioner Ada Chung at a press conference on December 9, 2024. Photo: PCPD.

The personal data involved included names, addresses, Hong Kong Identity Card numbers, telephone numbers, ages, genders, whether the persons were vaccinated, whether they had tested positive in PCR tests and the respective dates, according to a statement issued by the Privacy Commissioner for Personal Data.

The PCPD findings came after a string of data breaches affecting companies, schools, and government departments, including the EMSD, the Companies Registry, and the Fire Services Department.

The city’s Consumer Council and tech park Cyberport also fell victim to hackers last year, while Oxfam saw a potential data breach this July.

Covid test data

The EMSD was in charge of collecting data for Covid-testing exercises at 14 public housing estates, including Kai Ching Estate and On Tat Estate, between March and February 2022. The data was stored on a cloud platform called ArcGIS Online.

Chung said on Monday that the Covid testing data remained on the database even after the EMSD’s contract with a contractor had expired.

covid testing kwai chung 2
Government enforces “restriction-testing declaration” and compulsory testing at Fu Keung House, Tai Wo Hau Estate. Photo: GovHK

It was not until late April this year that the EMSD learned that the testing data had not been deleted, and could still be browsed without logging into the website. There was no evidence that the personal information had been published anywhere, the department said in May.

The PCPD said a lack of written policies on the storage and disposal of data was one of the key reasons as to why the data breach occurred.

See also: Hong Kong urged to improve accountability after two more gov’t data breaches

“There had not been any written policy specifying the retention period of the aforesaid data. Such written policies could provide a clear basis for the retention and disposal of data and could play an important role in this regard,” the statement read.

The PCPD found that the EMSD had not taken all practicable steps to ensure that personal data was not kept longer than was necessary, and to ensure that the personal data was protected against unauthorised or accidental access.

PCPD Office of the Privacy Commissioner for Personal Data
The Office of the Privacy Commissioner for Personal Data. File photo: Peter Lee/HKFP.

Privacy Commissioner Chung served an enforcement notice on the EMSD over the contraventions of the Personal Data (Privacy) Ordinance relating to data retention and unauthorised access, and ordered it to take measures to prevent similar incidents.

The office of the PCPD said last month that almost 70 per cent of Hong Kong companies experienced cyberattacks in the past year, as a survey found that firms’ cybersecurity awareness still stood at “basic” levels.

Over a third of the 442 companies surveyed had provided cybersecurity awareness training for employees, while just under a quarter had conducted awareness drills.

members promo splash

Support HKFP  |  Policies & Ethics  |  Error/typo?  |  Contact Us  |  Newsletter  | Transparency & Annual Report | Apps

Safeguard press freedom; keep HKFP free for all readers by supporting our team

HK$
HK$

Members of HK$150/month unlock 8 benefits: An HKFP deer keyring or tote; exclusive Tim Hamlett columns; feature previews; merch drops/discounts; "behind the scenes" insights; a chance to join newsroom Q&As, early access to our Annual/Transparency Report & all third-party banner ads disabled.

The Trust Project HKFP
Journalist Trust Initiative HKFP
Society of Publishers in Asia
International Press Institute
Oxfam Living Wage Employer
Google Play hkfp
hkfp app Apple
hkfp payment methods
YouTube video
YouTube video

James Lee is a reporter at Hong Kong Free Press with an interest in culture and social issues. He graduated with a bachelor’s degree in English and a minor in Journalism from the Chinese University of Hong Kong, where he witnessed the institution’s transformation over the course of the 2019 extradition bill protests and after the passing of the Beijing-imposed security law.

Since joining HKFP in 2023, he has covered local politics, the city’s housing crisis, as well as landmark court cases including the 47 democrats national security trial. He was previously a reporter at The Standard where he interviewed pro-establishment heavyweights and extensively covered the Covid-19 pandemic and Hong Kong’s political overhauls under the national security law.