BackIn the course of the 2017 Chief Executive (CE) Election, the Registration and Electoral Office (REO) lost two notebook computers, one containing the personal data of 3.78 million electors. Since the Constitutional and Mainland Affairs Bureau (CMAB) had set up a Task Force to review the incident, and the Office of the Privacy Commissioner for Personal Data (PCPD) had commenced an investigation, the Office of The Ombudsman decided, for better use of resources, to wait until the Task Force and PCPD had completed their reports before deciding whether and how to follow up as necessary.
Having examined those two reports together with the Report on the 2017 Chief Executive Election published by the Electoral Affairs Commission (EAC), The Ombudsman, Ms Connie Lau, commented on the following today (July 18).
As those three reports have practically already covered all the different areas and quite a number of recommendations have been made, the Office of The Ombudsman considers it not necessary to conduct yet another investigation into the incident. Nevertheless, the Office has special concern about the following two issues, scrutinizing relevant information and interviewing REO officers to gain understanding of these issues:
(1) Why did the REO allow its staff to freely carry the notebook computers containing the personal data of 3.78 million electors, just for the purpose of verifying the identities of Election Committee (EC) members (altogether 1,194 only) when necessary? The REO explained to the Office that, other than the staff of the Information Technology Management Unit (ITMU) involved, no one in the REO knew that the notebook computers brought to AWE contained the personal data of Hong Kong’s 3.78 million electors, let alone raised any queries about such a practice in the preparation process.
(2) Why did the REO allow its staff to leave the notebook computers in a room without the necessary security facilities? The REO pointed out that stringent security measures had been put in place at the main venue for the 2017 CE Election. However, there were no such security measures at the fallback venue.
The Ombudsman, Ms Connie Lau, commented this as follows: “In the incident, REO staff at various ranks just followed old practices and were careless. The ITMU staff involved ignored the importance of personal data protection. More significantly, the REO management should be held responsible for incomprehensive planning and ineffective monitoring. The Office of The Ombudsman urges the REO to take reference from the incident and implement as soon as possible the recommendations of the CMAB, PCPD and EAC, so as to avoid recurrence of similar incidents.”
Source: Office of The Ombudsman, Hong Kong
