A government department failed to take adequate measures to protect the personal data of thousands of people who were ordered to undergo Covid tests in 2022, data that was later found to be freely available online, the privacy commissioner's office said on Monday.
In April this year the watchdog alerted officials to the fact that information including names, phone numbers, ID card numbers, addresses and Covid vaccination status of more than 17,000 public housing tenants was accessible online, without the need for any account or password.
The blunder, by the Electrical and Mechanical Services Department (EMSD), was made public a few days later.
During an investigation by the watchdog, the department said that given it had stopped using the services of the e-form platform involved in the breach, it wrongly believed the personal data in question had been automatically deleted.
"It was only when EMSD became aware of the incident on 30 April 2024 that it requested the contractor to remove the personal data involved," said Hermina Ng, senior legal counsel for the privacy commissioner's office.
The watchdog said the department lacked written policies on the retention of personal data, had failed to take the initiative to get the information deleted, and didn't follow up on the issue with the e-form platform.
"The EMSD merely assumed that the contractor would act on its own volition after the expiry of the contract. The EMSD had never urged, checked or reminded the contractor to delete the personal data from the e-form platform, and had never sought to understand or monitor the progress or effectiveness of the contractor’s relevant actions," the office said.
"The EMSD, as the data user, should not merely wait passively for the contractor to take action, nor should it ride on its trust in the contractor and not verify the work done by the contractor. This is another obvious deficiency."
The privacy watchdog concluded that the EMSD failed to ensure the data collected was kept only for as long as necessary, and that it didn't safeguard the personal information from unauthorised or accidental access.
Privacy Commissioner Ada Chung said an enforcement notice had been issued to the EMSD, directing it to take measures to remedy the violations and prevent similar situations from happening again in future.
In response to the watchdog's findings, the department said it immediately conducted an in-depth enquiry with the contractor about the operational details of the server platform to ensure the complete removal of the relevant data.
The EMSD also said it introduced a number of measures, including developing a dedicated platform to store personal data on its own servers, to try to prevent a repeat of similar incidents in future.
Last updated: 2024-12-09 HKT 21:26