The Office of the Privacy Commissioner for Personal Data (PCPD) on Monday called on organisations to urgently enhance employee awareness and adherence to data privacy protocols.

This follows the PCPD's intervention in eight personal data breach incidents across different sectors, including a government department and medical institutions.

The breaches, all violations of the Personal Data (Privacy) Ordinance, stemmed primarily from employee negligence and failure to follow established procedures, according to Privacy Commissioner Ada Chung.

In one case, an online registration form of a medical institution was found to have involved the improper disclosure of personal data submitted by over 100 registrants, including their names in Chinese and English, phone numbers, email addresses and dates of birth.

In another, staff at a retail company inadvertently filled in the email addresses of all its members into the recipients' field, rather than using the blind carbon copy function, thereby revealing the email addresses of more than 1,000 other members to the recipients.

A third notable breach occurred within the Transport Department, where staff mailed a letter regarding the complainant's notification of an address change but failed to fold it according to required procedures, which made the complainant's Hong Kong ID card number visible through the envelope window.

Of some other cases, one involved a doctor at a medical diagnostic centre who left a computer system logged in, thereby exposing confidential patient data on a monitoring device; a tour guide distributed group e-tickets that contained the unprotected personal data of more than 30 individuals; and a security guard at a residential estate improperly disclosed a complainant's phone number to another tenant while attempting to resolve a parking complaint.

Chung stressed the need for organisations to create clear and straightforward work guidelines, while also enhancing employee awareness through targeted training.

"We have also stressed the importance of implementation of the policies and continuous monitoring and supervision of the implementation of the policies," she said.

"This can be done, for example, by sample random checking of work procedures, surprise checks by supervisors, and also this can be done by ongoing training of internal staff."

Chung also highlighted the need to offer training to new staff, along with continuous training annually.

Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Rebecca Ho said organisations can develop checklists and flowcharts tailored to various positions, making work guidelines easier to understand.

She also stressed the importance of adopting technical security measures, such as using an encrypted email system, and developing a comprehensive data breach response plan which would enable organisations to respond swiftly and effectively to potential data breaches.