Keeping Your Laptops Safe and Sound: How and What Should Be Done?
Introduction
The Privacy Commissioner for Personal Data (the “Commissioner”)
has recently published an Investigation Report on the loss of two notebook
computers containing personal data of about 1,200 Election Committee members
(the “EC members”) and about 3.78 million Geographical Constituencies
electors including EC members (the “Electors”), which were under the
custody of the Registration and Electoral Office (the “REO”), as
reported on the day following the 2017 Chief Executive Election.
In this newsletter, we shall discuss the findings of the
Commissioner and the precautions that we should take to avoid making
mistakes similar to those of the REO.
The Laptops
There are two laptops involved in this case. The first
laptop contained the names of the EC members only (the “First Laptop”).
The second laptop contained names and addresses available to the public in the
Final Register of Electors as well as the Hong Kong Identity Card numbers of
all the Electors (the “Second Laptop”). All the information had been
encrypted and was protected by multiple layers of encryption that are extremely
difficult to break through. Upon discovering the loss of these laptops, the REO verbally
notified the office of the Commissioner of the matter and also submitted a
“Data Breach Notification Form”, which prompted the Commissioner’s
investigation as required under section 38 of the Personal Data (Privacy)
Ordinance (Cap. 486) (the “Ordinance”).
The relevant principle under the Ordinance in this case
is Data Protection Principle (“DPP”) 4(1), which provides that:
“All practicable steps shall be taken to ensure that
personal data… held by a data user [being the REO] are protected against
unauthorized or accidental access… loss or use having particular regard to –
(a) the kind of data and the harm that
could result if any of those things should occur;
(b) the physical location where the
data is stored;
(c) any security measures incorporated
(whether by automated means or otherwise) into any equipment in which the data
is stored;
(d) any measures taken for ensuring
the integrity, prudence and competence of persons having access to the data;
and
(e) any measures taken for ensuring the secure transmission of the data.”
As there are five factual elements under DPP 4(1) to be
considered by the Commissioner, the fact-finding process during the
investigation was immense.
Findings
The First Laptop
With regard to the First Laptop, the Commissioner took
the view that harm was unlikely to be done to the EC members even if their names
were leaked due to the loss, as it contained only the names of the EC members,
which are public data anyway and are not considered sensitive personal data.
The security measures (i.e. the use of passwords and the location of the First
Laptop being in a locked room) were adequate. The Commissioner also considered
that it was acceptable to download the names of the EC members for the purpose
of recording the re-issuance of name badges.
In the circumstances, the Commissioner concluded that the
REO did not contravene DPP 4(1) of the Ordinance for the loss of the First
Laptop.
The Second Laptop
As the Second Laptop contained the Hong Kong Identity Card
numbers of all the Electors, these are considered sensitive personal data
which are not accessible to members of the public. The Electors would suffer
serious harm if culprits obtained the data. The Commissioner found that the REO
contravened DPP 4(1) of the Ordinance for the following reasons:
- the REO brought all Electors’ data for the Chief Executive Election where only 1,194 EC members were eligible to vote, which is a disproportionate and imbalanced act;
- the REO did not set out clear policies or internal guidelines on the storage of Electors’ personal data in the laptops and the protection measures needed; and
- the security measures adopted by the REO were not proportional to the degree of sensitivity of the data and the harm that might result from a security incident.
The Commissioner served an enforcement notice on the REO directing it to (i) prohibit the download or use of Geographical Constituencies electors’ personal data (except their names and addresses) for the purpose of handling enquiries in Chief Executive Elections; (ii) issue notice on this to the relevant staff on a regular basis; (iii) set internal guidelines in respect of the processing of personal data; and (iv) implement effective measures to ensure staff’s compliance with the above policies and guidelines.
Are you one of the Electors whose personal data were stolen?
If you were one of the Electors whose personal data were
stored in the missing Second Laptop and have suffered damages due to the
contravention of the REO, you may be able to rely on section 66(1) of the
Ordinance for compensation from the REO for damages. Nonetheless, the REO may
be able to rely on the defence under section 66(3) that the REO had taken care
in all the circumstances that was reasonably required to avoid the
contravention concerned.
Do you carry your corporate laptop around?
We all know the importance of keeping our personal
laptops safe, or else our personal data could easily be disclosed to
unauthorised persons. The basic security measures include setting a boot
password on the laptop, using data encryption and never leaving the laptop
unattended. However, if you often carry your corporate laptop around,
chances are that you will need more than the basics. Corporate laptops may,
for example, contain information of clients, so technical security
measures should be heightened. In light of what was suggested by the
Commissioner to the REO and in order not to contravene DPP 4(1) of the
Ordinance, we suggest that the following measures be put in place
insofar as reasonably practicable:
- Encryption – laptops should be protected by multiple encryption layers, where the strongest layer should meet the industry standard;
- Password – after every unsuccessful login with a wrong password, the protection layer should delay the login time so as to increase the difficulty of decryption. Two-factor authentication should also be adopted for accessing clients’ data; and
- Internal practices – if passwords to access clients’ data are shared amongst the staff, encrypted emails should be used to circulate such passwords. A comprehensive guideline should also be provided to staff members requiring them to transmit passwords through reliable means.
Although it is not a statutory requirement for data users
to inform the Commissioner or the data subjects about any data breach incident,
in case of breach, data users should consider reporting the matter promptly,
since it would not only mitigate the potential harm but also help improve the
security system in the future.
For enquiries, please feel free to contact us at:
E: employment@onc.hk T: (852) 2810 1212 W: www.onc.hk F: (852) 2804 6311 19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong
Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.
Published by ONC Lawyers © 2017