The Privacy Commissioner has said the Registration and Electoral Office (REO) contravened privacy rules after it lost an election computer containing the personal information of all voters. It has demanded improvements.
The commissioner’s office launched an investigation after two computers were lost from a backup polling station for the chief executive election in March. It was discovered a day after the election that the two machines had disappeared from a locked room, despite there being no sign of a break-in.
One of the lost computers contained the names, addresses, and the identity card numbers – considered private information – of all 3.78 million Hong Kong voters. The data was stored in an encrypted format and did not include telephone numbers and voting records.
The system had been used since the 2007 chief executive election in order to handle any potential enquiries relating to electors. However, the REO was unable to provide any information relating to the approval of the use of the system during the 2017 election. It was also unable to confirm whether approval had been obtained.
The commissioner confirmed that there were indeed layers of encryption present on the computers. Hong Kong identity card numbers were encrypted before being stored on the system, while other personal data was stored in plain text.
Only a small number of voters can participate in the chief executive election, with 1,194 electors taking part this year. The REO also has an online system which can be used to check electors’ eligibility.
“The REO simply followed past practices and failed to review, update or appraise the existing mechanism in a timely manner and in light of the circumstances,” the report said.
“The security measures adopted by the REO were not proportional to the degree of sensitivity of the data and the harm that might result from a security incident. The claimed effectiveness of the need for storing personal data of all Electors was not proportional to the associated risks either.”
“The REO lacked the requisite awareness and vigilance as expected of it in protecting personal data, rules of application and implementation of various guidelines were not clearly set out or followed, and internal communication was less than effective,” it concluded.
The commissioner concluded that the REO failed to take all reasonably practicable steps and contravened a data security principle of the Personal Data (Privacy) Ordinance.
The commissioner has served an Enforcement Notice against the REO to demand a remedy and prevent any recurrence of the contravention.
The REO has been directed to prohibit the downloading or use of voters’ personal data – except their names and addresses which are considered public information – for the purposes of handling enquiries in chief executive elections. Notices must be issued to staff members on a regular basis.
It has also been directed to set better internal guidelines.
The other lost computer only contained the names of the 1,194 electors, which are already public. The commissioner concluded it was acceptable to download the names to the computer for the purpose of recording the re-issuance of name badges. There would unlikely be any harm done to them, and the security measures are considered adequate in the circumstances.
No arrested have been made relating to the theft.