The Ombudsman has criticised the management of the government electoral office for “incomprehensive planning and ineffective monitoring” after it lost two computers containing the private information of voters.
The two computers were lost from a backup polling station for the chief executive election in March. It was discovered a day after the election that the two machines had disappeared from a locked room, despite there being no sign of a break-in.
One of the lost computers contained the names, addresses, and identity card numbers of all 3.78 million Hong Kong voters, despite the fact that only 1,194 people could vote in the March election. The data was stored in an encrypted format and did not include telephone numbers or voting records.
The Ombudsman also said three detailed reports had already been issued by the Constitutional and Mainland Affairs Bureau, the Office of the Privacy Commissioner for Personal Data, and the Electoral Affairs Commission. Thus, the Ombudsman did not deem it necessary to conduct another investigation.
But it raised two issues with the Registration and Electoral Office (REO) after the incident: why the information of all voters was needed, and why the computers were in a room without the necessary security facilities.
‘Same old habit’
After reviewing responses from the REO, the Ombudsman concluded that the office continued “the same old habit” from past chief executive elections in bringing computers with the information of all voters.
It found that only the staff of the Information Technology Management Unit (ITMU) of the REO knew that the computers contained the personal data of all voters.
“REO officers of various ranks (including the management) paid no heed to the problem, and never questioned or corrected it,” the Ombudsman said in a written comment released on Tuesday.
The Ombudsman also found that the REO had taken IT security too lightly: “Staff were free to place the notebook computers atop a carton box in a room to which other people also had access.”
“In the incident, REO staff at various ranks just followed old practices and were careless. The ITMU staff involved ignored the importance of personal data protection. More significantly, the REO management should be held responsible for incomprehensive planning and ineffective monitoring,” said Ombudsman Connie Lau.
The Office of The Ombudsman urged the REO to implement recommendations given by other reports as soon as possible to avoid similar incidents.
Secretary for Constitutional and Mainland Affairs Patrick Nip said the government will fully follow up on the recommendations.
“I understand that the REO has learned expensive lessons,” he said.
The computers have yet to be found. No-one has been arrested.