Hong Kong saw a record number of user data breaches last year, totalling 129 according to the city’s privacy watchdog. The number of complaints involving information technology and personal data on the internet also skyrocketed.
Privacy Commissioner Stephen Wong said on Thursday that a key issue was how to enhance data security: “The overall trend of [data breaches] was not about gathering or using personal data, but rather about information security, such as hackers and lapses in protection,” he said.
The office of the Privacy Commissioner for Personal Data (PCPD) said there was a 22 per cent increase in data breach cases last year – an all-time high. It also received 1,890 complaints from the public, representing a 23 per cent increase from 2017.
There were 501 complaints related to information and communication technology – more than double the amount from 2017. Among those, 270 cases were related to the disclosure or leakage of personal data on the internet, while 252 had to do with the use of social networking sites or mobile apps.
Wong said organisations that make use of personal data should not just aim for the minimum regulatory requirement.
“[The organisations should] be held to a higher ethical standard in data stewardship, so as to build a trust basis with stakeholders in the contemporary data driven economy,” he said.
The PCPD conducted 289 compliance checks and four compliance investigations last year. However, Wong acknowledged that hacking cases were challenging because it was more difficult to pin down who was responsible.
In October, Hong Kong airline Cathay Pacific revealed that the personal information of 9.4 million customers was compromised because of a data hack. Wong said the PCPD received 139 complaints last year related to the incident.
Reform efforts ‘in full swing’
Wong said on Thursday that the PCPD will discuss reforms with the government for the first half of this year, and talks were already “in full swing” and nearing the final stages.
“Recently, the public has expressed concern on mandatory reporting requirements, PCPD’s enforcement powers, penalties for data breaches, and regulations on data users,” he said.
The PCPD is an independent statutory body set up to oversee the enforcement of the Personal Data (Privacy) Ordinance. It can issue warnings and enforcement notices, but has no powers of criminal investigation or prosecution.
“A lot of people say [the PCPD] is toothless… the ‘dentist’ may well be getting the Legislative Council to amend relevant laws,” Wong added.
However, Wong also noted that his office only had limited manpower, and the number of staff had remained the same over the past decade. He called on the government to increase his 69-person team by at least half, so as to cope with future workload.