LCQ14: IPCC takes prompt and decisive actions in dealing with disclosure of personal data incident
*********************************************************

    Following is a question by the Hon Choy So-yuk and a written reply by the Secretary for Security, Mr Ambrose S K Lee, in the Legislative Council today (March 29):
 
Question:

     It has been reported that, having investigated the leak of personal data of around 20 000 people who complained against the Police, the task force of the Independent Police Complaints Council (IPCC) has attributed the cause of the incident to negligence on the part of the outsourced contractor who uploaded the information concerned to a server for the sake of convenience, thus leading to the leak of the data. In this connection, will the Government inform this Council whether it knows:

(a) whether there are specific terms in the service contract between IPCC and the contractor stating the penalties to be imposed on the contractor in the event of data leak; if so, of the details of the relevant terms; if not, the reasons for that;

(b) whether the contractor will be penalised because of the above incident; if so, of the details of the penalties; and

(c) how IPCC will prevent the recurrence of similar incidents?

Reply:

Madam President,

     Both the Administration and the Independent Police Complaints Council (IPCC) are very concerned at the case. The Administration appreciates and supports the IPCC's prompt and decisive actions in dealing with the incident. We have been maintaining close liaison with the IPCC and will continue to provide the necessary support to the IPCC in dealing with the incident.

     The IPCC has provided the following reply to Hon Choy So-yuk's questions:
 
(a) The IPCC Secretariat had entered into contracts with the contractor for the development, enhancement and maintenance of a standalone computer system for statistics and research purpose since 1998. On the basis of records available, the IPCC Secretariat advised that there were no penalty clauses in the contracts for any breach of the duty of confidence by the contractor. It also advised that there was no file record indicating any reason for not including such clauses.

(b) The IPCC is seeking legal advice on matters connected with or incidental to the incident, and no further details can be provided at this stage.

(c) Apart from investigating the cause of the leakage, the IPCC has immediately taken a range of remedial measures to control the damage caused to the public, and better safeguard the personal data available to it. The specific measures taken are at Annex. The IPCC will co-operate fully with the investigation initiated by the Office of the Privacy Commissioner for Personal Data (PCO) under section 38(b) of the Personal Data (Privacy) Ordinance into the incident. The IPCC will comply fully with PCO's recommendations in due course. In the meantime, the IPCC has also identified a list of measures on data-keeping that can be taken to comply with the data protection principles and it will consult the PCO in the process.

Annex
-----

     Actions which have already been taken and are being actively followed up include:

* Limited access to sensitive information to the Secretary, IPCC or to such persons with her express permission. The computer containing the sensitive database has been put in a room with locks and a log book has been attached to the computer. Any authorised person who wishes to utilise the database would sign his/her name together with the title, date, starting and completion time on accessing the database.

* Set up a hotline (2524 3841) manned by the IPCC Secretariat to handle public enquiries.

* Uploaded the latest information regarding the incident on the IPCC website.

* Two subcommittees respectively headed by Mr Ronny F H Wong, Chairman and Hon Alan Leong, Vice-chairman to meet those who have expressed genuine concern on the incident. The subcommittees will actively consider what measures can be taken to effectively address those concerns.

* Approached Google and other Internet Service Providers for assistance in erasing the files and cache with the information.

* Provided intelligence to the Commercial Crime Bureau of the Police for cyber monitoring. Obtained advice from the Office of the Government Chief Information Officer on possible steps to continuously trace and delete the remaining traces of the data on the Internet, and to prevent further spreading of the data.

* Appealed to the public and the media to stop searching or circulating the information on the Internet.

* The Office of the Privacy Commissioner for Personal Data had advised the public that in accordance with Data Protection Principle (DPP) 1 of the Personal Data (Privacy) Ordinance, all personal data shall only be collected for lawful purposes, in a lawful and fair manner in the circumstances of the case. In addition, DPP3 provides that personal data shall only be used for the purposes for which they were originally collected or a directly related purpose. Information contained in the IPCC database is for internal use only. Any illegal collection or use of such information will be in breach of DPP1 and/or DPP3 of the Ordinance.

Ends/Wednesday, March 29, 2006
Issued at HKT 15:31
