LCQ12: Police attach great importance to information security and data protection
*****************************************************

     Following is a written reply by the Secretary for Security, Mr Lai Tung-kwok, to a question by the Hon Elizabeth Quat in the Legislative Council today (November 21):

Question:

     Recently, several incidents involving police officers which might lead to leakage of personal data of members of the public have occurred, including the loss of police notebooks and memory sticks by police officers, as well as some Police's confidential documents being found on the Internet due to the use of peer-to-peer sharing software by police officers. In response to such incidents, the Police have set up a working group led by the Deputy Commissioner of Police to explore improvement initiatives and adopt various measures to prevent recurrence of these incidents. In this connection, will the Government inform this Council:

(a) whether the working group will comprehensively review if the existing measures adopted by the Police for protecting the privacy of members of the public are adequate; if it will, whether a detailed review report will be submitted to this Council; if it will not conduct such a review, of the reasons for that;

(b) of the membership list of the working group, and whether representatives from the relevant sectors (e.g. the information technology sector) and Office of the Privacy Commissioner for Personal Data are included; and

(c) whether short, medium and long-term measures are included in the improvement initiatives being explored by the working group, so as to ensure that short and medium term measures will be put in place to enhance the protection of personal data of members of the public before the completion of the study and the implementation of long-term measures; if not, of the reasons for that?

Reply:

President,

     The Hong Kong Police Force attach great importance to information security and data protection. The FOXY Incident Working Group, set up in 2008, which was subsequently renamed as the Information Security Working Group (the Working Group), is a high-level internal working group led by the Deputy Commissioner of Police (Operations) to holistically scrutinise information security within the Force, including measures and procedures for safeguarding personal data and confidential information. The Working Group also ensures that information security is maintained at the highest level by drawing up a series of integrated measures in areas like policies and procedures, security measures, promotion and education, etc. to enhance security.

     The Police are very concerned about several recent incidents in which there was leakage of personal data due to loss of Police documents. In addition to reviewing relevant policies, procedures and guidelines, the Police will continue to adopt various measures to ensure that their systems and procedures are maintained at the highest information security level. Training of officers will also be enhanced to ensure that the policies and measures in place can cope with the challenges resulting from the rapid development of information technology.

     My reply to the Member's question is as follows:

(a) and (b) As mentioned above, the Working Group is responsible for holistically scrutinising information security within the Force and drawing up measures to ensure that the highest level of information security is maintained. Led by the Deputy Commissioner of Police (Operations), the Working Group is composed of 12 members, including representatives from operations, crime and security, management, training, information systems and public relations at Force management level.

     Meeting at regular intervals, the Working Group closely monitors the latest environment and trends of information security within the Force. It also keeps the effectiveness of various security measures under review, taking into account the challenges resulting from the rapid development of information technology. Details of such specific measures are in part (c) of the reply.

     The Police will notify the Office of the Privacy Commissioner for Personal Data (PCPD) of any incidents involving personal data leakage, and will make every effort to provide assistance to and co-operate with PCPD on its investigation of several recent incidents of personal data leakage due to loss of Police documents. Furthermore, the Police will maintain close liaison with PCPD in the implementation of information security and data protection work.

(c) Since its establishment, the Working Group has formulated and subsequently implemented a series of comprehensive security measures covering short, medium and long-term integrated plans, which include:

(i) Policies and Measures

* The Police's policies on information security and personal data protection are set out in the Police General Orders, Force Procedures Manual and Force Information Security Manual. The Police review and update their policies, procedures and guidelines in a timely manner. Officers who fail to comply with these policies, procedures and guidelines may be taken as contravening police order and subject to disciplinary actions. From 2010 to October 2012, a total of three police officers were disciplined as a result.

* The Behavioural Guidelines for the Force Values of Integrity and Honesty, issued in 2009, stipulated that police officers shall, among other things, "protect personal data and classified information".

* As a long-term solution to enhance information security, the Force plans to enhance its IT infrastructure by the "virtual workstation" project. Virtualisation technology refers to a server computing model under which virtual workstations running on a remote central server will replace personal computers, and all of the programs, applications, processes and data used are kept and run centrally on the server ends. Information security will be enhanced as all data will be processed and stored in the central server, and no data will be transferred to or can be downloaded from the front-line terminals. The Force has obtained funding approval from the Legislative Council. Pilot run of virtual workstation will be implemented in Kowloon West Region which is expected to be rolled out in 2014.

(ii) Technology Support and Assistance

* Upon completion of a Forcewide common terminal "sanitisation exercise" in 2008, regular checking of all computer systems of the Force is conducted on an annual basis to ensure that the standards for information security are met.

* Encrypted USB thumb drives are provided to officers for storage of restricted information. E-cert encrypted USB thumb drives are also distributed to officers of Inspector or above ranks for processing and transmission of confidential information.

* All USB ports on all Force computers are "whitelisted" to ensure that only registered USB devices can be used on Force computers.

* All Force computers are installed with CD burning restriction and encryption function to enhance end-point security.

(iii) Publicity and Training

* Regular training and briefing sessions are organised to let officers keep abreast of the latest development of information technology and draw reference to experiences of best practices.

* An interactive electronic learning package on information security was produced in April 2012 for front-line and supervisory officers.

* A fresh round of "Information Security and Data Protection" training was rolled out in August 2012 to enhance officers' knowledge of and accountability for the Personal Data (Privacy) Ordinance (the Ordinance), information security and personal data protection.

* In view of the popular use of social media, the Force issued an individual user guideline in January 2012 to remind officers of risk management issues in information security.

* Topics on personal data privacy and information security are included in the basic training courses for recruited police constables and probationary inspectors and the promotion course for junior managers, with an aim to augment officers' awareness of the importance of information security and to make clear for them the roles they play in this area.

* In the light of the latest amendments to the Ordinance, briefing sessions will be conducted in November 2012 to enhance officers' knowledge of the updated legislation.

Ends/Wednesday, November 21, 2012
Issued at HKT 16:31
