LCQ14: Outsourced IT projects involving handling of personal data
************************************************************

    Following is a question by the Hon Ma Lik and a written reply by the Secretary for Commerce, Industry and Technology, Mr Joseph W P Wong, in the Legislative Council today (April 26):

Question:

     In regard to government departments and statutory organisations outsourcing information technology projects, will the Government inform this Council:

(a) of the details, including the commissioning department/organisation, name of the contractor and the type of personal data involved, of the projects outsourced in the past three years in which the contractors or their employees had access to the personal data of members of the public; and

(b) how the government departments and statutory organisations concerned monitored their contractors' compliance with the information security policy and guidelines of the Government; of the number of cases in the past three years in which the contractors were found to have contravened the said policy or guidelines; and the details of such cases as well as the outcome of the handling of such cases?

Reply:

Madam President,

(a) According to information provided by departments and statutory organisations, there were 68 projects outsourced in the past three years in which the contractors or their employees can have access to personal data of members of the public.  Details of the commissioning department/organisation, name of the contractor and the type of personal data involved are provided in the Annex.  

(b) In monitoring their contractors' compliance with the Government's information security requirements, departments apply a number of measures such as verifying the contractors' security related documents and procedures; monitoring their work through management updates and operation reporting; conducting regular security risk assessment and audit for assurance.  They are also required by the security policy and guidelines to implement necessary procedures for the purpose of segregation of duties and checking.

     Based on information supplied by the relevant government departments and statutory organisations, there was no confirmed case in the past three years in which the contractors had contravened the said policy or guidelines.

     As to the earlier incident concerning the complaints lodged against the leakage of personal data by the Secretariat of the Independent Police Complaints Council (IPCC), the IPCC has already published a report on April 8, 2006.  However, no conclusion has been reached with regard to the liability of the contractor involved.

Ends/Wednesday, April 26, 2006
Issued at HKT 11:53
