Privacy chief needs tools to plug data loopholes
The privacy of personal and confidential data stored on the internet is a sensitive issue that directly affects us all. The law places a clear duty of care on those responsible for putting it there. This was brought home forcibly only a year ago.
A security lapse resulted in the personal particulars of about 20,000 people who had filed complaints against the police to the Independent Police Complaints Council, and the names and mobile phone numbers of 900 police officers, being posted on the internet. This sparked a seven-month investigation by the Privacy Commissioner, who blamed the council.
It was a sharp reminder to both the government and private sector of their responsibility in ensuring the security of the vast array of personal data they have collected. Yet within months, as we reveal today, there has been another breach - in spirit, if not of the letter - of the Personal Data (Privacy) Ordinance that will give rise to public unease.
The case involves the Intellectual Property Department, which set up an online trademark search system to allow people to check whether a trademark has been applied for, opposed, or registered. But the service has led to the disclosure of confidential business details of hundreds of companies that have opposed trademark applications.
The department is required to make basic information available for inspection and it set up the online service to enhance the efficiency of this service. It seems unforgivable that no care was taken to ensure that commercially sensitive information and personal particulars also entrusted to the department were not made freely available to the public, including business competitors.
The Privacy Commissioner is to look into the matter. But an unqualified apology from the Intellectual Property Department is called for without waiting for the outcome. A spokeswoman for the commissioner's office said a data user 'shall be cautious to ensure that only personal data required for fulfilling the purpose of use are disclosed, particularly when sensitive personal data are involved ...'. There is clearly a case to answer.
All of us have yielded volumes of personal particulars to government and non-government databases. We have done so on the assurance that there will be no disclosure that has not been explicitly authorised either by ourselves or by law. It is a system based on consent and trust - trust in compliance with the law. That includes rigorous policing of the risk of human error and oversight.
Privacy expert John Bacon-Shone, of the University of Hong Kong, told this newspaper recently that the potential problem was not one of policy loopholes but security issues and a lack of awareness of how sensitive personal data ought to be handled. The Privacy Commissioner, Roderick Woo Bun, has foreshadowed closer scrutiny of compliance with the ordinance. Even for this limited measure, Mr Woo says he will need more resources from the government.
Public confidence in the privacy regime is paramount. The government would be sensible to consider providing the Privacy Commission with the resources to adopt a more comprehensive and aggressive stance on compliance.