Privacy chief launches inquiry into data gaffe

PUBLISHED : Tuesday, 03 April, 2007, 12:00am
UPDATED : Tuesday, 03 April, 2007, 12:00am

Privacy Commissioner Roderick Woo Bun yesterday launched an urgent investigation into the disclosure of sensitive business data on the website of the Intellectual Property Department.

'In light of the public interest that has been aroused, I am looking into this incident with urgency,' Mr Woo said. 'I am seriously concerned with the management and use of personal data by government departments that hold a large quantity of personal data, in particular when such personal data are made publicly available.'

The confidential information, belonging to hundreds of companies, was made available online after the department uploaded the data onto its website to allow people to search and check whether a trademark application had been submitted, opposed or registered.

Public access to the website link has been disabled.

Director of Intellectual Property Stephen Selby has blamed himself for the wrongful disclosure of sensitive personal and business data on the department's website and said the case warrants disciplinary action.

A team led by Mr Woo's deputy, Bonnie Smith, interviewed Mr Selby and his senior staff over the incident. The commissioner's office said the meeting lasted more than an hour.

The leaked information included details of company turnover, profit margins, invoices and business registration licences, as well as copies of employees' passports.

Mr Selby said disciplinary action might be justified but insisted his staff members were not to blame.

'I do believe this involves a disciplinary case. I accept that we haven't done as much as we should have, and I should hold myself responsible for that. But I wouldn't say any of my staff have done anything wrong in terms of discipline.'

He said it was not necessary to disclose personal details when opposing trademark applications.

A government spokesman said the department hoped to finish collecting data and records related to the case by Friday, and the companies affected would be made aware of the department's actions.

Under data protection principle No3 of the Personal Data (Privacy) Ordinance, personal information cannot be used for purposes other than those for which it was originally collected without the consent of the subject.

The latest, potentially damaging, mishap follows the discovery on the web about a year ago of personal details belonging to 20,000 people who had registered complaints against the police. The accidental leak by the Independent Police Complaints Council gave information of complaints against the police force between 1996 and 2004.

Details included the dates the complaints were filed, the full names and addresses of the complainants, details of alleged offences, the names and other particulars of the concerned police officers, and the outcome of the complaints.