Warning over leak of companies' details

PUBLISHED : Wednesday, 18 April, 2007, 12:00am
UPDATED : Wednesday, 18 April, 2007, 12:00am

Privacy watchdog acts on website data

The privacy commissioner has issued a written warning to the director of the Intellectual Property Department (IPD) for posting the confidential data of hundreds of companies on its website.

Roderick Woo Bun has completed an inquiry into the disclosure of sensitive business data on the department's website, according to a press release issued by his office last night.

The investigation was launched this month after the Sunday Morning Post reported that sensitive business information and personal data relating to trademark proceedings, belonging to hundreds of companies, were made available online after the department uploaded the data onto its website.

It put the information on the website to allow people to search and check whether a trademark application had been submitted, opposed or registered.

The leaked information included details of company turnover, profit margins, invoices and business registration licences, and copies of employees' passports.

'The commissioner was of the view that the IPD should not allow uncontrolled access by internet users to personal data online, even though the disclosure was intended by IPD to fulfil its statutory duty,' the statement said.

Mr Woo said the disclosure of a person's personal data without his or her consent was an invasion of privacy.

'The fact that a particular type of personal data is passively collected through a website does not mean that the personal data should automatically be published on the internet,' he said.

Directed by the commissioner, the director of intellectual property has formed a list of remedial steps to be implemented.

The list includes posting a privacy policy statement on the department's website that sets out the specified purposes of information posted there.

Other measures include identifying all individuals whose personal data had been published on the internet and informing them of the disclosure in writing, and providing guidelines for employees on handling personal data.

Speaking at the Legislative Council's commerce and industry panel meeting yesterday, Director of Intellectual Property Stephen Selby said the measures would be taken to avoid similar incidents.

Under data protection principle No 3 of the Personal Data (Privacy) Ordinance, personal information cannot be used for purposes other than those for which it was originally collected without the consent of the subject.

The latest potentially damaging mishap follows the discovery on the web about a year ago of personal details belonging to 20,000 people who had registered complaints against the police.

The accidental leak by the Independent Police Complaints Council gave information on complaints against the police force between 1996 and 2004.

Details that were revealed on the website at that time included the dates the complaints were filed, the full names and addresses of the complainants, details of alleged offences, the names and other particulars of the concerned police officers and the outcome of the complaints.

Internet blunder

Complainants against police were exposed by a data release last year

Number of people whose information was inappropriately put on the Net: 20,000