Warning over leak of details
Watchdog acts on website data
The privacy commissioner has issued a written warning to the director of the Intellectual Property Department (IPD) for posting the confidential data of hundreds of companies on its website.
Roderick Woo Bun has completed an inquiry into the disclosure of sensitive business data on the department's website, according to a press release issued by his office last night.
The investigation was launched this month after the Sunday Morning Post reported that sensitive business information and personal data relating to trademark proceedings belonging to hundreds of companies were made available online after the department uploaded the data onto its website.
It put the information on the website to allow people to search and check whether a trademark application had been submitted, opposed or registered.
The leaked information included details of company turnover, profit margins, invoices and business registration licences, and copies of employees' passports.
'The commissioner was of the view that the IPD should not allow uncontrolled access by internet users to personal data online, even though the disclosure was intended by IPD to fulfil its statutory duty,' the statement said.
Mr Woo said the disclosure of a person's personal data without his or her consent was an invasion of privacy.
'The fact that a particular type of personal data is passively collected through a website does not mean that the personal data should automatically be published on the internet,' he said.
Directed by the commissioner, the director of intellectual property has formed a list of remedial steps to be implemented.
Other measures include identifying all individuals whose personal data had been published on the internet and informing them of the disclosure in writing, and providing guidelines for employees on handling personal data.
Speaking at the Legislative Council's commerce and industry panel meeting yesterday, Director of Intellectual Property Stephen Selby said the measures would be taken to avoid similar incidents.
Under data protection principle No3 of the Personal Data (Privacy) Ordinance, personal information cannot be used for purposes other than those for which it was originally collected without the consent of the subject.
The latest potentially damaging mishap follows the discovery on the web about a year ago of personal details belonging to 20,000 people who had registered complaints against the police.