Data loss sparks call for damages
Yvonne Tsui and Martin Wong
Government payouts urged by legal experts
The government should take the initiative to compensate patients who had copies of their personal details, including medical records, lost by the Hospital Authority, lawyers said yesterday.
Legal claims would probably follow the loss of the data of 665 young disabled patients, said solicitor Thomas Tse Lin-chung, who helped activist Lau Shan-ching make a compensation claim in the District Court over the Independent Police Complaints Council's data leak in 2006. Mr Tse said personal data leaks warranted damages claims for government negligence.
'Once there is a leak, victims are pressured by potential misuse and further disclosure of the details,' he said. 'The victims suffer psychological impact and stress. In court, we say this is injury to feelings.
'But it is so obviously the government's mistake. Why should the victims bear the burden of proving the consequential loss and damages that follow the event?'
Civic Party legislator Audrey Eu Yuet-mee, who is also a senior counsel, said: 'It is advisable for the government to take the initiative to set up a compensation scheme for people victimised in this event. This is what a responsible government should do.
'Litigation always involves a lot of time and money, and that actually costs a person a lot to go through the procedure. If something is kept properly, it will not go missing. By common sense, we all know it can be negligence to an extent.'
The Office of the Privacy Commissioner for Personal Data said yesterday the victims could be at risk of criminal fraud and urged them to be vigilant because the information was not encrypted. It reminded them to be cautious when dealing with phone calls from people who claimed to represent health authorities.
It said it had been informed of the case and had contacted the Department of Health to see if its data handling complied with the Personal Data (Privacy) Ordinance. According to the ordinance, all practicable steps should be taken to ensure that personal data held by a data user is protected against unauthorised or accidental access, but failure to do so is not a criminal offence.
Samson Tam Wai-ho, chairman of the Institution of Engineers' information technology division, said encrypted USB flash drives should be used to store confidential data. 'The difference in price between an ordinary USB disc and one with password-enabled software is only 10 per cent. Or else, one can download it via the internet,' he said.
The Police Complaints Council was blamed for one of the city's largest personal data infringement cases in March 2006 after data including the names, addresses and criminal records of about 20,000 people who had complained about the police was published on China2easy.com, and had been there for three years.