Police and Hospital Authority warned by watchdog over loss of private data
Watchdog orders force and Hospital Authority to improve procedures or risk prosecution after inquiry into lost notebooks and patient records
The privacy watchdog has slammed the police for losing notebooks containing personal information on 285 Hongkongers in 11 incidents between October 2011 and January this year.
The Office of the Privacy Commissioner also criticised the Hospital Authority for negligence in the monitoring of a waste-disposal contractor which failed to destroy patients' data securely.
The commissioner issued enforcement notices to both organisations, setting out ways to improve their procedures. Failure to comply with such a notice is a criminal offence.
In one "extreme" case, a police officer - whose rank has not been revealed - inadvertently left a paper bag containing 17 notebooks on a bus on October 31 last year. The notebooks contained the names, addresses and identity card numbers of 41 people.
The commissioner, Allan Chiang Yam-wang, said the officer "blatantly failed to observe the requirements of the police orders" which require an officer to return his or her used notebook upon receiving a new one.
Chiang said the police lacked a comprehensive and effective supervision and monitoring system to safeguard documents containing personal data.
A requirement that supervising officers make checks when issuing new notebooks and allowing officers to retain used ones was not strictly enforced, the commissioner found. The officer still had notebooks dating back as far as 2007, the commissioner said.
Police appealed to the public for the return of the notebooks after they were found to be missing, the commissioner's office said. Disciplinary action against the officer is continuing, while his two supervisors will not face action as they have retired.
The enforcement notices require the police to establish extra security procedures and tighten supervision. The commissioner suggested that the force review the design of uniforms and equipment so that documents could be carried more securely, and remind officers of the importance of data protection.
The commissioner also ordered the Hospital Authority to review waste-disposal procedures. Its contractor was found to have failed to destroy a roll of used printer ribbons, containing the personal details of 16 patients, and shredded medical appointment slips, containing details of an unknown number of patients. The media reported that the ribbons and slips were found outside the Fanling factory of contractor Confidential Materials Destruction last year.
The commissioner said the authority remained responsible for any unauthorised access to the data and should have made more frequent inspections.
With the government due to introduce a new electronic system for sharing health records, Chiang said it was "imperative" for the authority to "measure up and demonstrate to the public its commitment to ensuring privacy and data protection".
The police force said it would study the commissioner's report, while the Hospital Authority said it had tightened security.