Arguably the worst personal data breach in Hong Kong, the incident came to light on March 27 when electoral officers went to pack up at the AsiaWorld-Expo, fallback venue for the election of the city’s leader the day before. Two notebook computers stored in a room were missing, presumably stolen.

One contained the names of the roughly 1,200 members of the Election Committee that picks the chief executive. The other contained information about all Hong Kong’s registered voters, including their names, addresses, ID card numbers, and the geographical constituencies in which they were registered.

Police classified the case as theft.

In a special Legislative Council panel meeting in April, electoral officials claimed the practice of storing all voters’ data in a computer was for cross-checking information of Election Committee members when needed. They maintained the risk of a leak was low because the data had undergone “multiple layers of encryptions”.

But the Privacy Commissioner’s report criticised this practice, saying it was “not well thought out or adaptive to the special circumstances of the case”.

The commissioner has served an enforcement notice on the electoral office, directing it to take remedial and preventive measures, including no longer using data of the wider electorate when handling inquiries in chief executive elections.

As for the loss of the computer containing the names of Election Committee members, the commissioner was satisfied there was no breach of privacy regulations as information was were already publicly available.

A spokesman for the Constitutional and Mainland Affairs Bureau said it would study the report and follow up on the recommendations.

A separate government task force looking into the incident is expected to release its report on Tuesday.