Read More
The Office of the Privacy Commissioner for Personal Data (PCPD) released its investigation report regarding the data leak incident that the Electrical and Mechanical Services Department (EMSD) reported back in April.
ADVERTISEMENT
SCROLL TO CONTINUE WITH CONTENT
The incident involved the personal information of over 17,000 residents, collected for compulsory testing during the pandemic, including their names, phone numbers, ID card numbers, addresses, vaccination status and diagnosis records. The data was collected between March and July 2022.
The privacy watchdog said EMSD failed to comply with the Personal Data (Privacy) Ordinance requirements, as the citizens' data could be searched on the cloud platform used by EMSD.
It added that EMSD has "fallen short of reasonable expectations of the public."
Privacy Commissioner Ada Chung Lai-ling said EMSD failed to establish a written policy for the retention period of personal data and did not request the contractor to delete the relevant data after the usage.
She added that EMSD was also responsible for failing to proactively delete the personal data and not following up with the contractor on the data deletion.
She stressed that the Department could not sit back and wait for the contractor to act, nor could it solely rely on the contractor without actively monitoring progress, as the approach constituted notable deficiencies.
