Hong Kong’s Privacy Commissioner for Personal Data, Ada Chung Lai-ling, said most personal data leaks in the city stem from employee negligence rather than systemic failures, calling such mistakes “unacceptable.”
Her comments came as her office yesterday revealed eight cases of personal data breaches in violation of the Privacy Ordinance, with one involving an insurance company mistakenly reusing customers’ identity card copies as scrap paper for printing, leading to a data leak.
Speaking on a radio program Tuesday, Chung said “these are mistakes that shouldn’t happen even with basic privacy awareness,” urging companies to strengthen staff training and supervision.
Among the eight cases, the Office of the Privacy Commissioner for Personal Data (PCPD) issued enforcement notices for two cases, warning letters for three, and advisory letters for the remaining three.
In the first half of this year, the PCPD received 97 data breach reports—a figure consistent with last year’s numbers.
Reused documents lead to data leak
In one case, an insurance company—despite having policies and a contracted recycling vendor for secure document disposal—allowed staff to repurpose discarded resumes and ID copies as scrap paper.
These documents, containing sensitive personal data, were then mistakenly sent to external parties.
Chung called the error "unacceptable," noting that while the company had proper procedures in place, an employee’s oversight caused the breach. The insurer has since reminded staff of proper protocols, and the PCPD confirmed the number of affected individuals was small.
Calls for contingency plans
Chung emphasized that while Hong Kong businesses have generally improved in data protection awareness, stricter oversight is needed to ensure compliance. She recommended simplifying workflows with visual guides and regular audits.
Additionally, the PCPD encouraged organizations to establish data breach response plans to mitigate risks and handle incidents efficiently.
"A well-prepared plan helps contain damage and respond swiftly," Chung added.