Press Releases
The Ombudsman comments on Registration and Electoral Office’s loss of two notebook computers containing electors’ personal data
18 July 2017
In the course of the 2017 Chief Executive (CE) Election, the Registration and Electoral Office (REO) lost two notebook computers, one containing the personal data of 3.78 million electors, which it had kept at AsiaWorld-Expo (AWE), the fallback venue for the Election. The Office of The Ombudsman received a number of public complaints over the past few months requesting investigation by the Office. The Office’s stance then was that since the Constitutional and Mainland Affairs Bureau (CMAB) had set up a Task Force to review the incident, and the Office of the Privacy Commissioner for Personal Data (PCPD) had commenced an investigation, the Office of The Ombudsman should, for better use of resources, wait until the Task Force and PCPD had completed their reports before deciding whether and how to follow up as necessary.
Having examined those two reports together with the Report on the 2017 Chief Executive Election published by the Electoral Affairs Commission (EAC), The Ombudsman, Ms Connie Lau, commented on the following today (July 18).
The three aforementioned reports have already detailed the causes and consequences of the incident, encompassing the reasons why the REO took the notebook computers loaded with the Electors Information Enquiry System (EES) to AWE, and the various inadequacies of the REO regarding the handling of personal data, information technology (IT) security, security arrangements for election venues, as well as its internal supervision and vetting systems. As those three reports have practically already covered all the different areas and quite a number of recommendations have been made, the Office of The Ombudsman considers it not necessary to conduct yet another investigation into the incident.
Nevertheless, the Office has special concern about the following two issues:
(1) Why did the REO allow its staff to freely carry the notebook computers containing the personal data of 3.78 million electors to AWE, just for the purpose of verifying the identities of Election Committee (EC) members (altogether 1,194 only) when necessary?
(2) Why did the REO allow its staff to leave the notebook computers mentioned above perfunctorily in an AWE room without the necessary security facilities?
In this connection, the Office has scrutinised relevant information and interviewed REO officers to gain a more in-depth understanding of the issues.
On issue (1), the REO explained to the Office that in terms of the IT arrangements, during its preparation for the 2017 CE Election it had only focused on the new measures that would be introduced. It had not bothered to review practices adopted in past elections or to consider whether those practices were still applicable to the current election. The use of the EES loaded with the personal data of all electors of Hong Kong in CE elections had been REO’s standard practice in the past two elections (in 2007 and 2012), so it was never discussed or reviewed at any work meetings for the 2017 CE Election. In short, other than the staff of the Information Technology Management Unit (ITMU) involved, no one in the REO knew that the notebook computers brought to AWE contained the personal data of Hong Kong’s 3.78 million electors, let alone raised any queries about such a practice in the preparation process.
Furthermore, trial runs conducted by the REO prior to the Election were just simulations using dummy data. As a result, the fact that the computer system actually contained the personal data of all electors in Hong Kong had not been brought to light. In mid-March 2017, a frontline staff member of the Elections Division happened to discover that his/her personal data could be retrieved from the EES. Upon enquiry by the immediate supervisor of that frontline staff member, ITMU staff explained that extracting the data of EC members under the current configuration of the EES was not practicable. In the event, no follow-up action was taken, and the notebook computers in question were carried to AWE without any further query from anyone.
As regards issue (2), the REO pointed out to the Office of The Ombudsman that stringent security measures had in fact been put in place at the main venue for the 2017 CE Election, i.e. the Hong Kong Convention and Exhibition Centre, with bar-locked cabinets there for storing the notebook computers. However, there were no such security measures at AWE, the fallback venue. Arrangements for keeping the notebook computers at AWE were made by the ITMU staff of the REO. The REO management did not know the details.
Comments of the Office of The Ombudsman
Regarding issue (1), the Office of The Ombudsman is of the view that REO staff, in taking the notebook computers loaded with the EES to AWE, were continuing in the same old habit of past CE Elections. REO officers of various ranks (including the management) paid no heed to the problem, and never questioned or corrected it. As a result, the REO defied common sense once again and took the computers loaded with the EES containing the personal data of all 3.78 million electors to the venue just to verify the identity of some 1,200 EC members.
Regarding issue (2), the REO had taken the question of IT security at AWE too lightly. Staff were free to place the notebook computers atop a carton box in a room to which other people also had access. They ignored the fact that IT security was of equal importance at AWE, the fallback venue, as it was in the main venue. The Office of The Ombudsman considers that the REO’s awareness of security risk had been too low, resulting in the loss of the two computers in the end.
Ms Connie Lau said, “In the incident, REO staff at various ranks just followed old practices and were careless. The ITMU staff involved ignored the importance of personal data protection. More significantly, the REO management should be held responsible for incomprehensive planning and ineffective monitoring. The Office of The Ombudsman urges the REO to take reference from the incident and implement as soon as possible the recommendations of the CMAB, PCPD and EAC, so as to avoid recurrence of similar incidents.”
Office of The Ombudsman
July 18, 2017