LCQ1: Information security regulations and policies
***************************************************

    Following is a question by the Hon Tsang Yok-sing and a reply by the Secretary for Commerce and Economic Development, Mr Frederick Ma, in the Legislative Council today (May 28):

Question:

    Regarding the leakage of personal data of the public by government departments and public organisations, will the Government inform this Council:

(a) of the total number of such cases in the past three years and the number of people whose data were involved in those cases; among such cases, the number of those in which the authorities concerned had informed the Police, the Office of the Privacy Commissioner for Personal Data and the people affected about the leakage;

(b) whether various government departments and public organisations have issued to their staff guidelines, stipulating the restrictions on the access, downloading, copying and sending of personal data of members of the public through computers and their accessories (such as USB memory sticks and card readers), security standards and procedure on reporting loss of data; if they have, of the contents of such guidelines; if not, whether such guidelines will be issued; and

(c) whether various government departments and public organisations have plans to review the existing information security measures and systems, and enhance staff awareness of information security; if they have, of the details; if not, the reasons for that?

Reply:

Madam President,

    Regarding the questions raised by the Hon Tsang Yok-sing, my reply is as follows:

(a) In the past three years up to May 22, 2008, 14 incidents involving the leakage of personal data of around 1,900 citizens were reported by Government Bureaux/Departments (B/Ds). During the same period, 16 personal data leakage incidents occurred in public organisations, involving about 44,000 citizens. At present, data users are not required to report leakage of personal data to the Privacy Commissioner for Personal Data under the Personal Data (Privacy) Ordinance. However, the Government has issued internal guidelines requiring B/Ds to report information leakage incidents to the central incident response office, which comprises members from the Office of the Government Chief Information Officer (OGCIO), Security Bureau (SB) and the Police. Of the above 30 cases, seven government departments and public organisations had notified the Police, the Privacy Commissioner and the affected citizens. For the other 23 cases (which might involve crimes like theft, or where the persons' contact information was not available), the government departments and public organisations concerned had suitably reported to the relevant parties.

(b) Government has developed a comprehensive set of information security regulations and policies and has promulgated these to B/Ds. These regulations, policies and associated procedures and guidelines were developed with reference to international best practices and are reviewed from time to time to reflect changes in technology and security threats. The topics covered include access control to information systems and data, office security, software asset management and authorisation requirements for using software not supplied by Government. B/Ds are also required to periodically remind their staff including contract staff about the need to comply with information security provisions and provide training to them where necessary.

    For public bodies, B/Ds which have purview over them will take into account the government security regulations and policies in their respective regulatory or administrative arrangements with the public bodies. Public bodies are generally recommended to adopt or reference government information security related policies, guidelines and technical information when formulating and implementing their own information security policy, programme and plans.

    In case security incidents do occur, individual B/Ds are responsible for conducting initial investigations in the first instance. They are required to report the incidents to a central incident response office if the incident involves personal data or classified information, and if the incidents affect public services or the Government.

    The afore-mentioned central incident response reporting mechanism does not cover public bodies. I understand that public bodies will deal with the incidents in accordance with any applicable legislation or regulations. They may also consider making public announcements about the incidents depending on the circumstances of the individual cases.

(c) While the investigations into some of these incidents are still in progress, the preliminary findings are that most of the incidents were caused by a lack of awareness and/or alertness regarding the established information security regulations, policies and guidelines, especially on the use of portable electronic devices and file sharing software. As an immediate measure, two reminders have been issued to all Government staff, including contract staff, about their obligations to protect government information systems and classified/personal data. To further enhance staff awareness of and facilitate their compliance with information security requirements, the OGCIO and SB, with the support of the Civil Service Bureau, are working closely with departmental IT security officers to design a communication programme to impress upon all staff the importance attached by the Government to information security and data privacy, and to build and sustain a high level of awareness, vigilance and commitment among all staff. The handling of official documents outside the office, or from home, will be a particular area of focus in these programmes.

    On the governance side, the Government has established mechanisms for reviewing our information security management framework and measures to facilitate compliance by B/Ds. The OGCIO and SB play a leading role in this, with participation by other administrative, civil service training and law enforcement agencies on a need basis. The Government will review the information security policies, guidelines and facilitation measures in the next three to four months addressing these recent issues.

    For public bodies, again the B/Ds which have purview over them are expected to convey the latest developments in the Government for their adoption and/or reference.

Ends/Wednesday, May 28, 2008
Issued at HKT 12:39
