Hong Kong Police act over peer-to-peer data leakage

Friday, 3 September 2010

Central Government, Policy, Security, Technology

By Jianggan Li | 11 December 2009

Hong Kong Police Force has disciplined 21 officers over leaks in police data, according to Justice of Peace Roderick Woo Bun, Privacy Commissioner for Personal Data in the territory.

Photos

View photos

Related Categories

From this Section

NEWS

Woo paid a visit to Police Commissioner Tang King-shing on Monday to discuss the recent appearance on the internet of confidential police documents on blackmail and criminal damages cases. The files are believed to have been uploaded through Foxy, a file-sharing software application.

Tang revealed that the total of 28 personal data leaks discovered by last Friday were not caused by hackers or failures of the Police Force’s IT system, but by staff saving copies of police documents on their personal computers. These documents were said to be intended as templates for future use and the computers were installed with per-to-peer file-sharing application.

“Personal data collected by the Police in discharge of its law enforcement duties are often sensitive in nature as they may be associated with the investigation of crimes,” Woo said. “A high duty of care is expected of the Police in protecting the personal data privacy of individuals especially in connection with the information obtained from suspects or from witnesses to ensure that accidental or unauthorized access are minimised.”

“This is important not only in terms of protecting personal data privacy but also for the maintenance of the public’s confidence in the Police’s investigative process,” Woo added.

The Commissioners discussed about the available options to strengthen personal data protection, including access control and provision of a secure IT environment for police officers.

The Police Force has notified the affected persons so that they can stay alert. In the meantime, investigation with 26 of the incidents have been accomplished with 21 police officers disciplined.

The Police Force had run a sanitisation exercise, which completed in July 2008, to rid all Police common terminals of classified and/or personal data. A second round exercise was undertaken in February this year. The Police have also introduced 2800 USB drives with e-Cert encryption for inspectorate officers to store and transmit classified data.

The Privacy Commissioner said he was satisfied by the mitigation measures the Police Force has taken so far.

The force has also run seminars and workshops to brief its staff about the risk of peer-to-peer sharing, and internal cyber patrols have been deployed to prevent reoccurrence of data leakage incident.

Tang added that there might be further online spread of these personal data but he said it could be a manifestation of the leakages originated from previous online data security breaches.

The Privacy Commissioner is currently investigating into the cases. Saying that he will consider whether to launch an inspection of the policy data security system in order to make recommendations to the Police Commissioner, Woo however adds that the resources and manpower constraint might affect his decision.

Office of the Privacy Commissioner for Personal Data, established under the territory’s Personal Dat (Privacy) Ordinance, is a statutory body commissioned to protect personal data privacy of individuals and to ensure compliances with the Ordinance.