The privacy commissioner yesterday criticized the Independent Police
Complaints Council (IPCC) for failing to protect personal data of complainants
while the council complained they had not been given the opportunity to present
its case.
The incident took place in March when the personal information of about
20,000 persons was found on a certain website, and it was subsequently revealed
they were records of people who had lodged complaints with the IPCC.
Those information was put on the web by a contractor company who was testing
a new computer system for IPCC.
Office of the Privacy Commissioner for Personal Data (OPCPD) investigated the
matter and yesterday the commissioner Roderick Woo Bun announced completion of
the report.
Woo said that IPCC had breached the Personal Data (Privacy) Ordinance and his
office had formally demanded IPCC to make improvements.
So far the OPCPD has received 55 complaints concerning the information
leakage, he said.
He pointed out that IPCC had failed to employ sufficient measures to protect
those information, and there was a lack of discussion among the IPCC staffer
handling the information, his supervisor and the contractor as to whether or not
to use fake information for testing. Moreover, there were no clear guidelines in
the security notice on handling the classified information issued by IPCC to its
employees.
Woo said the IPCC's submission admitted that the incident was the fault of
the information user. He cited the submission as saying that since IPCC was not
user of the information and the employee concerned had resigned, it could not
take part in the hearings.
Woo said his office did not accept the IPCC stance since it considered IPCC a
user of the information concerned.
Countering the OPCPD report, IPCC Chairman Ronny Wong, however, said in a
press conference later that the council was not given the opportunity to
explain. He accused the OPCPD of quoting out of context when it said in the
report that the IPCC totally accepted that the incident was the information
user's fault.
He said the report also failed to mention the government's responsibility,
and that it was not fair to ask them to shoulder the blame for the IPCC
Secretariat. The OPCPD has confused the duties of the IPCC and its secretariat,
he stressed.
In a statement, a government spokesman said that the Administration respected
the course of action taken by the Privacy Commissioner in accordance with the
Personal Data (Privacy) Ordinance.