IPCC rapped for personal data leak

(China Daily HK Edition)
Updated: 2006-10-27 09:16

The privacy commissioner yesterday criticized the Independent Police Complaints Council (IPCC) for failing to protect the personal data of complainants, while the council complained that it had not been given the opportunity to present its case.

The incident took place in March when the personal information of about 20,000 persons was found on a certain website, and it was subsequently revealed they were records of people who had lodged complaints with the IPCC.

That information was put on the web by a contractor company that was testing a new computer system for the IPCC.

The Office of the Privacy Commissioner for Personal Data (OPCPD) investigated the matter, and yesterday the commissioner, Roderick Woo Bun, announced completion of the report.

Woo said that the IPCC had breached the Personal Data (Privacy) Ordinance and his office had formally demanded that the IPCC make improvements.

So far the OPCPD has received 55 complaints concerning the information leakage, he said.

He pointed out that the IPCC had failed to employ sufficient measures to protect that information, and there was a lack of discussion among the IPCC staffer handling the information, his supervisor and the contractor as to whether or not to use fake information for testing. Moreover, there were no clear guidelines in the security notice on handling the classified information issued by the IPCC to its employees.

Woo said the IPCC's submission admitted that the incident was the fault of the information user. He cited the submission as saying that since the IPCC was not a user of the information and the employee concerned had resigned, it could not take part in the hearings.

Woo said his office did not accept the IPCC's stance since it considered the IPCC a user of the information concerned.

Countering the OPCPD report, IPCC Chairman Ronny Wong, however, said in a press conference later that the council was not given the opportunity to explain. He accused the OPCPD of quoting out of context when it said in the report that the IPCC totally accepted that the incident was the information user's fault.

He said the report also failed to mention the government's responsibility, and that it was not fair to ask them to shoulder the blame for the IPCC Secretariat. The OPCPD has confused the duties of the IPCC and its secretariat, he stressed.

In a statement, a government spokesman said that the Administration respected the course of action taken by the Privacy Commissioner in accordance with the Personal Data (Privacy) Ordinance.