The Privacy Commissioner for Personal Data has said that the Education University violated privacy regulations when it leaked CCTV screenshots earlier this month. The images appeared to show the individuals who posted slogans on campus “congratulating” education deputy Choi Yuk-lin over the death of her son.

After the messages appeared, EdUHK President Stephen Cheung said that the school was using security camera imagery to identify the responsible parties. A few hours after his statement, a CCTV screenshot leaked online of two men sticking up pieces of paper on the student union’s Democracy Wall. The university later said it strongly regretted the leak and would notify the Privacy Commissioner for Personal Data of the incident.

Signs saying “Congratulations Choi Yuk-lin on the death of your son” appeared on top of other signs protesting the removal of banners advocating independence on Education University’s Democracy Wall. Photo: Chung Kim Wah/Facebook.

The incident took place amid heated debate and minor clashes concerning the emergence of pro-independence banners across university campuses.

Whatsapp leak

The privacy watchdog said on Wednesday that the security guards had gone over the security footage and obtained two screenshots, then sent them to a Whatsapp messaging group of the university’s management. Some members of the group forwarded the pictures to 13 other teaching staff members and one student, so that they could assist in recognising the individuals.

The watchdog found that, whilst it was not against regulations for the university to transmit the information through Whatsapp, it should have reminded members of the group that the information was confidential and should not be forwarded. The pictures should have also been deleted once the task was completed, it said.

It also pointed out that the university did not take appropriate measures to prevent the pictures from being forwarded to different people indefinitely, or consider whether there was a need to forward them to the intended recipients – as well as whether the recipients were trustworthy.

“Because the Education University did not take all reasonable measures to ensure that the personal data of the two individuals are protected, it has violated data protection principle number 4.”

The principle states that “A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.”

A sign at Lingnan University, another university in Hong Kong. Photo: In-Media.

Following recommendations by the watchdog, the Education University established privacy guidelines in the group with regards to the circulation of personal information and pictures, set up policies and procedures over CCTV surveillance, and came up with detailed working directions for CCTV operations staff, the privacy commissioner added.

The watchdog also said that although CCTV surveillance has always been a topic of controversy, in many circumstances involving security and crime it was not only effective, but necessary.

Privacy Commissioner Stephen Wong said that although privacy protection was a human right, it was not absolute and should not act as a “safe harbour” for those who broke regulations or the law.

He added that where there are instances of crime, misconduct, dishonesty or cheating, in order to immediately and effectively detect these behaviour and based on the urgency of arrest and detention, “the privacy of these individuals will not override overall interests of society.”

Karen is a journalist and writer covering politics and legal affairs in Hong Kong for HKFP. She has also written features on human rights, public space, regional legal developments, social and grassroots activism, and arts & culture. She is a BA and LLB graduate from the University of Hong Kong.