Two government mobile phones containing the personal data of 122 residents in mandatory coronavirus quarantine have gone missing, raising concerns over a potential data breach.
The Office of the Government Chief Information Officer (OGCIO) announced the suspected theft on Wednesday after their staff conducted an inventory check of all 170 phones on Tuesday night.
The two missing phones were used at OGCIO’s temporary communication centre at the Customs and Excise Department head office in North Point. They were used to ensure persons under compulsory home quarantine remained in their residence through the collection of real-time locations and via video calls.
“A total of 122 persons had been contacted via the two mobile phones for monitoring purposes. Names, telephone numbers, shared locations and photos of these persons but no detailed addresses are stored in the phones,” the OGCIO said.
“The mobile phones are password-protected with information encrypted. The OGCIO has already terminated the communication services of the two phones,” the office added.
First detected in Hubei, China, more than 75,000 people globally have been infected with Covid-19, whilst over 2,100 have died from the disease. Hundreds of arrivals from infected areas are “self-quarantined” in their homes and hotels across Hong Kong, which has seen 65 cases and two deaths.
The OGCIO expressed regret over the incident and apologised to the residents concerned, adding they would step up information security immediately to avoid the recurrence of similar incidents.
The office reminded those affected to remove contacts with the two mobile phones, and advised them to inform the OGCIO and follow up with the Police if they had received any suspicious calls.
The Privacy Commissioner Stephen Wong had been informed of the potential data breach according to a statement issued by the office of the Privacy Commissioner for Personal Data (PCPD) on Wednesday evening. The privacy watchdog said they would conduct follow-ups and launch a compliance check to acquire more details.
It is not the first time government departments have lost electronic devices which stored personal information. In April 2017, the Census and Statistics Department admitted it lost two electronic tablets containing details of 12 households – involving 46 persons – during the population by-census in the previous summer.
It was revealed just days after the Registration and Electoral Office announced that it lost two laptops which contained the personal data of all registered voters.
Under the current Personal Data (Privacy) Ordinance, data users are advised to handle data breach incidents properly by reporting them to the PCPD, yet it is not a statutory requirement. There have been calls for a review of the ordinance, in particular, to study the necessity and feasibility of introducing of a mandatory notification mechanism.