A support centre run by the NGO Caritas Hong Kong has issued an apology after a social worker lost a USB flash drive containing personal information on over 100 university students.

In a statement released on Thursday night, the Caritas Family Crisis Support Centre – commissioned by the Hong Kong Polytechnic University (PolyU) to provide a counselling service hotline – apologised for leaking the personal data of 121 students after a staffer misplaced a data storage device on September 4.

Hong Kong Polytechnic University. File photo: PolyU.

The apology came a day after Yau Tsim Mong District Councillor Owan Li wrote on Facebook that he had received several requests for help from students, who said the centre had told them about the data breach but had not provided further information. Li said they were worried that their information might be used for illegal purposes.

The Caritas centre said it had strict guidelines for data privacy protection and the breach was due to personal negligence. It said it had reported the incident to police and the Office of the Privacy Commissioner for Personal Data and would take disciplinary measures against the employee responsible.

“We feel extremely sorry to the university and the students affected. We sincerely apologise for causing public disturbance and we will bear the responsibilities,” the support centre wrote, adding that it would set up a task force to prevent similar incidents in future.

Caritas Family Crisis Support Centre. Photo: Wikimedia Commons.

Li, who demanded an explanation from the Caritas centre, said the NGO had never responded to his letter. The district councillor accused the centre of “serious misconduct” in handling the loss of data, saying the public has lost confidence in the NGO: “[I] think Caritas should leave the social welfare sector as soon as possible.”

The support centre told local media that all information on the lost USB drive had been encrypted. This contradicted what PolyU told HKFP on Thursday — that some files which contained the personal data of a few students were not encrypted. HKFP contacted Caritas for clarification but had not received a response at the time of publication.

The university said it had asked the NGO to submit a detailed report on the incident and propose solutions for improvement. But the school did not say when it learned about the case, or whether the partnership with Caritas, which began in 2016, would be affected.

Privacy Commissioner for Personal Data. Photo: Inmediahk.net, via CC 2.0.

“The university reiterated that the centre should strictly comply with all the requirements regarding protection of personal data as specified in the tender documents. We will ensure that all necessary assistance and support are provided to the affected students,” the email reply from PolyU read.

In response to HKFP’s inquiry, the privacy watchdog said it had received a data breach notification from the Caritas centre but did not state when. It said details of the case could not be disclosed at this stage.

Ho Long Sze Kelly is a Hong Kong-based journalist covering politics, criminal justice, human rights, social welfare and education. As a Senior Reporter at Hong Kong Free Press, she has covered the aftermath of the 2019 extradition bill protests and the Covid-19 pandemic extensively, as well as documented the transformation of her home city under the Beijing-imposed national security law.

Kelly has a bachelor's degree in Journalism from the University of Hong Kong, with a second major in Politics and Public Administration. Prior to joining HKFP in 2020, she was on the frontlines covering the 2019 citywide unrest for South China Morning Post’s Young Post. She also covered sports and youth-related issues.