A member of staff at Hong Kong’s Registration and Electoral Office (REO) was found to have “committed gross misconduct of negligence” when handling personal data after documents containing some 15,000 electors’ details were sent to an unknown recipient, a report into the incident has revealed.
The data breach occurred in March, when the REO employee wrongly sent two Excel files containing 15,070 electors’ particulars to herself but entered the wrong email address, the REO report released on Tuesday said.
The files included electors’ names and their residential or registered addresses. There was no other personal data such as ID card number, dates of birth and gender, the report stated.
The REO said it reported the incident to the Electoral Affairs Commission, the Constitutional and Mainland Affairs Bureau and the Office of the Government Chief Information Officer. The police also launched an investigation and contacted the unintended recipient of the email, which was not opened and had been deleted.
The staff member was found to have not followed guidelines prohibiting the use of “personal email accounts of official duties or for transmitting classified information or personal data.”
“The REO is taking follow-up action against the staff member concerned under the existing civil service disciplinary mechanism,” the report said, adding that technological restrictions had since been imposed to prevent any similar incidents from occurring again.
The REO on Tuesday released a second report into a separate incident involving the chief executive election, when an REO worker in April wrongly attached a reply slip containing the personal data of an Election Committee (EC) member to 64 other members or their assistants.
The 1,500-strong committee was responsible for determining the city’s leader, John Lee, who ran uncontested to helm Hong Kong.
According to the report, REO collected the email addresses and mobile phone numbers from EC members and their assistants in a form of a reply slip in early April. The data was used to inform them of the most updated electoral and contingency arrangements on polling day.
The report said that REO issued a total of 13 batches of test emails to 848 EC members and their assistants on April 28. Later that day, the office discovered that “a soft copy of the reply slip returned by an EC member to REO in early April 2022 was wrongly attached in a test email issued to 64 EC members or their assistants.”
The affected member was not named in the report, but it said “[t]he personal data involves the names, email addresses and mobile phone numbers of the concerned EC member and his assistant, as well as the signature of the EC member.”
The REO concluded that the copy of the reply slip had been “accidentally attached” and said the breach was immediately reported to the relevant authorities and the unintended recipients were asked to delete the attachment “immediately and permanently.” The staff member involved was “deployed away from his existing duty and would not be assigned with duties involving the handling of personal data,” and would be investigated.
The authority said it would review the workflow of handling personal data and make necessary enhancements.
Help safeguard press freedom & keep HKFP free for all readers by supporting our team
Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.