EMSD responds to PCPD report
The Electrical and Mechanical Services Department (EMSD) noted that the Office of the Privacy Commissioner for Personal Data (PCPD) has completed its investigation of the leakage of personal data from an online server platform of the EMSD's contractor, and released the investigation report today (December 9). The personal data were collected by the EMSD in "restriction-testing declaration" operations to combat COVID-19 in 2022. The EMSD will study the report in detail for stringent and appropriate follow-up actions.
The EMSD attaches great importance to information security and personal data privacy. Relevant policies and guidelines (including the retention period of personal data) have been formulated and circulated to staff regularly. The procurement terms between the EMSD and the contractor providing the online server platform stated that the relevant data would be deleted after termination of the service, and the EMSD had clearly informed the contractor of the expiry of the service by the end of February 2023. Since noticing the leakage of the data on April 30, 2024, the EMSD has been acting in a proactive and responsible manner in reporting the case to law enforcement agencies, and has been co-operating with the PCPD on the investigation. Noting that the PCPD had announced earlier that there were cases of leakage of personal data involving the same online server platform provided by the contractor during the same period, the EMSD immediately conducted an in-depth enquiry with the contractor about the operational details of the server platform to ensure the complete removal of the relevant data.
Having consolidated the experience from this incident, the EMSD is committed to establishing a more robust privacy security framework and a corporate culture for personal data protection to prevent the recurrence of similar incidents. It has since taken a series of measures, including reinforcing privacy management, holistically reviewing and enhancing guidelines on handling personal data, stepping up staff training, and monitoring contractors of online server platforms. It will also enhance computer system support, including developing a dedicated platform to store personal data on its own server. For outsourced services involving the handling of personal data, the EMSD will remind the contractor to delete the relevant data by the end of the retention period, and will proactively check with the contractor to confirm that the deletion of personal data has been completed.