The Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong recently published significant investigation findings concerning the data breach incident involving the Electrical and Mechanical Services Department (EMSD).
Data Breach Incident of EMSD
According to the published findings, the investigation was initiated after EMSD reported a potential data breach on May 1, 2024, suspecting that personal data related to COVID-19 testing conducted in 2022 had been leaked. The breach affected the personal data of over 17,000 individuals, including sensitive information such as names, addresses, Hong Kong Identity Card (HKID) numbers, and PCR test results.
Key Findings by PCPD
- Lack of Data Retention Policies: EMSD had no written policies governing the retention and disposal of personal data, leading to ambiguity regarding data handling.
- Failure to Request Data Deletion: When notifying the contractor that the service contract would not be renewed, EMSD did not explicitly request the deletion of personal data, which should have been a crucial step.
- Inaction on Data Deletion: EMSD waited for the contract to expire without taking proactive measures to delete sensitive data, risking unnecessary retention.
- Assumption of Contractor Compliance: EMSD assumed the contractor would delete the data and did not follow up, neglecting to monitor or verify what actions were actually taken regarding data deletion.
The Privacy Commissioner, Ms. Ada Chung Lai-ling, concluded that the EMSD did not comply with the Personal Data (Privacy) Ordinance (PDPO) and failed to meet public expectations.
PIA
The findings in this case serve as a stark reminder of the importance of conducting Privacy Impact Assessments (PIAs). A PIA helps organizations identify and mitigate risks associated with personal data processing. Here are some key reasons why PIAs are essential:
- Risk Identification: PIAs allow organizations to pinpoint potential privacy risks early in the data processing lifecycle.
- Compliance Assurance: By aligning practices with GDPR requirements, organizations can avoid costly fines and reputational damage.
- Informed Decision-Making: Organizations can make better-informed decisions about data use, ensuring that it is lawful, fair, and transparent.
ISO 27701 Certification
Achieving ISO 27701 certification can further enhance an organization's commitment to privacy management. This standard provides a framework for managing personal data in accordance with privacy regulations, including GDPR. Key benefits of ISO 27701 certification include:
- Enhanced Trust: Demonstrating compliance with international standards can build trust among customers and stakeholders.
- Structured Approach: It offers a structured approach to privacy and data protection, making it easier to implement effective practices.
- Continuous Improvement: Organizations can regularly assess and improve their privacy management processes, adapting to evolving regulations and risks.
By implementing robust Privacy Impact Assessments and pursuing ISO 27701 certification, organizations can not only mitigate the risk of violations, but also foster a culture of privacy that respects and upholds the rights of individuals.
DQS Related Services:
- DQS provides ISO 27701 Privacy Information Management System Certification Services;
- DQS HK provides Privacy Impact Assessment (PIA) service.