Hong Kong’s Electrical and Mechanical Services Department exposed data of 17,000 people

Hong Kong’s privacy watchdog has rebuked the Electrical and Mechanical Services Department for exposing the personal information of 17,000 residents online, saying the government branch “fell short of the reasonable expectations of the public” in protecting sensitive data.

In a separate case also flagged up on Monday, the Office of the Privacy Commissioner for Personal Data said job advert platform JobsDB was publishing postings that could allow swindlers to collect personal data from unwitting victims to use for fraudulent activities.

During the Covid-19 pandemic in 2022, the department collected data on 17,000 public housing residents subject to restriction-testing declaration operations, including their names, telephone numbers, identity card numbers and addresses.

As a regulatory body and law enforcement agency with regard to electrical and mechanical safety, the department was tasked with using an electronic form submission platform associated with a cloud system operated by a third-party contractor.

On April 30 this year, almost two years after the testing operations were completed, the department realised the personal data collected could be browsed by anyone at the third-party platform system, called ArcGIS Online, without need of a password. The same day it made the discovery, the department removed the data.

“It is clear that not only did [the department] fail to comply with the requirements of the [privacy ordinance], it had also fallen short of the reasonable expectations of the public,” Hermina Ng Wing-hin, senior legal counsel of the watchdog, said at a press briefing.

“The privacy commissioner understood that amid a severe epidemic situation, departments … needed to supply resources and act quickly,” the office said. “However, since then, the [department] has not formulated a policy on the retention of the personal data, nor has it made another physical request to the contractor for data deletion.”