The government is considering making breaches of personal data a criminal offence, said Secretary for Constitutional and Mainland Affairs Stephen Lam at the Legislative Council (LegCo) yesterday.

Following concern expressed by some legislators about a recent series of personal data losses by several government departments , Lam said that the government is conducting a comprehensive review of the Personal Data (Privacy) Ordinance with the Privacy Commissioner for Personal Data.

"We and the commissioner will examine ways to strengthen protection of personal data," he said. "We will consider whether leakage of personal data should be made a criminal offence."

As the proposal will have wide-reaching implications for the whole community, Lam said the government has to prudently consider whether criminalizing such actions will compromise freedom of expression and autonomy of different organizations.

And since the ordinance applies to all government departments, there is no need to legislate for the management of government records, he said.

When asked if the government will expand the power of the commissioner, he replied the ordinance has already given appropriate power to the commissioner to follow up the data leakage incidents effectively.

Meanwhile, Lam said the departments involved in the data losses have carried out different measures to avoid a repeat of the incidents.

At the same time, there is a new set of internal guidelines for all civil servants to follow.

The guidelines were designed to strengthen staff's awareness of data security and relevant handling procedures.

According to the guidelines, all departments are required to use software or storage devices that support encryption or allow the use of passwords.

Officers must obtain approval from supervisors before storing data on portable storage devices.

In regard to the leakage of patients' personal data on electronic devices, Secretary for Food and Health York Chow says in a written reply to the LegCo that the Hospital Authority (HA) has received nine such reports since May last year.

Seven cases took place in hospitals and two outside hospitals.

Six cases involved theft, and the rest staff negligence.

To protect patient data, the HA has issued new guidelines to staff.

HA staff are not allowed to take removable electronic devices containing patient data outside hospitals without the approval of the hospital's chief executive.

From Monday on, any loss of patient data must be reported to the hospital in accordance with the internal reporting system as soon as possible.

The HA has also set up a task force to review existing data security policies.

(HK Edition 05/22/2008 page1)