There have been 30 cases of data loss from government departments and public bodies over the past three years involving information belonging to over 46,000 members of the public.

Secretary for Commerce and Economic Development Frederick Ma revealed at a Legislative Council (LegCo) session yesterday that in the past three years up until last Thursday, there had been 14 cases of personal data leaks from government bureaus and departments, involving personal data belonging to approximately 1,900 citizens.

During the same period, there were 16 other cases of personal data leak from public organizations involving 44,000 members of the public.

Ma pledged that the government will review policies on information security within a few months.

The police force lost the biggest amount of data among the responsible departments.

It leaked data belonging to 720 individuals, on top of the data that it leaked via the file-sharing program Foxy in recent days.

The Department of Health came in second. The department leaked data of 668 persons.

The Education Bureau and the Intellectual Property Department followed with leaks that involved 200 and 180 persons respectively.

Other government departments involved include the Immigration Department, Social Welfare Department and Hongkong Post.

Among the public organizations involved, five are universities.

The City University and University of Hong Kong had each leaked data belonging to 68 persons. The Polytechnic University's leak involving 1,780 persons took place during a dissemination of examination results last year. The Hong Kong Institute of Education leaked data of 204 persons.

The Independent Police Complaints Council was responsible for leaked data belonging to 26,341 persons, and the Hospital Authority 15,878 persons.

Ma said the government has not received any claim for compensation as a result of these leaks, but added that only seven of the departments and public bodies had notified the police, Privacy Commissioner and the affected citizens.

He added the law does not require the incidents to be reported to the Privacy Commissioner.

Most of the incidents are caused by lack of alertness to information security policies and guidelines, especially on the use of portable storage devices and file-sharing software, Ma said.

Two reminders have been sent to all government employees including contract staff to raise awareness in personal data protection.

Legislators are concerned about the series of data leaks.

Jasper Tsang Yok-sing from the Democratic Alliance for the Betterment and Progress of Hong Kong (DAB) suggested that staff should be prohibited from taking personal data home.

LegCo security panel chairman James To said it should be made mandatory for all public organizations to report data leaks to the Government Information Security Incident Response Office and the Privacy Commissioner.

He also urged the government to launch an independent investigation into the incidents.

Another DAB legislator Chan Kam-lam said the government and public organizations should upgrade their information technology system.

(HK Edition 05/29/2008 page1)