Watchdog says students' drug test data vulnerable
Updated: 2012-07-27 06:44
By Ming Yeung (HK Edition)
The Privacy Commissioner for Personal Data revealed on Thursday that some deficiencies exist in security safeguards concerning the school drug testing pilot scheme in Tai Po. The commissioner disclosed that while there has yet to be a breach of security, there are flaws in the information technology and communications systems that could pose potential threats to the security of data.
The Narcotics Division of the Security Bureau and the Education Bureau jointly carried out the voluntary drug testing program at 23 Tai Po secondary schools in 2009. Student participation was strictly voluntary.
Even before the program was inaugurated, the commissioner, Allan Chiang Yam-wang, noted that there had been no prior privacy impact assessment to assess risks. Chiang said those assessments were vital, due to the importance and sensitivity of the data.
The commissioner noted that since there was a lack of comprehensive policies and an absence of unanimity as to how data should be handled, different parties receiving sensitive data handled personal information in various ways.
"What we see is that each organization does things in its own way. They have their own policies for dealing with privacy protection," he said. "But with the drug testing scheme per se, those policies are not adequate."
He cited as one example the student consent forms. There were no consistent and standardized security guidelines for assuring the privacy of the forms. They were kept differently according to which agency had them in their possession. Some were kept in locked cabinets, while in one case, they were placed in a cardboard box in a principal's office, so that under the right conditions, anyone might have gained access to the information.
The commissioner also identified several weaknesses in information technology security safeguards. One example is that school staff used personal computers to process students' personal data without applying any security to the data that was being stored.
One school even chose a contractor, who was placed under no obligations to provide security measures to protect personal data, and who was empowered to make random selections of students for testing, then to store the results on a remote server. "I don't see any reason why the school had to contract out the testing and couldn't have it done by the school staff," Chiang said.
The watchdog also found that in two schools, the USB flash memories containing student consent files and the records of the passwords were placed together, thus defeating the purpose of using the passwords.
Chiang declined to offer an opinion when asked if the drug testing program was "lucky" to have escaped a data breach, responding that there should be concrete policies in place for future programs, to ensure that security breaches can be avoided.
The Security Bureau said it welcomed the recommendations of the privacy commissioner and that it has made improvements and implemented the Healthy School Programme in 2011/12.
The bureau spokeswoman said the bureau has advised participating schools and the student drug testing teams to encrypt computers and USB flash memories used for storing data. Those computers should be run independently with Internet access closed. All devices should be kept in locked drawers, she added.
The government claimed the voluntary drug testing contributed to a sharp decrease in the number of drug abusers aged under 21. According to the Central Registry of Drug Abuse, the number dropped 41 percent from 3,388 in 2009 to 2,006 in 2011.
The government plans to consult the public later in the year on a community-wide drug testing scheme.
(HK Edition 07/27/2012 page1)