The Registration and Electoral Office has lost many voter data over the years. In March of this year, a corrupt employee sent the data to a private email, but the wrong email address was sent to an unknown email by mistake, resulting in as many as 15,000 Legislative Councils. The personal data of local voters was leaked, involving the Chinese and English names and addresses of these voters.
The Registration and Electoral Office today (April 13) released a summary of its investigation report, stating that the staff member violated the department's guidelines. Human negligence is involved, and the Office of the Privacy Commissioner for Personal Data is following up.
One of the incidents involved the information of voters in the geographical constituencies of the Legislative Council.
(file picture)
More than ten minutes without receiving the email, the party found the wrong email address
The first incident occurred on March 23 this year. The report stated that one of the main duties of the staff involved was to supervise his subordinates to check the addresses of voters. At that time, the staff was dealing with the public housing estates provided by the Housing Department and the voters had terminated. Information on the tenancy agreement of the unit to facilitate verification and enquiry.
The staff of the REO sent two emails to their personal emails at 5:43 pm and 7:03 pm on the same day respectively. The first one contained the names of about 1,000 voters, and the second one contained the names of the voters. Two files containing a total of 15,070 electors (103 of them deceased).
More than 10 minutes after sending the second email, the personal account was still not received, only to discover that the email was sent to another unidentified email address by mistake.
She then sent the above email containing the information of 15,000 voters to her private email address at 7:58.
The staff involved later confirmed that the above files had been deleted from their personal email accounts.
After receiving a report from the REO, the police immediately launched an investigation and successfully contacted the recipient to confirm that the recipient had not opened the email containing the voter information file and had deleted the email.
After investigation and review of the evidence gathered, the police confirmed that there is insufficient evidence to prosecute anyone and therefore no prosecution will be taken.
As for the Elections Office, it issued a press release on March 25 to announce the incident and notify the affected voters in writing.
The Registration and Electoral Office announced two cases of personal data leakage.
(file picture)
The staff involved negligently processed personal data and violated department guidelines
The Elections Office criticized that after the staff member knew that the email in question had been misdirected to an unknown recipient, he still did not consider it carefully, and then sent the email containing the voter data file to her personal email account again: "The staff member did not comply with the department. The guidelines set out in the relevant circulars are 'Only use the department's email system to transmit confidential information by email' and 'Do not use personal email accounts for official business or transmission of confidential or personal information'."
The report goes on to say that the staff involved committed misconduct of negligent handling of personal data and violation of the department's IT security guidelines.
"The staff member admits and apologises for the wrongful act of sending a file containing voter information to his personal email account. The department is now following up on the staff member's misconduct under the existing civil service disciplinary mechanism."
The Registration and Electoral Office will update the system afterwards. Unless there is a real operational need, staff cannot send emails to the Internet email accounts through the department's email system, and their computers cannot browse the websites of commonly used Internet email service providers in Hong Kong. Privacy of personal data The Commissioner's Office is investigating the matter.
The second case involved the election of the chief executive, and the information of the election committee was leaked.
(file picture)
The Election Committee e-Reply Slip was mistakenly attached to the email
The second case occurred in the early morning of April 28, 2022. At that time, staff of the REO sent a total of 13 batches of test emails to 848 Election Committee members and their assistants, reminding the Election Committee of the information about the Chief Executive election.
On the morning of the same day, the staff of the REO found that one of the emails sent to the 64 ECs or their assistants earlier on the same day had mistakenly attached a reply slip sent to the Office by one of the ECs in early April 2022. , the personal data involved include the name, email address, telephone number of the electoral committee and its assistants, and the electoral committee's signature.
On the same day, the Elections Office transferred the staff involved from their original jobs, prevented them from handling work involving personal data, and launched an investigation.
The REO's investigation found that it is believed that some staff members accidentally attached the electronic version of the reply slip of the relevant election committee to the test email sent to the election committee or their assistants during the work process, resulting in this incident.
The survey revealed the following deficiencies in the procedure for sending test emails: 1. The information on the reply slip sent by the election committee had to be manually entered into the computer, which was prone to errors; 2. In order to reduce waste and improve verification efficiency, staff Use the computer to check with the electronic reply slip sent by the Election Committee earlier instead of the paper reply slip.
This verification method may cause the electronic reply slip to be accidentally attached to the test email; 3. Before sending out the test email, the staff did not double-check whether the email contains other inappropriate attachments.
According to the report, the REO will take appropriate follow-up actions in response to the incident reflecting the work performance of the staff concerned.
Representatives from the Office of the Government Chief Information Officer, the Constitutional and Mainland Affairs Bureau and the Registration and Electoral Office have set up a working group to conduct a comprehensive review of the information security work of the Registration and Electoral Office. The Office of the Privacy Commissioner for Personal Data has also launched an investigation into the incident.
The information of 15,000 voters was leaked to an unknown email. The REO apologized and reported the case to the police. 60 staff involved have been transferred and investigated