Skip to content

Something urgent? Call us now! (852) 3416 1711

Ally Law
Boase Cohen & Collins
Blog

Data security: time to review

By Claire Chow

Hong Kong, 3 February 2023: Two personal data leaks by Hong Kong’s electoral office – both caused by human error – have highlighted the importance of cyber security and information protection in the digital age. Businesses and organisations should take note and review their safety mechanisms accordingly.

An investigation by the Office of the Privacy Commissioner for Personal Data found the government’s Registration and Electoral Office (REO) had breached regulations and failed to protect voters’ information. The REO had not taken “all practicable steps” to ensure such details were shielded from unauthorised access, according to the Privacy Commissioner’s report.

In the first incident, during Hong Kong’s fifth wave of Covid-19 infections in March last year, a clerical officer tried to send two spreadsheets with the names and addresses of some 15,000 voters to her personal email so she could work from home the next day. But she typed in the wrong email address and the files went to an unknown recipient.

The following month, during preparations for the Chief Executive election, another REO employee mistakenly attached a reply slip containing details about an Election Committee member when sending a test email to 64 other members or their assistants.

In her investigation, Privacy Commissioner Ada Chung found the first incident stemmed from the officer’s negligence and lack of awareness of the REO’s own guidelines, which stipulated “[staff should] only use the email system of the REO for transmission of classified information through email” and “[staff should not] use personal email accounts for official duties or for transmitting classified information or personal data”. Ms Chung also found the REO had not put in place appropriate information security measures.

The second breach was down to collective negligence and lack of awareness by several staff members and deficiencies in the REO’s workflow, according to the Privacy Commissioner. While working long hours and under pressure to meet deadlines, employees had resorted to last-minute manual checking, thus increasing the risk of human error.

Ms Chung noted: “The two incidents revealed that the Registration and Electoral Office had not taken all practicable steps to ensure that personal data was protected from unauthorised or accidental access, processing, erasure, loss or use.” She concluded the REO had contravened the Personal Data (Privacy) Ordinance. The REO was served with two Enforcement Notices and has since enhanced security measures, including monitoring of its email system, and reviewed workflow procedures.

Concluding her report, Ms Chung provided businesses and organisations with the following recommendations for handling personal data:

  • Thoroughly implement a personal data privacy management programme;
  • Conduct privacy risk assessments and formulate specific guidelines for non-routine work;
  • Devise effective education and training plans on personal data security; and
  • Deploy information security measures to mitigate the risk of human errors.

In conclusion, it should be noted that the digital age is a double-edged sword. While it has brought countless ingenious solutions for processing information, this also means greater threats in terms of cyber security. Personal data loss may include financial, personal and health information.

Such breaches can have devasting consequences for all parties. For an individual, their privacy and security are compromised. For a business or organisation, there are legal, financial and reputational implications. For these reasons, and as highlighted by the REO examples, it is obvious that compliance with relevant data protection laws and robust cyber security measures are in everyone’s best interest.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Criminal Matters, Civil and Commercial Litigation, and Intellectual Property. She can be contacted at Claire@boasecohencollins.com.

40+ years of legal experience is just a click away.

Friendly and approachable, we are ready to answer your questions and offer you sound advice.

Contact us now

BC&C-contact-us

News & Knowledge

Learn more about what we do and what we say. Subscribe to our newsletter to ensure you receive our updates.

  • This field is for validation purposes and should be left unchanged.

Futuristic travel has no time for squares

Dear Friends and Colleagues Hong Kong, 21 January 2026: Stroll amid the high-rise blocks of Lok Fu and a strange sight looms into view: a huge concrete-covered slope, almost 100m tall, painted with red and white squares. It is Checkerboard Hill, for decades a visual guide for pilots making the notoriously difficult landing at Kai […]

Read more

CFA gives clarity to bankruptcy procedure

By Alex Liu Hong Kong, 16 January 2025: A significant judgment from the Court of Final Appeal presents a clear legal framework allowing for the imprisonment of a bankrupt individual who wilfully refuses to disclose assets and income. The ruling provides welcome clarity in the complex regime governing bankruptcy protection and enforcement action. The top […]

Read more

Law & More: Episode 61 – Neil Kaplan KC

Hong Kong, 14 January 2026: This time our guest is Neil Kaplan KC, one of the world’s leading authorities on arbitration. Neil reflects on his long and distinguished career, beginning as a barrister in London before relocating to Hong Kong to serve in the pre-handover Attorney General’s Chambers. He discusses the joys of working in […]

Read more

Unlawful finfluencers feel the heat

By Arthur Chan and Jasmine Kwong Hong Kong, 5 January 2026: In a landmark case, a so-called finfluencer has received the first custodial sentence in Hong Kong for providing investment advice without a licence. The hearing highlights the perils of unlawful financial guidance from online sources and the determination of enforcement agencies – both here and overseas – […]

Read more

A warm welcome to Kristian Odebjer

Hong Kong, 2 January 2026: We are delighted to announce that experienced business law practitioner Kristian Odebjer has joined Boase Cohen & Collins as Consultant. With dual admissions as an Advokat in his native Sweden and as a Solicitor in Hong Kong, Kristian straddles the civil-common law divide and will help drive the firm’s cross-border […]

Read more
See all news and knowledge
Ally Law