The Hong Kong Electrical and Mechanical Services Department (“EMSD”) is a department of the government of Hong Kong. As part of its survey operations during the COVID-19 pandemic, EMSD carried out COVID-19 tests for residents of, and visitors to, certain buildings. In this case, EMSD procured and used an e-Form Platform (“the e-Form Platform”) hosted on the cloud platform ArcGIS Online, on which it created 14 e-forms and recorded its restriction-testing operations in restriction-testing declarations (“RTD”). The e-forms and the data collected through them were stored in the ArcGIS Online data repository. The personal data of 17,325 individuals was involved.
EMSD had contracted for the ArcGIS Online services for a contract period expiring in late February 2023, which was the contractually agreed end of the COVID-19 operations period.
EMSD understood, and indeed believed, that the e-Form Platform account set up on ArcGIS Online would be invalidated automatically on expiry of the contract, and that the information submitted to and stored in ArcGIS Online would be deleted automatically at the same time.
In April 2024, EMSD received a notification from the Office of the Privacy Commissioner for Personal Data (“PCPD”) under the Personal Data (Privacy) Ordinance (“PDPO”) that the personal data of persons who had undergone restriction testing in the RTD operations could be viewed by anyone on the relevant ArcGIS Online website. On receiving this notification, EMSD immediately requested ArcGIS Online to remove the personal data from the e-Form Platform so that it was no longer publicly accessible. The failure to remove the data was a breach of:
(1) Data Protection Principle 2 of the PDPO, in that EMSD failed to take all practicable steps to ensure that the personal data involved was not kept longer than necessary for the fulfilment of the purpose for which it was collected and used; and
(2) Data Protection Principle 4 of the PDPO, in that EMSD failed to take all practicable steps to secure the personal data and protect it against unauthorised or accidental access, processing, erasure, loss or use. The findings established that EMSD had not only failed to comply with the requirements of the PDPO but had also failed to meet the reasonable expectations of the public.
These breaches can be attributed to the absence of formal written EMSD policies for RTD operations and to EMSD's failure to take the initiative to delete the personal data involved.