LCQ12: Computer theft incident of the Registration and Electoral Office |
Following is a question by the Hon Lam Cheuk-ting and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Patrick Nip, in the Legislative Council today (February 28): Question: On March 27 last year (i.e. the day following the 2017 Chief Executive (CE) Election), the Registration and Electoral Office (REO) discovered that two notebook computers placed in a room of the Asia World-Expo (which was the fallback venue for the CE Election) were lost, one of which contained the personal data (including names, addresses and identity card numbers) of 3.78 million Geographical Constituencies electors across the territory. The Police subsequently classified the incident as theft. The then Secretary for Constitutional and Mainland Affairs established a task force in April last year to examine the causes of the incident and recommend improvement measures on related issues. The task force submitted its report in June last year. In this connection, will the Government inform this Council: (1) of the progress of the Police's investigation into the aforesaid case; (2) as REO indicated in July last year that it was following up thoroughly the various improvement measures recommended in the aforesaid report, whether those measures will be implemented in the 2018 Legislative Council By-election to be held on the 11th of next month; and (3) as the aforesaid report suggested that the authorities should consider taking follow-up actions by commencing the performance appraisal or disciplinary procedures in respect of the officers and their supervisors concerned, whether the Civil Service Bureau has taken follow-up actions in this regard; if so, of the outcome; if not, the reasons for that? Reply: President, Our reply to the Hon Lam Cheuk-ting's question is as follows: (1) On March 27, 2017, staff of the Registration and Electoral Office (REO) found that two notebook computers stored inside a room at the AsiaWorld-Expo, the fallback venue for the 2017 Chief Executive Election, were suspected to be stolen. On the same day, REO staff reported the incident to the Police which then classified the case as theft and initiated criminal investigation. The investigation is still ongoing and no arrests have been made so far. (2) On June 13, 2017, the Task Force on the Computer Theft Incident of the Registration and Electoral Office (the Task Force) published a report putting forward a series of observations and recommendations regarding the REO's handling of personal data, information technology (IT) security, general security of election venues, as well as on aspects pertaining to the permanent establishment of the department. The REO has implemented the majority of the recommendations made by the Task Force. Such measures will be implemented in the 2018 Legislative Council (LegCo) By-election to be held on March 11, 2018. On handling of personal data, the REO has updated the relevant internal guidelines and procedures which will be circulated among staff on a regular basis. Briefing sessions for staff concerned will be arranged before every major election in future to enhance their awareness on personal data protection. In this regard, a briefing session was held in January 2018 for the LegCo By-election to be held on March 11. As for the implementation of a privacy management programme (PMP), it has been introduced in the REO's updated internal operation guidelines. The REO is now working in parallel on the formulation of a PMP in the long run, including commissioning a suitable consultant through tender to assist in the development and implementation of the system. In respect of IT security, all members of the REO staff are prohibited from using the Electors Information Enquiry System (the system was installed on one of the notebook computers suspected to be stolen during the 2017 Chief Executive Election) in election venues, including those for this LegCo By-election, for the purpose of verifying voters' identity and handling enquires. The REO has also updated its internal guidelines on IT security, and will ensure that its IT systems are in keeping with the latest requirements of the Government's IT security policies, procedures and guidelines. As for the general security of election venues, the REO will formulate a venue security plan for each election (including the coming By-election), and seek comments from the Police and the Electoral Affairs Commission on the relevant security arrangements. The arrangements for the usage of personal data, together with the security arrangements, will be personally endorsed by the Chief Electoral Officer. The REO will also avoid storing any personal data in fallback sites before their actual activation. As regards the establishment, the Constitutional and Mainland Affairs Bureau has already submitted a proposal to the LegCo for converting the time-limited supernumerary Principal Electoral Officer post of the department into a permanent one, so that the planning and operational aspects of electoral activities can be overseen effectively, and that valuable experiences can be retained for sustainable review and improvement of the electoral system. Subject to the approval of the LegCo Finance Committee (FC), the proposal will be implemented with effect from April 1, 2018 at the earliest, or with immediate effect upon approval of the FC, whichever is later. Moreover, a number of permanent posts will also be created under the REO to retain part of the core staff with electoral experience at the end of an election cycle to enable a detailed review of the electoral arrangements and the exploration of feasible improvement measures, so that electoral work will be better organised in the next election cycle. The REO will also assign civil servants occupying permanent posts to take up key planning and supervisory duties as far as possible. (3) As regards the disciplinary investigations against civil servants concerned, civil servants of various ranks were involved in the incident. The Constitutional and Mainland Affairs Bureau is following up on the case in accordance with the established civil service disciplinary mechanism. We will not comment on individual cases. Ends/Wednesday, February 28, 2018 Issued at HKT 15:00 NNNN
|