Hong Kong’s Privacy Commissioner for Personal Data (PCPD) in late February issued an enforcement notice to Hong Kong Broadband Network (HKBN) directing it, among other things, to “devise a clear data retention policy”.
The data retention policy must specify the retention period of personal data of customers and service applicants, which must be no longer than necessary for the fulfilment of the purpose for which the data is held.
The enforcement notice is contained in a recently published PCPD report on its investigation of the data breach incident at HKBN that compromised the personal data of about 380,000 customers.
The incident was discovered in April last year. The leaked information included name, email address, correspondence address, phone number, HKID card number and credit card information.
“The Privacy Commissioner found HKBN to have failed to take all practicable steps to erase personal data stored in the database in question, where it was no longer needed and retained, for an excessive period of time, personal data of customers,” said PCPD in a statement.
HKBN was found to have contravened section 26 of the privacy ordinance on data erasure and Data Protection Principle 2(2) of Schedule 1 to the ordinance on data retention.
The PCPD investigation found the following:
- The database in question should have been deleted after a system migration in 2012, but was nevertheless retained and remained connected to the internal network owing to human oversight. Its existence escaped the memory and attention of HKBN. Neither security patching nor encryption was applied to that database.
- HKBN failed to conduct a comprehensive and prudent review after the system migration, leading to the failure to delete the database in question.
- HKBN failed to give due consideration to the retention period of former customers’ personal data or to provide relevant internal guidance. It also retained data of former customers for an excessive period of time.
- HKBN implemented new data protection measures immediately after the security incident surfaced.
Nevertheless, PCPD in its investigation report outlined several remedial actions that the company has to undertake as part of its enforcement notice.
In addition to putting together a clear data retention policy, HKBN was instructed to do the following:
- Devise clear procedures to specify the steps, time limits and monitoring measures for deleting personal data in obsolete database(s) after system migration;
- Devise a clear data security policy to cover regular review of user privileges and security controls of remote access service;
- Implement effective measures to ensure that the policies and procedures are expressly communicated to relevant staff members and effectively executed; and
- Erase all the personal data of customers and service applicants which is retained longer than the retention period(s) as specified in the data retention policy devised.
“The Privacy Commissioner urged organizations to adopt an accountability approach in handling personal data by incorporating data governance, stewardship and ethics, namely being respectful, beneficial and fair, as part of corporate governance, and apply them as a business imperative throughout the organization, starting from the boardroom,” the PCPD statement said.