The Privacy Commissioner has said the Registration and Electoral Office (REO) contravened privacy rules after it lost an election computer containing the personal information of all voters. It has demanded improvements. The commissioner’s office launched an investigation after two computers were lost from a backup polling station for the chief executive election in March. It was discovered a day after the election that the two machines had disappeared from a locked room, despite there being no sign of a break-in. One of the lost computers contained the names, addresses, and the identity card numbers – considered private information – of all 3.78 million Hong Kong voters. The data was stored in an encrypted format and did not include telephone numbers and voting records.
The system had been used since the 2007 chief executive election in order to handle any potential enquiries relating to electors. However, the REO was unable to provide any information relating to the approval of the use of the system during the 2017 election. It was also unable to confirm whether approval had been obtained.
The commissioner confirmed that there were indeed layers of encryption present on the computers. Hong Kong identity card numbers were encrypted before being stored on the system, while other personal data was stored in plain text.