2.1

The Personal Data Leakage Incident was first reported in a local newspaper on 10 March 2006, stating that a database apparently sourced from the IPCC containing complaint data such as CAPO reference number, the identity card number, name and address of each complainant was found accessible on the Internet.   A subsequent investigation revealed that in early 2004, an information technology person who was known to the IPCC Secretariat as an employee of the outsourced contractor engaged by the IPCC Secretariat for enhancement of the computer statistical system (CSS) of the IPCC had uploaded the database to a server which was made accessible on the Internet.   The complaint data was collected from CAPO in accordance with Section 62 of the Personal Data (Privacy) Ordinance (the Ordinance) to prepare statistics and carry out research as one of the terms of reference of the IPCC.