Office of the Privacy Commissioner for Personal Data

11/13/2025 | Press release | Distributed by Public on 11/12/2025 21:03

Ensuring Information System Security Privacy Commissioner’s Office Completes the Inspections of the Personal Data Systems of Two Educational Institutions

Date: 13 November 2025


The Office of the Privacy Commissioner for Personal Data (PCPD) earlier completed inspections of the personal data systems of HKICC Lee Shau Kee School of Creativity (HKICC) and the Hong Kong College of Technology (HKCT), and published the inspection reports today.

The HKICC and the HKCT had notified the PCPD of their respective data breach incidents in 2024, both involving unauthorised access by hackers into information systems containing personal data. The PCPD conducted and concluded a compliance check and an investigation respectively into the data breach incidents in accordance with established procedures in 2024 (see Annex 1 for details).

Against this background and given the upward trend in data breach incidents involving educational institutions in recent years, the Privacy Commissioner for Personal Data (the Privacy Commissioner), Ms Ada CHUNG Lai-ling, subsequently carried out inspections of the personal data systems of the two educational institutions under section 36 of the Personal Data (Privacy) Ordinance (PDPO). The inspections were undertaken to assess the effectiveness of the remedial measures taken by the two institutions, to further examine the data security of their information systems containing personal data comprehensively and to make recommendations to the education sector in relation to the protection of personal data based on the results of the inspections.
  1. Results of the Inspection Regarding the HKICC
The inspection results revealed that after the hacker intrusion, the HKICC has implemented various technical measures to enhance the security of its information systems, including establishing a patch management system, enabling two-factor authentication for virtual private network (VPN) login, and enforcing strong password requirements. For access control, the HKICC adopted the "least privilege" and "role-based" access control mechanism, granting users only necessary permissions based on their roles. Additionally, the HKICC provided training on the protection of personal data and information security to staff and regularly communicated relevant policies and guidelines. Overall, the Privacy Commissioner considers that the HKICC has complied with the requirements of Data Protection Principle (DPP) 4 of Schedule 1 to the PDPO concerning the security of personal data in handling the personal data of students and staff.

Despite the above, the Privacy Commissioner recommends that the HKICC establishes more comprehensive and specific policies on information security and data retention, enhances detection capabilities for information systems, and strengthens management and oversight of data processors in the proper destruction of the personal data held by them.
  2. Results of the Inspection Regarding the HKCT
The inspection results revealed that the HKCT has implemented various technical measures to enhance the security and detection capabilities of its information systems after the data breach incident, and has also established a personal data privacy management programme, appointed a dedicated data protection officer, and provided staff with training and information on the protection of personal data to enhance staff awareness on cybersecurity and to safeguard them against suspicious emails. The HKCT has adopted the "least privilege" principle and "role-based" access control mechanism, under which department heads grant the minimum necessary access rights to staff based on their roles and job responsibilities. The HKCT has also established a data breach incident response plan. Overall, the Privacy Commissioner considers that the HKCT has complied with the requirements of DPP4 of Schedule 1 to the PDPO concerning the security of personal data in the handling of the personal data of students and staff.

Despite the above, the Privacy Commissioner recommends that the HKCT establishes more comprehensive and specific policies on information security and data retention, enhances the review of records for information systems containing personal data, and conducts regular security audits to further strengthen the protection of the personal data held by it.

The Privacy Commissioner, Ms Ada CHUNG Lai-ling, said "Educational institutions handle vast amounts of personal data of students and staff in their daily operations. Given the sensitive nature of such personal data and the risks associated with the processing of such data, I hope the aforementioned inspections will help assess the adequacy of the measures taken by educational institutions to protect personal data. This will not only help the relevant institutions further strengthen information system security management, data security, and prevent personal data breach incidents, but also serve as a useful reference for the education sector to assist them in complying with the requirements of the PDPO."

Through the above inspection results, the Privacy Commissioner would also like to make the following recommendations to educational institutions that handle vast amounts of personal data of students and staff members to ensure data security, including:
  • Establish a Personal Data Privacy Management Programme and appoint designated officer(s) as Data Protection Officer(s);
  • Establish clear internal policies and procedures on data governance and data security, and ensure thorough implementation of the same;
  • Provide staff with training on the protection of personal data and information security upon onboarding and at regular intervals;
  • Adopt the "least privilege" principle and "role-based" access control mechanisms;
  • Implement effective measures to prevent, detect, and respond to cyberattacks;
  • Conduct comprehensive security risk assessments and audits for information systems regularly;
  • Exercise due diligence in appointing and managing data processors; and
  • Formulate response plans for data breach incidents and incidents involving artificial intelligence.
The PCPD encourages organisations to make reference to the "Guidance Note on Data Security Measures for Information and Communications Technology (ICT)" and "Guidance on Data Breach Handling and Data Breach Notifications" issued by the PCPD to prepare themselves against any cyberattacks and to enhance cybersecurity and data security. To assist enterprises and organisations in safeguarding data security, the PCPD has launched a Data Security thematic webpage[1], a data security hotline (2110 1155) and the "Data Security Scanner"[2], which is a self-assessment toolkit for enterprises and organisations to assess the data security measures for their ICT systems.
-End-

The 2025 Legislative Council General Election will be held on 7 December 2025 (Sunday). The PCPD urges voters to actively cast their votes so as to fulfill civic responsibility, and contribute to building a brighter future.

Annex 1

The Data Breach Incident of the HKICC

On 13 May 2024, the HKICC submitted a data breach notification to the PCPD, reporting that its servers had been compromised, resulting in the encryption of the personal data stored in the servers, which affected approximately 1,300 individuals. The affected personal data included the names, addresses, email addresses, phone numbers, dates of birth, Hong Kong Identity Card (HKID card) numbers, photos, bank account details relating to students, parents, employees, freelancers, alumni and tenants, and tax information relating to employees and tenants. Upon receiving the data breach notification, the PCPD initiated a compliance check in accordance with established procedures, and issued an advisory letter on strengthening information security to the HKICC upon the completion of the compliance check.

The Data Breach Incident of the HKCT

On 21 February 2024, the HKCT submitted a data breach notification to the PCPD, reporting that one of its servers containing personal data had been attacked by ransomware and maliciously encrypted, affecting the personal data of approximately 8,146 individuals, including students, course applicants and former employees. The affected personal data included names, HKID card numbers, mobile phone numbers, residential phone numbers, dates of birth, email addresses, genders, photos, Hong Kong Certificate of Education Examination results and proof of academic results, staff positions, corresponding departments, names of supervisors and their comments, addresses, bank account numbers and partial bank transaction records. Upon receiving the data breach notification, the PCPD initiated an investigation in accordance with established procedures, and issued a warning letter to the HKCT upon the completion of the investigation.

Office of the Privacy Commissioner for Personal Data published this content on November 13, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on November 13, 2025 at 03:03 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]