Privacy commissioner says Registration and Electoral Office failed to take ‘all practicable steps’ to ensure protection of voters’ personal data.
Hong Kong’s privacy watchdog has found that the city’s electoral office breached regulations and failed to protect voters’ personal data following investigations into two incidents involving mistakes based on human error.
Ada Chung Lai-ling, the privacy commissioner for personal data, on Thursday said the two incidents involving the leakage of voters’ personal details showed the Registration and Electoral Office had not taken “all practicable steps” to ensure that such information was protected from unauthorised access.
The first incident occurred on March 23 and involved a clerical officer who had been arranged to work from home on a select basis to reduce social contact amid the city’s fifth coronavirus wave.
The clerk intended to send two spreadsheet files, which contained around 15,000 voters’ Chinese and English names as well as their residential addresses, to her personal email account as part of her plans to work from home the next day.
But the files went to an unknown recipient after she used the wrong email address. The clerk realised her mistake 10 minutes later when she was unable to find the email in her personal inbox, before reporting the incident to an assistant electoral officer.
Chung said the data breach incident stemmed from negligence and the clerk’s lack of awareness of data protection, which led to a breach of the electoral office’s guidelines.
The privacy commissioner added that staff should only use the electoral office’s email system for sending and receiving classified information, warning them against using personal email accounts for official duties.
The office is a government department that executes the decisions of the Electoral Affairs Commission, an independent statutory body. It handles matters such as voter registration and the organisation of local polls.
The second incident occurred on April 27, during preparations for the chief executive poll, when another electoral office employee wrongly attached a reply slip containing the personal data of an Election Committee member and sent it to 64 other members or their assistants as part of a test email.
The committee is responsible for selecting the city’s leader, as well as electing 40 lawmakers to the Legislative Council.
The leaked information from the reply slip included the committee member’s name, contact details and signature.
“The Registration and Electoral Office did not have any written procedures in relation to the mechanism of sending test emails, thus increasing the risks of human errors,” Chung said.
The privacy commissioner attributed both incidents to human error and issued two enforcement notices to the electoral office, which directed it to take remedial measures and prevent future mistakes of a similar nature.
Chung called on the government body to introduce security measures that could monitor its email system, as well as review and improve the workflow involved in the collection of Election Committee members’ personal data and the issuing of any resulting bulk emails.
The electoral office should also strengthen staff training on information security and protecting personal data, she added.
The electoral office on Thursday said it had accepted the results of the investigation report, adding it would comply with the enforcement notices and take on board Chung’s recommendations to prevent similar incidents in the future.
The government body also agreed with the conclusion that both leaks were the result of human error and a lack of awareness regarding data protection. Stricter precautions would be implemented to help prevent further instances resulting from negligence or non-compliance with guidelines by staff, it said.