Purpose

The Clerk to the Panel on Home Affairs indicated that Members of the Legislative Council would like to know the progress of the implementation of Y2K compliance, including contingency planning and testing, in the Office of the Privacy Commissioner for Personal Data ("PCO"). This paper describes the action taken by the PCO in tackling the Y2K problem and the current position on this matter for Members' information.

Background

PCO Computer System

2. Like most organisations, the PCO relies on computers to support its major business functions. The computer system in the PCO mainly comprises the Office Automation System and the Complaint Handling System ("CHS"). The system is based on a Client Server architecture with IBM compatible PCs as Client and a Netware based system as the Server. If the Y2K problem is not addressed in time, the PCO may be deprived of the computer system to support its daily operations.

Resources to tackle the problem

3. The installation of the PCO's computer system has been funded by a Capital Account item under Head 177 Subventions : Non Departmental Public Bodies Subhead 918 PCO Item 104 "Installation of Office Computer System". As no additional funds were provided to deal with the Y2K problem, the PCO absorbed the costs to undertake the assessment impact of the Y2K problem and the necessary modification and validation of the computer system from this Capital Account.

4. The PCO has no Information Technology staff on its establishment. A Y2K project team has been set up to monitor progress. The team comprises six members and is managed by an officer at Executive Officer I level. The Y2K project is included as an agenda item in the bi-weekly Management Steering Committee chaired by the Privacy Commissioner and attended by all members of the PCO's management.

Progress of Y2K rectification exercise

5. In July 1998, the Hong Kong Productivity Council ("HKPC") was commissioned to conduct an independent risk assessment to assess the PCO's computer system against Year 2000 Compliance Requirements at a consultancy fee of $60,800. The project lasted for about a month and a "Year 2000 Assessment Report for the PCO" was submitted to PCO on 31 August 1998. The report recommended that remedial action be taken in various areas requiring enhancement/upgrading of the computer system to address the Y2K issue. These include on-site service to update the BIOS for PCs and servers, to install Y2K compliant software and to set up a testing environment for the CHS, as well as the purchase of hardware and software to replace those that are identified as Y2K non-compliant. The report prepared by the HKPC provided information on our Y2K situation as summarised below:

1. Hardware items (26 out of 46 were non-compliant)
   
   
2. System software - all will be compliant by applying Y2K patch
   
   
3. Application systems - all were Y2K compliant
   
   
4. Commercial off-the-shelf software (10 out of 28 were non-compliant)
   
   
5. Other areas
   
   
   1. Telephone facilities
      - compliant as confirmed by HK Telecom
      
      
   2. Hotline
      - non-compliant - (compliant upgrade from vendor operational from 2 December 1998)
      
      
   3. Copying machines, fax machines
      - all were compliant.

6. In November 1998, the PCO appointed LECCO Consultants Ltd. ("LECCO") to undertake on-site services to implement the Y2K compliance project including the drawing up of a contingency plan for the CHS system used in the PCO and the supply of the requisite hardware and software at a total cost of $672,000.

7. By the end of January 1999, all the non-compliance systems had been rectified, except for the Chinese Windows 95 software for which Y2K patches from the supplier are not yet available.

Compliance Testing of Complaint Handling System (CHS) and Y2K Contingency Plan

8. In February 1999, the HKPC was further commissioned for consultancy services at a fee of $140,700 for the purpose of :-

1. assisting the PCO to perform testing on the critical application system (Complaint Handling System) regarding the Y2K compliance requirement; and
   
   
2. assisting the PCO to develop a Y2K contingency plan.

9 A testing team which comprises consultants of HKPC, user representatives from PCO and consultants from LECCO has been formed under the supervision of the Assistant Privacy Commissioner. The compliance testing is broadly divided into three stages, namely - test planning, test execution and post testing review as follows:

(a) Testing Planning

10. The test planning is the most important part of the whole testing process. In order to ensure the quality of the testing, all test cases and test data as well as expected results will be defined before test execution. Consultants from HKPC will guide the user representatives from PCO to develop the plan.

(b) Test Execution

11. At this stage, the user representatives from PCO will actually input test data and compare test results against pre-defined expected results. Consultants from HKPC will monitor the whole process to ensure the testing is performed according to the test plan.

(c) Post Testing Review

12 After the test execution, HKPC consultant will assist PCO to review the whole testing process and recommend any further necessary actions to ensure the tested system is Y2K complaint.

13. The time-table for the implementation of the three stages is scheduled to be:

	Stage	Duration
(a)	Test Planning	15.2.99 - 30.4.99
(b)	Test Execution	3.5.99 - 21.5.99
(c)	Post Testing Review	24.5.99 - 28.5.99

14. At the moment, PCO is working on the test cases and should complete the test planning by end April 1999.

(d) Contingency Plan

15. The main purpose of the contingency plan is to guide the PCO in maintaining continuity of core business in the event that the Y2K problem impacts on PCO's computer hardware and software, equipment or other resources. The scope of the contingency planning is as follows: -

• Conducting a business impact analysis to pinpoint dependencies of core business process on computer hardware and software, equipment and other resources;
  
  
• Based on the analysed result identify strategies and options;
  
  
• Provide guidance and assist management in the selection of options; and
  
  
• Develop a baseline contingency plan and framework for testing of the plan.

16. Upon completion of the above tasks, HKPC will produce a risk assessment and contingency plan report.

17. It is expected that the compliance testing of CHS and the drawing up of a contingency plan for Complaint Handling System will be completed by early June 1999.

Reporting

18. Since September 1998 a Progress Report on Y2K Compliance in Non-Government Organisations has been provided to Information Technology and Broadcasting Bureau via Home Affairs Bureau on a monthly basis.

Publicity

19. The PCO has no plan to launch a publicity programme to keep the public informed of the latest development of the Y2K compliance exercise within the PCO and the related contingency plan as this is unlikely to be of significant general interest. A report on the action taken by the PCO to ensure Y2K compliance will be included in the Privacy Commissioner for Personal Data's coming annual report. In addition, if asked by the members of the public or the media, the PCO will of course provide the position on its Y2K compliance exercise.


Office of the Privacy Commissioner for Personal Data
19 April 1999
xjkwok:y2k