The Privacy Commissioner for Personal Data
Raymond Tang recently took up the office of Privacy Commissioner for Personal Data.
Hong Kong Lawyer spoke with him about the challenges of his new position.
You became
the Privacy Commissioner for Personal Data on 1 November. What did you
do prior to taking up this position?
Immediately
before that I was practising at the Bar as a barrister. Before that I was
the chief counsel at the Securities and Futures Commission. And before
that I was a solicitor. You might say I've been around.
What is the
brief of the Privacy Commission?
If you look
at the Personal Data (Privacy) Ordinance its principal purpose is to protect
the personal data of individuals. That is the brief which I hold and that
is the area covered by the ordinance. The overall objective of the Commission
is to enhance the protection of personal data and one of the strategic
exercises that we can conduct over the next five years will be to promote
a discussion on the concept of privacy protection.
Privacy has
different connotations at different times for different people. The law
as presently enacted deals with the protection of personal data. It is
not wide enough to deal with other aspects of privacy. Whether we should
go beyond that is a matter for debate; it is a matter for the community
to decide in the years to come - how far one's privacy, in the broader
sense embracing other aspects of a person's private life, should be protected
by law. At the moment it's limited to personal data and that is probably
wide enough for now, at least until there is a better understanding within
our community of the remits of privacy.
I see myself
in the next five years promoting the concept of privacy through an educational
process. I believe that privacy is something that is best expressed in
terms of respect for another person's right to privacy, as opposed to just
protecting one's own privacy rights. Unless we are able to develop a culture
of respecting other people's privacy we'll never get to where we want
to be. Take, for instance, anti-discrimination legislation. Some jurisdictions
have very elaborate legal regimes to enforce racial equality. Have they
solved the problem? You can only ensure racial equality if you develop
a culture around that concept. No amount of law can force people to exercise
racial equality unless the community as a whole understand and accept the
rationale behind it.
It's the same
with privacy and that's what we would like to do - promote it through education
and through the schools. By the time the students become working members
of the population hopefully they will have accepted respect of someone
else's privacy as a norm and the law will merely become a tool for enforcement.
What are
some of the issues your office is currently dealing with?
We have quite
a few matters on hand; for example, the proposed amendments to the code
on consumer credit. At the moment, the Code of Practice on Consumer Credit
Data allows certain sharing of information; for example, regarding default
data, information on someone who is unable to pay his or her credit card
debts. There is also other information that can be shared, such as the
number of credit card applications submitted by an individual.
The information
available at the moment is restricted to that permitted under the code.
We have been asked to consider relaxing the code and allowing a longer
period of retention of the financial data within the database held by credit
rating agencies. At the moment there is a relatively short retention period
allowed under the code. In the case of application data, it can be retained
for 90 days. They can also retain 'file activity data', meaning how many
times that particular person's data file is hit, for 120 days.
We have been
asked to amend the code to allow a longer period of retention of data in
both cases in order to develop a system of scoring for risk assessment
purposes. A period of five years has been suggested. Whether or not five
years is the appropriate period for retention of data is a matter for consideration
and a decision will be made in the near future. There are differing views.
It would mean a huge amount of data being concentrated in one location
in a massive database. This raises serious questions regarding security,
integrity and use of the data during this extended period.
I can certainly
understand and appreciate the objections that have been raised, principally
by groups representing consumer interests. I think they have some very
strong arguments. So the regulatory framework must be such as to ensure
that any extended period of retention of financial data would not be unduly
adverse to the individual's privacy rights. I emphasise the word 'unduly'
because that is where a balancing exercise comes into play - a balance
between private rights and community interests, the community interest
here being the stability and integrity of the financial market and the
soundness of the consumer credit environment. It's a difficult balance,
I must admit.
We also have
to consider where the sharing of financial information will eventually
lead us. If the banking community has access to such data, what about other
financial services providers such as insurers and other credit providers,
like telephone companies, or even department stores and gas stations? They
all provide credit in one form or another. A line has to be drawn somewhere.
So, as you can
see, the legislative regime may be fairly discrete but if you take it and
put it into a human context then virtually everything that involves human
interaction can give rise to privacy concerns. Regulating and controlling
it can raise some huge problems.
What about
the Draft Code on Employee Monitoring?
We will be putting
out a Consultation Paper on that fairly soon. I would like this to be out
in the community for extensive discussion and debate as early as possible
because of its importance and potential coverage. After all, there are
more employees than employers.
The provisional
title to the paper 'Employee Monitoring' is misleading, probably inaccurate.
It seems to suggest an emphasis on watching over employees' activities.
As will be seen when the consultation is launched, this is not what the
paper is about. The exercise is about data protection protocol at work,
a protocol to which both employer and employee should subscribe and that
will give due recognition to the proprietary rights of the employer as
well as respect for the employee's privacy rights. We are giving some thought
to changing it to a more appropriate title.
Because of its
importance to the community we will be providing a three-month consultation
period instead of the usual eight weeks. It is an issue that can become
emotional, and for good reasons, whether from the employer's point of view
or the employee's perspective. Who would want to work in an environment
where he or she is being 'watched over'? A working environment should not
be so. It comes down to the issue of how an employer should administer
his or her work environment in a way that would not cause offence to the
employee.
We have to develop
a protocol, one that will be acceptable to both employer and employee,
and in an environment of understanding. Employees need to understand why
the employer has electronic devices to protect the workplace so as to prevent
economic loss to the employer. But the working environment itself should
not be a source of complaint. Employees should be able to have a reasonable
expectation that their privacy rights will be respected and any monitoring
policy transparently implemented.
In light
of recent terrorist events and resultant community security concerns, do
you feel that the balance between personal privacy and the community's
interests should perhaps now shift somewhat towards the community interest
side of the equation?
I do not believe
that there should be a 'shift' on account of isolated events because where
do we then draw the line? I do think these events have changed certain
people's perceptions of the sanctity of privacy rights. Our current legislation
has exemptions for situations such as crimes, under which terrorism would
fall.
These are community interests that are already taken care of within the
existing regime. So I don't believe that one should start shifting the
legislative framework and regulatory philosophy on account of certain things
happening. I am not one for knee-jerk reaction.
In your opinion,
is the Personal Data (Privacy) Ordinance adequate in its present form?
Many of my professional
colleagues have views about this ordinance. Some have described it as difficult
to understand. I think that, by and large, this ordinance is not quite
like other ordinances. It seeks to express a concept in legal language.
But legal language seeks to drive home a certain legal requirement with
sufficient clarity - either you're on this side of the line or on the other.
If you look at this ordinance, it endeavours to promote a sense of respect
for personal data and attempts to secure compliance by a roundabout route.
Although the heart of the legislation is a collection of six data protection
principles, a contravention of a data protection principle, important as
the principle may be, is not an offence, and it only becomes an offence
if an enforcement notice (requiring the data user to take certain steps
that would have the effect of ensuring compliance with the data protection
principle) is not complied with.
The principles
themselves are expressed in fairly vague and loose language, which is unusual
for a piece of legislation. Often we have to steer very carefully to enforce
this law, the primary purpose of which is to promote a concept, to develop
a behavioural pattern within the community of respect for others' privacy.
Certain procedural
requirements may need revamping, such as the time limitation stipulated
in s 39 within which the Commission must make a decision on whether or
not to conduct a formal investigation under s 38. As things stand, we must
rely on both the complainant (data subject) and the respondent (data user)
as well as other related parties providing us with information in time
to enable us to make a decision whether to open an investigation, and that
is something outside our control. Nonetheless we are bound by the statutory
time limit. That should be reviewed.
As I have said,
the present ordinance only deals with data protection, and data is strictly
defined. Data that is not reduced into an accessible form of record may
not be data as defined. What about real time CCTV monitoring where the
images are not retained in a retrievable form? Many people will, no doubt,
regard that as privacy intrusive. Whether legislation should be introduced
to cover other aspects of privacy is a matter for the future.
What steps
do you take to 'weed out' those complaints that are clearly malicious,
vexatious or otherwise ill-motivated before seeking an explanation from
the respondent?
Under s 39 of
the ordinance, the Privacy Commissioner has the power to refuse to conduct
or continue an investigation if the complaint is vexatious, malicious,
frivolous, or not made in good faith. However, we have to answer and deal
with every enquiry made to us and we treat every enquiry very seriously.
We have to assume that a complaint was made with good reasons. Our front
line officers listen to every complaint (all 85,000 of them from 1997 to
September last year) with great care and patience because you're talking
about people's feelings and personal privacy. So we have to be patient,
considerate and understanding.
If I come to
the view that further investigation would not be justified then I inform
the complainant that no further action will be taken and I have to set
out the reasons as required by law. In terms of process, it's not difficult
- it's all there in the legislation. The difficult part is to ensure that
the complainant does not feel that he or she is not being taken seriously.
Do you consider
that the provisions of the ordinance give sufficient recognition of regulatory
bodies so as to enable them to undertake their duties effectively?
That brings
into focus Part VIII of the ordinance, in particular s 58. In a way it
was probably difficult for the drafters of the ordinance to take into account
the requirements of every regulatory agency in Hong Kong. The ordinance
has given the financial regulator special treatment. The other regulators
have not been specifically dealt with in the ordinance. Section 58 does
allow regulatory agencies exercising their functions to take advantage
of the exemptions allowed under s 58.
The exemptions,
if applicable, would relieve the data user from compliance with, for example,
data protection principle 3 (dealing with change of use), data protection
principle 6 (dealing with right of access to data), and s 18(1)(b) (dealing
with provision of copy of data to the data subject).
So far I have
not received any representations from professional bodies suggesting that
they are having difficulty in this regard.
If, during
an ongoing investigation by a regulatory body, there is a complaint to
you on failure to produce data, which investigation will take priority
if the two cannot continue simultaneously?
It is not an
issue of priority; the issue is efficiency of regulatory function. Parallel
investigations are not satisfactory. Overlapping investigations create
undue pressure on the parties, not to mention a conflict of approach between
'competing' investigators. As stated in our published Complaint Handling
Policy, we may not conduct an investigation if another regulatory agency
is in the process of conducting one. In that event, we will defer to that
other investigation.
Of course, there
is an element of judgment here and one has to decide which is more important.
In the case of an investigation conducted by a law enforcement agency,
the community interest involved may mean that other investigation will
take precedence. That is not to say that we will abrogate our obligation
- we simply delay our own investigation until the other one is concluded.
If we see a privacy issue we can and do, on our own initiative, re-open
the investigation once the other investigation is completed.
This article was published in "Hong Kong Lawyer" (January 2002)