Response to the incident of online circulation of nude photos
1. The Privacy Commissioner for Personal Data, Mr. Roderick B. Woo, is concerned about the recent incident of the online distribution of nude photographs.
2. "The incident is an unfortunate example of how leakage of personal data on the internet can cause harm and embarrassment to the individuals concerned. As privacy regulator I am concerned with compliance with the provisions of the Personal Data (Privacy) Ordinance (the Ordinance)," Mr. Woo said.
3. The following summarises the general observations of the Commissioner, who will not comment on this or any other specific case.

The relevant requirements under the Ordinance
4. Generally speaking, photographs taken of individuals from which it is practicable for the data subjects to be directly or indirectly identified are "personal data" caught by the Ordinance.
5. The Data Protection Principles ("DPP") that may be of particular relevance to similar incidents are DPP1(2), DPP3 and DPP4 in Schedule 1 of the Ordinance.
6. DPP1(2) requires that personal data shall only be collected by means that are lawful and fair. Any unauthorized access to personal data stored in a computer can amount to an unfair means of collection. It may also be unlawful, depending on the facts of each case.
7. DPP3 requires that, without the prescribed consent of the data subject, personal data shall not be used for a purpose other than the original purpose of use at the time of collection or a directly related purpose. Any person who causes personal data collected to be used, further transferred or disseminated to others for purposes unrelated to the original purpose of collection may contravene DPP3. Other examples of improper use are where photos are used for an unlawful purpose or sold in bulk as a commercial commodity, falling outside the reasonable expectation of personal data privacy of the data subjects.
8. DPP4 requires a data user to take all reasonably practicable steps to protect personal data from unauthorized or accidental access, processing and use, etc. The level of security should be commensurate with the kind of personal data involved, the kind of damage that could result from a security breach, and the integrity and prudence of the persons having access to the data, etc. Where personal data are held in electronic form, the use of encryption and appropriate Privacy Enhancement Technology is useful in protecting personal data against hacking or other accidental access.
9. Contravention of a data protection principle is not a criminal offence under the Ordinance. However, where the Commissioner embarks on an investigation and at its conclusion finds that the data user is contravening a requirement under the Ordinance, or has contravened such a requirement in circumstances that make it likely that the contravention will continue or be repeated, the Commissioner may serve an enforcement notice on the data user directing it to take the necessary steps to remedy the contravention. If a data user fails to comply with the terms of the enforcement notice, he then commits a criminal offence. In that case, the Commissioner will refer the matter to the Police for criminal investigation, which may be followed by criminal prosecution. Contravention of an enforcement notice is an offence that could result in a fine at Level 5 (at present $50,000) and imprisonment for 2 years.

Precautions to be taken by data subjects and data users
10. "Both data users and data subjects should take care when uploading their own pictures and pictures of third parties onto the internet, e.g. via blogs or social network websites which can be shared by others. Pictures and personal data, once exposed on the internet, are liable to misuse by others, or the situation may become even worse.

11. Sensitive or important personal data stored in computers should be encrypted to prevent unauthorized use. When computers are sent for repair, data users should, as far as practicable, remove the hard drive or the personal data inside it. Moreover, a reputable company should be chosen, and the responsible technician should closely observe the requirements of the Ordinance, particularly the above three DPPs under the Ordinance," Mr. Woo said.

Action to be taken by PCPD
12. The Commissioner will respond to any complaint from a data subject in the incident. However, he has received none.
13. The Commissioner may, in appropriate circumstances, initiate an investigation even if he has not received a complaint. He has to take many factors into account before deciding to do so. However, the general practice is that while the incident is being investigated by the Police and legal proceedings are pending, it would not be appropriate for the Commissioner to mount such an investigation.
14. The Commissioner's Office has been in contact with the Police and keeps monitoring the development of events.
15. In the wake of this incident, the Commissioner will be joining hands with an alliance of nine IT professional bodies and three government departments to plan promotional and educational activities targeting the general public, such as guidelines and seminars, on how to protect online personal data and data stored in computers. The Commissioner had, upon completion of the investigation against the Independent Police Complaints Council, launched an "Information Security Enhancement Campaign" to raise privacy awareness among IT professionals and the general public. A publication on "Recommended Procedures of IT Practitioners on Personal Data Handling" was published.

Exemptions under the Ordinance
16. Various exemptions from some or all of the Data Protection Principles are provided by the Ordinance. Notably:
(a) s.52, which exempts personal data held by an individual solely for personal or recreational purposes;
(b) s.58, where personal data are used for an exempted purpose, such as the prevention or detection of crime or the prevention, preclusion or remedying of unlawful or seriously improper conduct, dishonesty or malpractice, etc. by persons, and where the application of DPP3 would prejudice the exempted purpose; and
(c) s.61, where personal data are disclosed to a data user carrying on news activity and the person disclosing it has reasonable grounds to believe that the publication or broadcasting of the data is in the public interest.

Law reform to be considered
17. "The incident demonstrates clearly to the Administration that there is a pressing need to actively consider changing the law by the creation of a new offence for knowingly, without the consent of the data user, obtaining or disclosing personal data held or leaked by a data user, or selling personal data so obtained. This can serve as an effective deterrent in sanctioning irresponsible behaviour in handling personal data online," Mr. Woo said.

Protection of personal data
18. Mr. Woo further added, "In the protection of personal data, apart from legislation, the cultivation of a correct attitude in the minds of the young is extremely important. In the past, we encouraged the younger generation to 'Respect Others and Protect Privacy'. In fact, protecting privacy shows that we respect ourselves too."
END