Speech by Privacy Commissioner at the special meeting of Legislative Council Panel on Home Affairs

The Privacy Commissioner for Personal Data, Mr. Roderick B Woo, spoke at the special meeting of Legislative Council Panel on Home Affairs today (July 4).  The script of his speech is appended below: -

Madam Chairman and Honorable Members,

The latest edition of the international journal “Privacy Laws & Business” has a lengthy article on Hong Kong.  It begins with the sentence “It is not easy these days being Hong Kong’s Privacy Commissioner.”  It goes on to say that “In the last three months, Privacy Commissioner Roderick B Woo, who oversees Hong Kong’s implementation of the Personal Data (Privacy) Ordinance, has issued at least 15 public statements (in fact there have been 26 since the beginning of the year) dealing with the incidents, appeared before the Legislative Council and, for the first time, invoked his office’s power to inspect personal data systems.”  Later in the article, it says “Woo and others say that Hong Kong – once a leader in private data protection, as one of the first jurisdictions outside Europe to have a data protection law – now needs to review and update its 12-year-old law to take into account new technologies and new realities.  Woo points to the efforts of Canada, New Zealand and Australia, which have begun reviewing their data ordinances in the past several years.”

When I sent in my proposals for a comprehensive review of the Ordinance last year, I said in my letter to the Secretary for Constitutional and Mainland Affairs, “I request for expedition of the legislative amendment process by the Government.  Like other privacy commissioners in overseas jurisdiction, I can see the increasing invasion of personal data privacy posed by the overwhelming technological advances.  Hong Kong will be seen to be regressing in its effort to protect data privacy if the Ordinance cannot keep pace with changes and development that are taking place.”


In another letter to the Secretary in February this year, I drew attention to the fact that since our presenting the amendment proposals, “things have happened which highlight the pressing need for legislative reform” and I concluded my letter saying “I think it is high time that Government do take proactive steps to expedite the legislative amendments process.”

I am aware the CMAB has many concerns and the review of the Ordinance may involve much work on the part of the government.  I was prepared to wait but with so many other pressing issues on the desk of the bureau chief, I wonder what his priority list looks like.

The annual subvention granted to my Office had not changed for six years.  In the past, the Commissioner sent in three formal applications for increase but all RAEs were rejected in total.  I suspect that it was only because of the publicity given to the increasing number of loss of personal data incidents that I was able to persuade CMAB to give extra resources this year purportedly not from the normal government channel but from the funds allocated to CMAB itself.  With the increased funding, I can hire one middle ranking and two lower ranking staff.  This simply is not enough.

The UK Prime Minister, after apologizing to Parliament about the loss of data containing records on 25 million people by Her Majesty’s Revenue and Customs, announced at the end of last year “We will give the Information Commissioner the power to spot check government departments, to do everything in his and our power to secure the protection of data.  We will do everything in our power to make sure that data is safe.”  Did he blame the Commissioner for the loss of data?  No.  Instead, he promised the Commissioner additional power and additional resources.

The UK Commissioner suggested to the Administration that those “who knowingly and recklessly fail to comply with DP principles could be subject to a criminal penalty.  He proposes unlimited fines but would not support custodial sentences.”  It was also on this occasion that the Prime Minister asked the Commissioner to No. 10 Downing Street to discuss matters concerning protection of personal data.

Will your Privacy Commissioner receive an invitation to meet the Chief Executive in the present climate?  I think it highly unlikely.  Why?  Well, in all my letters addressed to the Secretary for Constitutional and Mainland Affairs, I have yet to receive a letter from him.  The reply letters and matters for discussion have invariably been attended to by his senior staff.  As I said, I wonder and this Council may also wonder how serious the government is in helping the Privacy Commissioner to deal with the increasing number of data loss incidents.  It must allocate sufficient resources to tackle the problems.

In a recent coverage of my inspection of the Hospital Authority’s patient data system, a Hong Kong newspaper reported that in exercising my power of inspection for the first time, I could only spot check one hospital out of the 40 odd public hospitals under the management of HA.  At one time, I had to deploy more than half of my staff in the exercise.  In fact, I had to find four eminent experts as volunteers to help.  The press report said that faced with an influx of cases, the investigations which need to be done have to take turns.

This fairly sums up the current situation, an embarrassing situation no doubt.  I find that there is an increasing public expectation and without the resources and with the current legislation, I find it hard to close the expectation gap unless the government acts and acts promptly to give me help.