Year Ender 2011 of the PCPD
The Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Allan Chiang briefed today (14 February) the major work accomplished by the Office of the Privacy Commissioner for Personal Data (“PCPD”) in 2011, as follows:
1. Complaint Cases
From January to December 2011, 1,486 complaint cases were received, which represent an increase of 26% on the number of cases received in 2010 (1,179) and an increase of 48% on that of 2009 (1,001). Of these complaints, 1,101 cases were made against the private sector, 131 against the public sector/government departments and 254 against individuals. Of the complaints made against the private sector, financial institutions ranked highest in the number of complaints received (200 cases), followed by property management (137 cases) and telecommunications (122 cases).
With regard to the nature of complaints, the highest number of complaints related to the purpose and manner of data collection (723 cases), followed by complaints about the use of personal data without the consent of data subjects (681 cases), data security (223 cases), accuracy and duration of retention (125 cases), and use of personal data for direct marketing (119 cases). The figures of the first four items are higher than those of 2010, reflecting a rise in public awareness of personal data privacy protection. On the contrary, the number of cases on the use of personal data for direct marketing purposes has decreased from 157 in 2010 to 119 in 2011, which may represent an improvement in the practices of the relevant industry players.
In 2011, the Commissioner issued one enforcement notice, directing the data user concerned to take specified steps to remedy the contravention. In 224 cases, the Commissioner issued warning letters and provided advice or recommendations to data users complained against. In 15 cases, the Commissioner accepted written undertakings by data users complained against to take steps to rectify the contraventions.
In addition, the Commissioner published eight investigation reports in 2011. This compares with 15 investigation reports in all published previously since the Ordinance came into effect in 1996. More frequent publication of investigation reports, coupled with the practice to name the corporate data user since June 2011, has effectively served to invoke the sanction and discipline of public scrutiny and discouraged non-compliant behavior on the part of data users facing similar investigation.
2. Conviction Cases
In 2011, 12 contravention cases were referred to the Police for consideration of prosecution. In the same period, in 4 cases the data users complained against were convicted of contravening sections 34(1) and 64(10) of the Ordinance. Compared with 10 convictions in all since 1996 when the Ordinance came into effect, this is a considerable achievement.
In the above conviction cases, the complainants had requested the data users complained against not to contact them for the purpose of direct marketing. However, the data users continued to contact them despite their opt-out requests. Under section 34(1), a data user should stop contacting the individual who has made an opt-out request.
3. Enquiry Cases, Compliance Checks and Matching Procedures
In 2011, the PCPD received a total of 18,680 enquiry cases, a rise of 4% as compared with 18,000 cases in 2010. Major issues of enquiries involved human resource and personal data, data access requests, use of personal data in direct marketing, and collection of ID card numbers or copies.
Moreover, the Commissioner carried out 154 compliance checks in 2011 to review the practices of data users suspected or alleged of contravening the Ordinance and urge them to take appropriate remedial measures. This represents an increase of 21% on the figure of 127 compliance checks carried out in 2010.
4. Review of the Personal Data (Privacy) Ordinance
The Ordinance came into force in 1996. To ensure the adequacy of the level of personal data privacy protection afforded under the Ordinance, the Government carried out a comprehensive review of the Ordinance with the assistance of the Commissioner. The Government formally commenced work in 2009. On 13 July 2011, the Constitutional and Mainland Affairs Bureau submitted the Personal Data (Privacy) (Amendment) Bill 2011 (“Amendment Bill”) to the Legislative Council. The First Reading and Second Reading of the Amendment Bill have been carried out, and the provisions of the Amendment Bill are being examined. The Commissioner’s submissions on the Amendment Bill has been presented to the Government and members of the Bills Committee. The Commissioner has also met many members of the Bills Committee, representatives of relevant industries, and the Under Secretary for Constitutional and Mainland Affairs to explain PCPD’s stance on the Amendment Bill and exchange views with them. Please see the two latest submissions by the PCPD to the Bills Committee at (www.pcpd.org.hk/english/files/review_ordinance/legco_paper_20111212_e.pdf) and (www.pcpd.org.hk/english/files/review_ordinance/standpoint_annex_e.pdf).
5. Promotion and Education Work
There is heightening public awareness of privacy rights regarding personal data. To ensure that data users understand their responsibilities and data subjects understand their rights under the law, the PCPD developed a number of new initiatives in promotion and education in 2011.
In 2011, young people were the targets of PCPD’s promotion and education efforts. Hence, the PCPD took an active role to incorporate the message of personal data privacy into Liberal Studies and Other Learning Experience under the New Senior Secondary curriculum. In order to encourage young people to convey the message of personal data protection, the PCPD launched the “Privacy Protection Student Ambassador Programme”, in which over 700 students from 31 secondary schools have enrolled as student ambassadors to promote the message of “respect personal data privacy” in their schools by various means.
Moreover, the PCPD published the Personal Data (Privacy) Ordinance Liberal Studies Teaching Kit to assist secondary school teachers in teaching students how to protect their personal data and respect others’ personal data privacy in Liberal Studies classes.
The PCPD has organized a large-scale first-of-its-kind educational programme on personal data privacy protection for university students. The PCPD visited ten universities/post-secondary schools in Hong Kong to promote the importance of personal data privacy protection among university students and show them how they can protect their personal data and those of their friends in everyday life.
Furthermore, in 2011, the PCPD conducted a total of 212 seminars and workshops (with a total audience of nearly 20,000), representing an increase of 76% over the previous year. There were three categories. First, free introductory seminars on personal data protection were offered to the public. To cater for increasing demand, the frequency of these seminars has increased from once per month to three seminars each month since February 2011. Secondly, the PCPD organized public seminars on topical issues. Starting from March 2011, seminars on the theme “Promotion of Personal Data Privacy – Proper Use of Technology in Daily Life” have been conducted once every month to educate the public on data protection in the use of Internet and advanced communications products, including social networking. Thirdly, the PCPD provided tailor-made courses in response to requests from individual organizations and demand from specific sectors. Since January 2011, free seminars have been specially arranged for university undergraduates and secondary school students.
The PCPD has launched a series of professional compliance workshops to suit the needs of executives dealing with personal data in different work contexts. The initiative received the support of 26 professional organizations and trade associations. A total of 52 workshops were held in 2011.
6. Guidance to assist Compliance
Guidance Notes on special subjects have proved to be extremely useful to professionals as they provide comprehensive and practical advice on compliance with the law based on our enforcement experiences and developments in the interpretations of the law. In 2011, two guidance notes (namely, electioneering and property management) were revised and three new guidance notes (namely, Internet services, use of portable storage devices and personal data erasure and anonymisation) were issued. In addition, three leaflets on specific data protection issues were issued/ revised to assist the general public’s understanding of data protection. These included “Making an Opt-out Request from Direct Marketing Activities under the Personal Data (Privacy) Ordinance”, “Protecting Online Privacy – Use Social Networking Sites Smartly”, and “Exercising Your Data Access Rights under the Personal Data (Privacy) Ordinance”.
7. Highlights of the 2012 Work Plan
The Commissioner expects that the Legislative Council will complete the review of the Amendment Bill and implement the amendments soon to offer better protection of personal data privacy. The PCPD will prepare for the implementation of the amendments, including the setting up of a new system to provide legal assistance to aggrieved parties to take civil action against data users.
In the area of public education, the PCPD will continue to carry out different promotion and education activities as well as to put efforts in the promotion and public education in relation to the new amendments for both data users and data subjects.
In enforcement work, the PCPD will strive to enhance efficiency to cope with the increasing workload.
Regarding the Data User Returns Scheme, the PCPD will continue to work with the four regulated industries (i.e. banking, telecommunications, insurance, and government and public bodies). It is expected that the Scheme will be gazetted in 2012 and implemented in 2013.