A Presentation on Privacy and Security - The Case for Coexistence
delivered by Raymond Tang
Privacy Commissioner for Personal Data, HKSAR
at the Asian Securitex Conference
The Hong Kong Convention and Exhibition Centre
12-13 June 2002

1 SALUTATION

2 INTRODUCTION

I would like to take a slightly different approach towards security issues by linking
them with privacy issues. The case I want to develop is for coexistence
between privacy interests and security interests. This may offer
you a different context in which to reflect upon security issues whether
they be of an international, regional or local nature.

First, a bit of history. Privacy right is an aspect of human rights. This
proposition is universally accepted. Although protection of privacy
right, as a subject for black letter law, is relatively novel in many jurisdictions,
the concept is by no means new. As long ago as 1948, privacy was
given recognition in the Universal Declaration of Human Rights, and later
embodied in the International Covenant on Civil and Political Rights (commonly
referred to as the ICCPR).

There is a general consensus internationally on the basis and scope of protection
of an individual's privacy rights.

Article 12 Universal Declaration of Human Rights

On 19 December 1948, the General Assembly of the United Nations adopted the
Universal Declaration of Human Rights, and in Article 12 privacy was established
as a right.

Article 8 European Convention on Human Rights

Two years after the Universal Declaration on Human Rights, the Council of Europe
gave consideration to the Declaration, and on 4 November 1950 adopted the
European Convention on Human Rights, and in Article 8 privacy was given
due recognition. The language was slightly different from the Universal
Declaration, but the spirit and effect was the same.

Article 17 ICCPR

In 1966, the Universal Declaration was made the subject of an international
covenant open for signature by member states of the United Nations.
The ICCPR was adopted by the General Assembly on 16 December 1966, and
entered into force on 23 March 1976. You will see that the language
follows that of the Universal Declaration.

That is the situation at the international level. Locally, the international
recognition of this aspect of human rights, namely, the protection of privacy
is also reflected in our own laws in Hong Kong.

Article 14 Hong Kong Bill of Rights Ordinance

The Hong Kong Bill of Rights Ordinance was enacted on 6 June 1991 and went
into effect two days afterwards. Same language as the ICCPR.

And then, with the resumption of sovereignty, the Basic Law came into effect,
and, by Article 39 of the Basic Law, the ICCPR was incorporated into our
own municipal laws.

Section 4 Personal Data (Privacy) Ordinance

The specific aspect of privacy protection in relation to personal data is then
given effect through section 4 of the Personal Data (Privacy) Ordinance.
The data protection principles referred to in section 4 reflect the guidelines
laid down by the OECD.

In terms of personal data protection, Hong Kong is not lagging behind other
jurisdictions. We are as good as any other country and probably better
than most. We have a comprehensive legislative regime that covers
collection, use, data integrity and access right to personal data.
That legislative regime underpins an effective regulatory framework that
provides for inspection of data systems, investigation of infringements
of the legal requirements and enforcement against persistent breaches.
The framework is complete with appeal mechanism in addition to judicial
review by our courts.

What I propose doing is to look at some general security issues in Hong Kong
and relate these to privacy concerns. Let me begin by emphasizing
that in Hong Kong privacy is very much regarded as an important aspect
of human rights - you can make your own judgment by counting the number
of times privacy appears in media reports and comments. At issue
is whether there is a case to strike a balance between security as a public
interest and privacy as a personal right. My colleagues and I at
the PCPD will give a resounding 'yes' to that question - whether we are
talking about national security or other more localized aspect of security.
I do not regard a balance between privacy and security interests either
as inconsistent or untenable. I also believe that the general public
in Hong Kong will likewise give an affirmative answer to the proposition
of balance.

Presentation Overview

May I now offer you an outline of what I would like to be able to cover this
morning. More specifically, privacy interests in Hong Kong are largely
concerned with the protection of personal data, as opposed to a more generic,
and wider, interpretation of privacy. You might like to bear that
in mind.

3 CONTEXT

May I commence by offering some thoughts on the heightened need for security
that has arisen in the wake of the horrendous events of 11th September
last year in New York and Washington. It is apparent that the tragedy
very clearly indicates to governments around the world that there is an
urgent need to re-inspect the efficacy of security and intelligence agencies
and their respective policies and modus operandi, if a repetition of such
tragedy is to be averted. Although any notion of a 100% secured State
is perhaps unrealistic, there is nonetheless a demonstrated need for vigilance
around security and the interpretation of intelligence.

In my view the Hong Kong SAR Government has taken a very responsible approach
to the initiatives taken by the community of nations in the response to
international terrorism. In the light of 9/11, my starting point
is to comment briefly on Hong Kong's response, in the Hong Kong context,
at the macro level as the backdrop to what I will later say regarding micro
level interests relating to security, in this case, at the corporate level,
or, in our privacy parlance, at the level of data subjects and data users.
I will conclude by using workplace surveillance as a case study for examining
the coexistence of security and privacy interests.

Given the importance attached to privacy rights in Hong Kong I think that if
those rights were to be diminished or swept aside on the grounds that they
were in some way incompatible with our security needs there would be a
public outcry. In short, privacy rights are important to the citizens
of Hong Kong and any resolution of security issues must accommodate those
rights.

Security and Privacy - Case for Coexistence

This leads me to the proposition that a balance needs to be struck
between maintenance of security (as a public interest claim) and preservation
of privacy rights. To some observers, there is already a very real
prospect of security overkill in an attempt to attain the ideal of total
security.
The pursuit of that ideal will likely result in a fundamental revision
of security policies and practices, and, from a national security perspective,
this may well be laudable. However, my Office, the PCPD, would not
wish to see a denial of privacy rights as one outcome of those revisions.

Coexistence calls for moderation in approach. As the American writer (Mark Twain)
wryly observed: "Moderation in everything, including moderation."

4 THE HEIGHTENED NEED FOR SECURITY – THE PUBLIC INTEREST

In the aftermath of 9/11, the natural response has been to critically reappraise
national security issues and the security measures that need to be taken
by the State. Developments at the national level have been supported
by a frenetic amount of activity at the international diplomatic level
where the war on terrorism is being waged. This, of course, is necessary
if terrorism is to be eradicated, BUT, we say, moderation needs
to be exercised.

To my mind, a considered and moderate approach should be cognizant of personal
privacy rights. Although I am not a security expert, it seems to
me that security needs vary from country to country and as a consequence
there is probably no general panacea for threats to State security.
I have already questioned whether total security in the context of the
State is any more realistic a notion than a totally secured computer system.
Whilst we should support all necessary efforts to preserve the integrity
and security of the State, I would add that, because there are differences
in the needs of the State, an appropriate and measured response to heightened
security needs should take localised factors into consideration.

In summary, the case is for moderation and the protection of the basic freedoms
and liberties that have come to characterize the modern democratic society.
A measured response would therefore suggest that a knee jerk reaction resulting
in security overkill is not the most appropriate response. Perhaps
I can illustrate this with a simple example.

EXAMPLE

For a number of years I was a practising lawyer in London. During my time there
the UK mainland was subjected to some appalling terrorist attacks perpetrated
against innocent civilians. National indignation at these events
demanded that something be done to counter terrorist activity and it was
done. However, the government of the day resisted the idea of introducing
a national identity card which, in the liberal traditions of English democracy,
was, and remains, something of an anathema.

Even post 11th September there has been no headlong rush to introduce such a
card although the subject has been revisited and received extensive debate.
Indeed, I believe that drivers in the UK are still not required to carry
their driving license on their person when driving a vehicle or any other
identification for that matter.

Let me be clear, I am not saying that the 'British response' to the situation
was right or wrong (that's not for me to judge, it's for the British public
to decide).

As we all know, Hong Kong has had a system of identity cards since 1947, and
Hong Kong drivers are required by law to carry their driving licence with
them. But those requirements were not a snap response to any sudden
unforeseen event. The point I am making is that, whatever may be
the depth or magnitude of an event, we must resist the urge to allow that
event to cloud the values that we hold sacred, values that make up the
wholeness of our society. The point I am making is that there is
always the need for thoughtful reflection and an appropriate framework
against which to take important security decisions.

Hong Kong - Post 9/11

Let me now turn to the matter of security in Hong Kong and offer you a rough
guide; a snapshot if you like. First, there can be no doubt whatsoever
that the Government of the Hong Kong SAR has pledged its total support
to the international community in the fight against international terrorism.
Our commitment to the cause is undoubted.

Whilst there is no room for complacency, there do not appear to be justifiable
grounds for introducing draconian measures purely and simply on the basis
of what might, just might, happen. The Secretary for Security is
on record as saying that Hong Kong does not present itself as a high profile
target for international terrorists. Nonetheless, the Government
is committed to pass legislation (the United Nations (Anti-Terrorism Measures)
Bill) to reflect the United Nations' resolution on combating terrorism,
to tighten security measures and contribute to international efforts to
contain, if not defeat, international terrorism. We already have
a legislative framework to counter financing of terrorism or organised
crime, to prevent Hong Kong, as one of the world's leading financial centres,
from becoming a money laundering capital. So, I do not think that
we have been in any way lethargic in our response to our trading partners,
allies or the global community in seeking to make a greater contribution
to the cause.

Against that background I would like to offer you a few observations about Hong
Kong as a society. Our population is currently around 7.2 million,
and, if we were to take many comparable cities in the world of that size,
there is no question that Hong Kong compares very favourably on any indices
of safety and security. I think, with some justification, we are
able to lay reasonable claim to the view that Hong Kong is a safe and largely
law abiding society, and is seen as such by locals and visitors alike.
I would like to offer some support for that assertion.

1. First, our society is blessed with a comparably low crime rate vis-à-vis
other world cities of similar size, and this pays tribute to the efficiency
and effectiveness of our policing, security and intelligence services.

2. Secondly, our police force is highly trained, highly visible and extremely
well equipped. Officers patrolling the streets, in high volume pedestrian
shopping and entertainment areas and at transportation facilities are the
norm in Hong Kong rather than the exception.

3. Thirdly, we have had the foresight to create specialist and highly trained
police units that are charged with the responsibility of protecting security
along our rather porous borders with the Mainland and at 'high risk' locations
such as our international airport. The airport affords a good example of
our approach towards security issues. In addition to its own police station
it has a specialist team of internationally trained officers - The Airport
Security Unit - that are on 24 hour patrol and clearly visible within the
precincts of the airport. Our airport also has cutting edge technology
for screening passengers and baggage and makes extensive use of video camera
networks and surveillance equipment.

To the best of my knowledge since the airport opened in 1998 there has been
no terrorist incident or major threat of such.

4. Hong Kong is also unusual in that since 1947 we have had a system of identity
cards, originally introduced to stem the tide of illegal immigrants. This
was seen to be a positive precautionary measure by the government of the
day. Generally, there has been no resistance from the community towards
either issuing identity cards, or being required to carry them at all times.
In short, the public are acclimatised to possessing an identity card. It
is a fact of life in Hong Kong that does not give rise to any great concern.

The recent initiative from our Immigration Department to issue a 'smart' ID
card with multi-function capabilities has caused some concerns in the privacy
community. The 'smartness' has its value, of course; with a special
chip and a biometric identifier, it makes counterfeiting and identity theft
that much more difficult.

Two issues in particular are worthy of mention:

1. The first of these is that the smart card would be subject to 'function
creep', that is, the risk that the card might be put to multiple uses,
beyond its original purpose of introduction. At the moment, the primary
purpose of the smart card is for personal identification purposes.
We are told that, at the option of the individual, driver licence details
and library access facilities may be included. That is the sort of
option that the Privacy Commissioner's Office would welcome because it
respects the notion of informed choice, which is a core value in the world
of privacy.

2. The second issue is that of identity theft. This was an issue that
was looked at by the consultants appointed to investigate the introduction
of the card. As a consequence of their recommendations, it was decided
to build a biometric identifier into the card. The measure of biometric
accuracy is, of course, the level to which they generate false negatives
or false positives of the identity of the individual. We are led
to believe that the incidence of either outcome is extremely low.

In summary, our view is that the same level of apprehension does not exist
in all societies around the world in terms of the threat posed by terrorism,
which, I believe, is often seen to be time and place specific.
If that argument is accepted, then the context of a society should
be given some weight in terms of the magnitude and comprehensiveness of
any response to heightened security needs. Whilst we are committed
to combat international terrorism, our perspectives may be different from
those of the United States, or, for that matter, from many of the other
places around the world which have suffered from terrorism. A 'cookie-cutter'
approach to security seems inappropriate.

May I now turn to the need for good privacy practices that are designed to
protect the personal data privacy rights of the citizens of Hong Kong.

Personal Data Privacy in Hong Kong

5 THE NEED FOR GOOD PRIVACY PRACTICES – A PERSONAL RIGHT

Let me make it clear that the Ordinance that my Office regulates - The Personal
Data (Privacy) Ordinance - is not oblivious to the needs of security.
Indeed, there are specific provisions built into the Ordinance that offer
exemptions for security and crime. The draftsmen of the Ordinance,
and the legislators who enacted it, were fully aware that there was a need
to ensure the free flow of personal data where there was reasonable suspicion
of criminal wrong doing or where the security of the State was in jeopardy.

The background to personal data privacy in Hong Kong commenced around 1993
when the Law Reform Commission reviewed the subject of privacy. The
consequence of that enquiry was a report that recommended the establishment
of the office of the Privacy Commissioner for Personal Data. Insofar
as Hong Kong is concerned, privacy is defined in terms of personal data
privacy of an individual.

The Ordinance took effect in December 1996 so we have been in business for
5 1/2 years. The creation of the PCPD established a regulatory framework
for compliance purposes and is therefore in existence to ensure that the
provisions of the Ordinance are upheld. This means that we both encourage,
and ensure, compliance and the adoption of good privacy practices by organisations
and individuals alike.

Our Ordinance, in common with many, is derived from two milestones in privacy
legislation. The first of these is the early work undertaken under
the leadership of Justice Michael Kirby in formulating the OECD Data Protection
Guidelines. This was a landmark achievement in seeking to codify
a legal approach to privacy rights. Out of those guidelines grew
a number of fundamental tenets that have subsequently become embodied in
privacy legislation in many jurisdictions in the world, including Hong
Kong. Under our Ordinance these are called Data Protection Principles.

However, that was some 22 years ago and we have moved on a long way since then.
The approach to legislating for privacy in Hong Kong was significantly
influenced by what some would call the European Model of privacy protection.
A vast majority of member states of the European Union have privacy legislation,
and there is a considerable degree of conformity and consistency in Europe
regarding the protection of information and personal data. European
Directives drew upon the OECD guidelines but went further by enhancing
them and clarifying some of the issues that were less than clear.
By the mid 1990's, we had a situation in Europe in which there were generally
held principles pertaining to information and personal data privacy rights.

PD(P)O

The Ordinance that my Office regulates is concerned with the collection, accuracy,
retention, use and security of personal data. Good privacy practices
are built around those aspects and seek to offer practical guidelines towards
becoming a privacy-compliant data user. The law has universal application
and is therefore non-discriminatory.

What are Personal Data?

What then are personal data? Personal data include those identifiable
pieces of information such as name, address, age, identity card number,
salary, marital status, E-mail address, etc. Our Ordinance in common
with many others distinguishes between data users, for example employers,
and data subjects such as employees or customers.

Personal data, therefore, relate directly or indirectly to a living individual,
from which it is practical to ascertain the identity of the individual,
and in a form in which access or processing is practical. This implies
that there must be a record of personal data.

Increased Interest in Privacy in HK - 3 main drivers

Three main drivers stimulated increased interest in privacy in Hong Kong.
I will not go into these in detail but fundamentally they were technological
developments, particularly the advent of the Internet, the emergence
of privacy as a social value and human right, and global economic
developments, that is, the movement from protectionist economies to
global trade. This economic development, in particular, had the resultant
effect of transferring vast quantities of personal data around the world
- i.e. transborder flow of data.

PCPD's Approach to Upholding the Ordinance

Although we regard ourselves as the primary advocate of personal data privacy rights
in Hong Kong, we do not regard ourselves as being privacy purists.
We see the need to strike a workable balance between the personal data
privacy rights of the individual and other rights that exist within our
society. We seek to strike a balance between competing community
interests. For example, the privacy interests of the individual and
the public security interests of Hong Kong; the privacy interests of
the individual and the economic interests of Hong Kong.

Our approach towards upholding the provisions of the Ordinance relies very
heavily upon the use of mediation and conciliation as opposed to confrontation,
conflict and punishment. Although we have the ability to draw upon
various penalties and sanctions, our approach, largely speaking, has been
softly, softly, rather than to resort to the use of the big stick.
In the main, we find that listening and mediating between parties in disputes
is an effective means of resolving those disputes, and, in so doing, promoting
a sense of mutual respect for personal privacy.

Our efforts have enhanced public awareness of their personal data privacy rights.
They have offered benefits and utilities both to data users and data subjects
and they hold out the promise of establishing a culture in Hong Kong that
respects the personal privacy of the individual.

I hope, ladies and gentlemen, this provides you with an insight to the background
of privacy in Hong Kong and conveys to you that, if anything were to interfere,
obstruct or diminish those rights, then this is something that would be
taken seriously, both in our Legislative Council and the community at large.
The Government of the HKSAR and the PCPD are obliged therefore to factor
privacy into any re-appraisal of security needs.

6 STRIKING A BALANCE BETWEEN RESPECTIVE SECURITY AND PRIVACY INTERESTS

Striking the Balance

So, what is this state of co-existence I have alluded to? I think, from
a pragmatic viewpoint, enhanced security measures should not be introduced
at the expense of privacy rights, unless there is substantial evidence
to suggest that there is no alternative to this trade-off, i.e. that privacy
rights must be subordinated to security issues. I would also suggest
that in the atmosphere we can expect in the future - calls for enhanced
security measures - there is a need to use technology, not
simply to identify threats, but to protect personal data privacy interests
as well. Enhanced security measures should go hand in glove with
the application of what is termed 'PET' (Privacy Enhancing Technology)
to ensure that legitimate privacy interests of the vast majority of law
abiding citizens are protected.

Privacy Rights under Threat?

In looking at technology, which is designed to heighten security capabilities,
I think that there is a case to be made that developments have some way
to go before they offer the level of protection that many jurisdictions
would like to see. That is a level of protection that borders on
infallibility. Technology is making tremendous strides in the furtherance
of security, and yet, privacy-enhancing technology seems to take a back
seat in such deliberations. I have already mentioned the concerns
in Hong Kong, not about holding or having on one's person an ID card, but
the prospect of that ID card being hijacked, thereby permitting identity
theft. It has also been reported that finger print biometrics, and
the application of digital face recognition technology in airport security
systems, are not always as accurate as some exponents of this technology
would have us believe. There is, therefore, some substance to the
view that technology needs to make a stronger case, rather than being regarded
as a first resort option that should automatically be deployed to protect
security.

These factors suggest to me that whilst the intention of technology in protecting
security is, without doubt, well intentioned, there are still holes that
need to be plugged. In seeking to overcome deficiencies, I would
argue that there should be an attempt to secure the privacy rights of the
individual that would give a measure of security to those rights.

In summary, therefore the challenge is to develop strategies that enhance
security and yet are privacy-protective. In Hong Kong, we already know,
from our own research, that there are concerns that privacy rights are
under threat. I have mentioned the phenomenon of function creep in
the context of the smart identity card. However, we have had a number
of initiatives proposed by policy bureaux of the Hong Kong government that
have also given rise to privacy concerns within our community. Let
me raise two.

EXAMPLES

Last year our Health and Welfare Bureau put out a public consultation paper
calling for the establishment of a centralized medical records' database.
This database would initially be restricted to public sector medicine,
although the longer term objective is to extend it to private medical care
and the welfare sector. Of course, sound medical reasons were advanced
for establishing this database.

However, given the concentration of very sensitive information, and the fact that
the database would be accessible by a large number of doctors, surgeons,
paramedics etc., the proposal presents some significant issues. Not
the least of these are the integrity of personal data in transmission and
in back-end systems, and the access and authorization protocols that need
to be applied to ensure that medical data are subject to stringent safeguards.

Then, we have the issue on the use of surveillance cameras in public places.
Hong Kong is not the UK, and has not been subjected to the terrorist attacks
that the citizens of Britain have had to endure for a number of years.
One of the consequences of those attacks has been the massive deployment
of CCTV cameras. Huge numbers were mentioned - 6,000 cameras inside
London, and 2 million around the country. Such numbers, if true,
would dwarf what was proposed in Hong Kong. Nevertheless, the very
suggestion by the police that deployment of surveillance cameras in high
pedestrian volume shopping and entertainment areas was being considered
gave rise to privacy concerns and a lively public debate.

One of the main counter-arguments advanced is whether the installation of surveillance
cameras in public places is really about security, or about 'Big Brother'
and a fatal attack on privacy. Again, there are arguments for and
against.

Workplace Monitoring - a Case Study

In looking at my proposition - the need for moderation and balance - let me
now move to a case study that illustrates the very pragmatic issues that
need to be resolved. This case study involves surveillance in the
workplace which, in Hong Kong, has become increasingly prevalent - first,
because of advances in technology, and, secondly, because price competition
has made the installation of surveillance equipment very affordable even
for the smaller firms. The net effect of this is that workplace surveillance
has become much more pervasive. That is, more employees in Hong Kong
have become subjected to more forms of surveillance. More importantly,
there is evidence that under the pretext of security, productivity and
other corporate interests in the workplace, privacy rights have been pushed
to one side - rights that are conferred by the law and extend to the workplace.

For over a year, the PCPD worked on a consultation exercise on a proposed Code
of Practice on Monitoring and Personal Data Privacy at Work. This Code
seeks to apply our privacy law to workplace surveillance and offer employers
pragmatic guidelines in terms of respecting employees' legitimate privacy
rights. This initiative has brought to the surface a number of very
real issues that need to be resolved in seeking to strike the balance between
security and privacy.

This project was essentially a response to a Law Reform Commission recommendation
that the PCPD draft a code of practice that would inform and provide practical
guidelines to employers, employees and members of the general public.
Before embarking on the project we commissioned a study to inform our decisions,
and shed some light on how we should seek to strike a balance between the
respective (and, I would argue, equally) legitimate rights of employers
and employees. The study revealed that the primary reasons for introducing
surveillance measures in the workplace were in fact not related
to productivity issues. These issues could be addressed, equally
effectively, in a more traditional way by face-to-face discussions or 'house
rules'. The most important reasons cited by employers for introducing
surveillance in the workplace were (a) to ensure security, and (b) to try
and regulate improper behaviour of employees. Security was however
by far the most important reason. This is perfectly understandable
and we would in no way wish to interfere with the managerial prerogative
that seeks to best manage the affairs, assets and resources of the business.

However, the findings we obtained from our study suggested that there were privacy
issues that were being disregarded by employers. Let me give you
an indication of what I mean.

1. First, we established that something in the region of 64% of employers
surveyed had installed at least one form of monitoring device.

2. Secondly, one in three of employers had installed two or more forms of
monitoring device. Rather alarmingly, a small minority had installed no
fewer than five forms of monitoring device, which, to my mind,
is bordering upon the obsessional. Whatever happened to the good
old fashioned approach of dealing with employer/employee issues through
consultation and discussion? Has the application of surveillance
technology in organisations made talking to staff obsolete?

3. Thirdly, we established that of the employers we surveyed only 22% had
issued a written policy on employee monitoring. This seems strange
given that employers have written policies covering everything from punctuality
to leave entitlement. However, this does not address the privacy
issue, which is, that our Ordinance clearly requires employers to notify
employees of the collection of their personal data, and the uses to which
that data are to be put. If only one in five employers are doing
that, then clearly a large number of them are intentionally or unintentionally
violating the provisions of the Ordinance. They are breaking the
law. As far as my Office is concerned this is not an acceptable state
of affairs. Stewardship of the business is one thing, but it should not
be conducted in a manner that disregards the personal data privacy rights
of the employee - a statutory right.

The bottom line for my Office in looking at these results is that concerns
for workplace security, amongst others, have eroded privacy rights and
in the process infringed the law. As we do not regard this as something
to be either accepted or tolerated, we decided to respond to the LRC's
recommendation and press ahead with developing the Code.

In compliance with our statutory obligation, the PCPD has issued a consultation
paper with a draft Code attached. One of the questions we asked was
whether a code or a set of guidelines should be issued. So, in referring
to a 'code', I am using the word somewhat loosely, and I would ask
you not to assume that a decision has been made to issue such a code.
My
colleagues and I regard the Code as an attempt to redress what is a clear
imbalance between the rights of the employer - to manage security aspects
of the business - and the privacy rights of the employee.
Our
approach to striking the balance has invoked the application of two principles,
and I would suggest to you that these principles are generalizable to the
interface between security and privacy. To that extent the principles
are not confined to the example that I have chosen to use, namely workplace
surveillance.
Guiding Principles
The
first of these principles concerns transparency. That is,
employees have the right to know about the security measures they may be
subjected to in the workplace, and any threats they may pose to their privacy
rights. For example, employers accessing the content of personal
E-Mails, where permission is granted by the employer to the employee to
use E-Mail facilities at work for personal communications.
The
second principle is that of proportionality. That is, any
form of surveillance in the workplace, no matter how well intentioned,
should be proportional. By proportional, I mean proportional to the
risks to be managed and the benefits to be derived from surveillance in
managing those risks. A workplace environment that has five or more
forms of surveillance may well be an intimidating environment that would
seem to me to violate basic worker expectations around dignity, and the
need for mutual trust between employer and employee.
Our
observations on workplace monitoring, bearing in mind that our study shows
it to be primarily concerned with protecting security and improper behaviour,
are that there has been a disparity between employers' surveillance practices
in the workplace, and employees' perception of their invasiveness.
Whilst the reasons for introducing workplace surveillance are genuine,
the implementation of surveillance measures has resulted in activities
which many employees perceive to be invasive of their privacy. One
ramification of that is that the practice of unfettered surveillance, or
surveillance overkill, may not be conducive to a healthy work environment
characterized by good employee relations.
The
draft Code sought to accord respect to employers' interests pertaining
to productivity, the misuse of company resources, service quality control
etc. On the other side of the scale are the employees' interests,
such as dignity for the individual employee's privacy at work, and the
right to expect a degree of trust from the employer, rather than to create
a situation where the employee is under constant surveillance. Surveillance
for the sake of surveillance that is.
Observations on Monitoring in the Workplace
In
our research, we have established that there are at least three types of
CCTV surveillance deployed in the workplace. These are continuous,
universal and covert. Because there are conditions under which each
of these forms of surveillance is legitimate, we have deliberately not
sought to outlaw them. What we have done is to establish the parameters
or necessary conditions under which those forms of surveillance are acceptable,
without violating the personal privacy interests of the individual.
Although
I have chosen an example that illustrates my proposition at the micro level,
we believe that our approach to formulating the Code is indicative of how
security needs and privacy rights can co-exist. The Code does not
deny either party their legitimate rights; both are worthy of incorporation
in a framework of rules and regulations that are pragmatic in their application.
Moreover,
our Code encourages employers to disseminate an employee monitoring policy
and take ambiguity out of the employment relationship, such that employees
are left in no doubt as to the consequence of their actions. In other
words, there should be no unpleasant surprises. Put in another way,
let the employer be fair, and let the employee be aware.
Of
course, this approach may not be appropriate where matters of national
security are at stake, but where that is not the case, coexistence remains,
to my mind, a noble, and achievable, objective.
Ladies
and gentlemen, I have reduced my argument from looking at security and
privacy at the macro level to something that is a lot more specific; workplace
surveillance. Nevertheless, I believe that there are lessons to be
derived from this process that are worthy of consideration when seeking
to develop appropriate security policies, procedures and practices.
In
summary, I have appealed for co-existence rather than a situation in which
privacy rights are given cursory consideration in any response to heightened
security needs of the State or body corporate.
Secondly,
I have tried to convey to you the idea that privacy rights in certain jurisdictions,
including a growing number of Asian countries, amount to a human right
that citizens wish to have upheld. They expect to exercise an element
of control over their privacy, rather than have that control usurped by
conveniently citing security as the reason for that usurpation, and using
legal force to execute it.
Thirdly,
I have sought to offer, in the example of workplace surveillance, a framework
for establishing a state of co-existence, which applies the principles
of proportionality and transparency. Two factors which may be accurately
described as cornerstones of an appropriate security/privacy framework.
Even
if I were to concede that at the State level, it may not always be possible
to exercise these principles, I do believe that those responsible for responding
to heightened security needs should be guided by a principled approach.
Certainly, one of the aspects of that principled approach should, wherever
possible, be a level of openness and transparency. For example, if
the privacy rights of the individual are to be compromised in the interest
of the State or corporate security, what is the rationale for diminishing
those rights? The least that governments and employers can do is
to offer reasoned explanation - an explanation that would appeal to a reasonable
person.
Safeguards
should be introduced to guard against unauthorized, unnecessary or accidental
accessing of an individual's personal data. There may be circumstances
in which extreme security levels may be the only effective solution, but
I would suggest that there are many others in which it would not.
May
I therefore conclude, ladies and gentlemen, by suggesting to you that Hong
Kong is a case in point insofar as moderation and coexistence of security
and privacy interests are concerned. This jurisdiction has demonstrated
an unquestionable commitment to preserving security interests. It
would be a complete abrogation of government responsibility to do otherwise.
However, I have also indicated that Hong Kong is a society in which the
human right of privacy is something which is highly valued. Naturally,
as the Privacy Commissioner, I have a vested interest in sustaining that
value. In the example of our Code on workplace monitoring, I have
sought to offer you a model that you may wish to reflect upon, a model
that wrestles with some conflicting and complex issues. In this context
seeking to balance security and privacy implies both capability and a commitment
towards striking that balance. That, ladies and gentlemen, is the
fundamental challenge that lies before us.
Thank you.
END