Office of the Privacy Commissioner for Personal Data, Hong Kong

A Sample Survey of Web Sites in Hong Kong
on Practices in Relation to the
Collection of Personal Data on the Internet
(Conducted in July to October 1998)

Recommendations

Organisations hosting web sites which collect personal data are advised to implement the following measures to comply with the requirements of the Ordinance and as a matter of good practice:

  • Provide on-line PIC Statements - Organisations which provide forms to collect personal data on their web sites but without clearly stating the purposes for collecting the personal data and other matters as required by Data Protection Principle 1 (3) of the Ordinance may be in breach of the Ordinance. These organisations should prepare and make available on-line a PIC Statement setting out the purposes for which the data collected are to be used. The PIC Statement could be laid out on the same web page as the personal data collection form, or it could be on another page, as long as the form carries a clearly visible, well-described link to that separate page. Every personal data collection form in a web site should carry a PIC Statement, not just some of them, as some organisations were found in the survey to be doing.

  • Provide an on-line Privacy Policy Statement - Organisations with web sites collecting personal data should prepare and make available on-line an easy-to-find Privacy Policy Statement, informing visitors of their policies and practices in relation to personal data and the kinds of personal data collected and held and the main purposes for which the data are used. The Privacy Policy Statement should be set up as a linked page accessible from the home page and other pages from which personal data are collected.

  • Young Persons' Web Sites - Data Protection Principle 1 of the Ordinance stipulates, among other requirements, that personal data shall be collected by means which are fair in the circumstances of the case. Young persons are vulnerable, and collecting information including personal data directly from them without appropriate parental control and supervision could be regarded as unfair collection of personal data. Sites aimed at minors are therefore strongly urged to consider carefully their policy in collecting information from young persons, and to involve parents/guardians in the data collection process. Good references can be drawn from some overseas sites aimed at young children (e.g. http://www.yahooligans.com/docs/safety/privacy.html and http://www.ctw.org/fyi/privacy/0,1452,,00.html). It was noted that many such overseas sites state clearly the purposes for collecting personal data and some have a Privacy Policy Statement. Some of these statements also provide guidance notes to parents on how to supervise their children who surf the Internet.

  • Be open about the use of cookies - Organisations making use of cookies should inform visitors in their Privacy Policy Statements about this practice and how non-acceptance of cookies may affect the functionality of their web sites.

  • Ensure a secure environment for the collection and transmission of personal data - Organisations should apply a "harm test" to the personal data they collect and transmit on the Internet so as to implement the appropriate level of security measures. Organisations collecting detailed resumes from job applicants or credit card/bank account information for service payments would require a more stringent level of security, e.g. encryption. If transfers of sensitive personal data are not encrypted, web sites should alert users to the risks of transmission and offer users alternative secure means of supplying the data.

  • Ensure a secure environment for access to personal data held - Allowing uncontrolled access by Internet surfers to personal data held by an organisation could be in contravention of Data Protection Principle 4 of the Ordinance on the security of personal data. Again, a "harm test" can be applied. In addition, individuals providing the personal data concerned should be fully informed at the outset about the sort of access provided.

  • Anonymous browsing of a web site is encouraged - Analogous to window shopping or gathering of information publicly displayed, allowing anonymous browsing, or giving visitors an informed choice of anonymity, is encouraged.

To assist organisations in protecting individuals' privacy on the Internet, the PCPD published two booklets in January 1998 - "Personal Data Privacy and the Internet - A Guide for Data Users" and "Internet Surfing with Privacy in Mind - A Guide for Individual Net Users". These booklets are available from the PCPD and can be found here on the PCPD web site. To assist organisations in preparing Personal Information Collection Statements and Privacy Policy Statements for their web sites in particular, the PCPD has added a new section to its web site, giving practical guidance on this.

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.