Hong Kong was the first in Asia to legislate and to establish an independent privacy commissioner for personal data covering both the private and the public sectors. The law which came into operation in 1996 required the Privacy Commissioner, as part of his functions and responsibilities, to liaise and co-operate with other persons outside Hong Kong who perform similar functions in matters of mutual interest concerning the privacy of individuals in relation to personal data. Twelve years have passed and it is quite obvious that an international network of data protection authorities is increasingly more relevant today. Around the world, new data privacy laws are either passed or actively considered. In many advanced jurisdictions major reforms are in progress. Building and maintaining a global network is therefore essential for a universal data privacy standard to be gauged. In addition to keeping in constant touch with overseas data protection authorities, I am committed to taking an active part in the following two organizations, one global and the other regional, in their membership and aspirations.

"Discussions with privacy commissioners around the world had also provided us with a far greater insight than if we had to work in isolation on divers matters such as breach notifications, privacy issues with biometrics and data user registration." Mr. Roderick B. Woo, JP Privacy Commissioner for Personal Data

The International Conference of Data Protection and Privacy Commissioners (ICDPPC) is the only international forum for data protection and privacy commissioners to meet annually to discuss a wide range of data protection issues of mutual concerns. Hong Kong was honoured in 2007 to be appointed as one of the three members (together with France and the Netherlands) which made up the Credential Committee charged with handling applications for membership and making recommendations to the International Conference. Hong Kong had also been active in a movement aiming to consolidate the procedural and organizational arrangements for the future co-operation between members of that august body.

The Asia Pacific Privacy Authorities (APPA) is a cohesive body drawing together the data protection authorities in New Zealand and Australia (including New South Wales, Victoria and the Northern Territories), Hong Kong, Canada, British Columbia of Canada and South Korea. It continued to grow in membership and stature. Hong Kong played host to the 26th Meeting of APPA in November 2006 and will do so again before long. During the year, Hong Kong gave its full support to APPA's Privacy Awareness Week Campaign which helped promote privacy awareness throughout the region.

By positively participating in these two forums, Hong Kong had become recognized as a respectable and responsible member within the regional and the global circles of privacy protection authorities. We shared our expertise and experience with other members and at the same time learned from them. One example was the Commissioner's internal working party which submitted a comprehensive package of proposals in December 2007 seeking substantial amendments to the Personal Data (Privacy) Ordinance. Although we did not wait for Hong Kong's own Law Reform Commission to embark on this venture, my colleagues and I had been helped by those who were responsible for privacy law reforms in Australia, New Zealand, the United Kingdom, Canada and elsewhere.

By way of illustration, one of the recommendations made to the HKSAR Government was that Hong Kong should consider creating a new offence for anyone knowingly, without the consent of the data user, to obtain or disclose personal data held or leaked by a data user, or selling of personal data so obtained. This suggestion was prompted by the many serious improper uses of personal data that had been leaked on the Internet in Hong Kong as well as the theft of identities which had created many problems in other jurisdictions. In making the suggestion, we were able to draw from the experience in the U.K. whose privacy law contained a similar provision which had worked well in practice in the past seven years. Discussions with privacy commissioners around the world had also provided us with a far greater insight than if we had to work in isolation on divers matters such as breach notifications, privacy issues with biometrics and data user registration.

Data protection is also one of the key concerns of Asia-Pacific Economic Co-operation (APEC) of which Hong Kong is a member economy. APEC's Electronic Commerce Steering Group (ECSG) is responsible for promoting mechanisms to increase the trust and confidence of participants in electronic commerce. The Data Privacy Subgroup (DPS) under the ECSG works to foster the development of compatible approaches to data privacy within the APEC region. It had developed a Data Privacy Framework which had been endorsed by the APEC Ministers who also endorsed the Data Privacy Pathfinder Projects devised by DPS to probe the feasibility of setting up rules to regulate the flow of personal information across borders for protection of consumers while facilitating electronic commerce. These developments represent a positive step towards the establishment of a minimum standard for the protection of personal data applicable to cross-border data flows within the Asia Pacific region.

During the year, I continued to represent Hong Kong and actively contributed to the work of the DPS, providing expert opinions and participating in the Pathfinder Projects. I attended meetings of the DPS as well as the various inter-sessional telephone conferences. My Office had, throughout the year, provided written comments on many draft papers and guidelines.

On the domestic front, I believe the work of this Office over the years had borne fruit. This is evidenced by the fact that personal data privacy was a term frequently used in the community and that the number of enquiries and complaints of a simple nature had decreased while those that came our way were more complex and sophisticated. The trend is further reflected in the significant number of enquiries from law firms and government departments and bureaux which in the past seemed able to find all the answers to their own problems in respect of privacy issues.

The period under review had been a busy year for my Office. The work done by my colleagues in the several divisions are described in some details in this Annual Report and I shall not repeat them here.

I had been impressed by my colleagues' outstanding performance, their commitment and devotion to duty throughout the year. It was due to their collective efforts that this Office had successfully coped with the many challenges that the year had brought. They were not civil servants in the strict sense of the term but they had served the public faithfully and I wish to pay tribute to them.

Roderick Woo
Privacy Commissioner for Personal Data, Hong Kong