Office of the Privacy Commissioner for Personal Data, Hong Kong

Personal Data Privacy and the Internet - A Guide for Data Users

Data users who are Internet Service Providers (ISPs) - other considerations

=>Handling personal data flowing through an ISP site. If an organisation operates an Internet server, it is legally not a data user in respect of any personal data received from another server and passed on to a third party, provided it makes no use of the data for any of its own purposes. This applies to telecommunications organisations which provide the basic network for data transfer and to ISPs which provide the "store and forward" function for data traffic and connectivity to the Internet. Personal data contained in web pages which the ISP hosts for its customers, or in e-mails in transit, would therefore not be the ISP's responsibility under the Ordinance. Even so, good practice for an ISP would be to transfer transit data to its destination immediately, by a secure means of transmission, and to delete the data from its server at the earliest opportunity in accordance with its retention policy.

=>Handling personal data of subscribers. Subscribers to an ISP for its access service to the Internet are customers of the ISP. Inevitably, personal data will be collected from the subscribers for the purpose of account administration. In this respect, the ISP will be a data user as defined by the Ordinance as regards the customers' personal data that it collects, holds, processes and uses. Guidance provided in previous sections of this Guide is applicable to such data.

An ISP should inform its customers of the purposes for which it uses its customers' "clicktrails" information.

=>Using "clicktrails" information. Customers' activities and trails from site to site as they surf the Internet, stored in the server's log files, are personal data if it is possible to relate such clicktrails to an individual customer in any practicable way. The issue with clicktrails is that the information collected may be analysed so that a profile of the individual's interests and preferences can be built or sold, for example for direct marketing purposes. It may also reveal personal interests or activities of a sensitive nature, e.g. regular accesses to a particular site. An ISP should not do this kind of analysis, as the customer does not provide the data for such use. Indeed, most customers are probably unaware that such personal data about them may exist. ISPs should state in their PIC Statements (see the section on "Collecting personal data on the Internet") that such data will only be used for the purpose of system maintenance and troubleshooting.

=>Handling access requests regarding "clicktrails" information. The Ordinance gives an individual the right to request a copy of the personal data relating to him/her held by a data user. Access to data that relates to an identifiable individual need only be provided if it would be reasonably practicable to access or process such data. Hence, if the clicktrails records are held in such a manner that access on the basis of attribution to particular individuals is not practicable, the ISP is not required to provide a copy in response to such an access request.
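The two preceding points, keeping clicktrails only for system maintenance and troubleshooting, and the access-request position that follows from whether records can practicably be attributed to an individual, can be turned into a concrete log-handling design. The following is an added example, not part of the PCPD guide and not any ISP's actual code. It assumes a constructed access-log format (account, timestamp, method, URL, status, bytes) and a hypothetical design in which the account name is replaced by a keyed pseudonym whose key is random per day and discarded when the day is closed: within a day an operator can still group one subscriber's requests to diagnose a fault, but no stable identifier survives for profiling across days, and once the day's key is gone attribution to an account is no longer practicable. The seven-day retention period is illustrative.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of raw access-log lines (hypothetical format):
# <account> <ISO timestamp> <method> <URL> <HTTP status> <bytes sent>
RAW_LOG = """\
acct-10482 2001-03-05T09:12:44Z GET http://www.example.com/news/politics?id=77 200 5123
acct-10482 2001-03-05T09:13:01Z GET http://health.example.org/clinic/test-results 200 2211
acct-22910 2001-03-05T09:13:05Z GET http://www.example.com/ 500 0
acct-10482 2001-03-06T21:40:10Z GET http://health.example.org/clinic/test-results 200 2211
acct-22910 2001-03-06T21:41:00Z GET http://shop.example.net/cart 504 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Per-day pseudonymisation keys (hypothetical design). A key exists only while
# that day's records are being written; close_day() discards it for good.
_DAY_KEYS = {}
_CLOSED_DAYS = set()


def parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Parse one raw log line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    account, ts, method, url, status, nbytes = m.groups()
    return {"account": account, "ts": parse_ts(ts), "method": method,
            "url": url, "status": int(status), "bytes": int(nbytes)}


def day_key(day):
    """Random key for `day`, created on first use; unavailable once the day is closed."""
    if day in _CLOSED_DAYS:
        raise KeyError(f"key for {day} has been discarded")
    return _DAY_KEYS.setdefault(day, os.urandom(32))


def close_day(day):
    """End of day: drop the key, so that day's pseudonyms can no longer be recomputed."""
    _DAY_KEYS.pop(day, None)
    _CLOSED_DAYS.add(day)


def pseudonym(account, day):
    """Keyed, daily-rotating pseudonym: groupable within a day, unlinkable across days."""
    return hmac.new(day_key(day), account.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(record):
    """Keep only what troubleshooting needs: when, which host, what outcome.
    The account name and the URL path/query (the actual clicktrail) are dropped."""
    day = record["ts"].date().isoformat()
    return {"day": day, "ts": record["ts"], "who": pseudonym(record["account"], day),
            "host": urlsplit(record["url"]).hostname,
            "status": record["status"], "bytes": record["bytes"]}


def minimise_log(raw_text):
    return [minimise(parse_line(l)) for l in raw_text.splitlines() if l.strip()]


def purge_expired(records, now_iso, retention_days=7):
    """Apply the retention policy: drop records older than retention_days."""
    cutoff = parse_ts(now_iso) - timedelta(days=retention_days)
    return [r for r in records if r["ts"] >= cutoff]


def linkable_across_days(records):
    """True if any pseudonym appears on more than one day, i.e. cross-day profiling is possible."""
    days_seen = {}
    for r in records:
        days_seen.setdefault(r["who"], set()).add(r["day"])
    return any(len(d) > 1 for d in days_seen.values())


def records_for_account(records, account, day):
    """Answer an access request for one subscriber's records of `day`.
    Only possible while that day's key exists; afterwards attribution is not
    practicable and None is returned."""
    if day in _CLOSED_DAYS:
        return None
    p = pseudonym(account, day)
    return [r for r in records if r["day"] == day and r["who"] == p]


def failing_requests_by_host(records):
    """The troubleshooting view the minimised data is retained for."""
    counts = {}
    for r in records:
        if r["status"] >= 500:
            counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = minimise_log(RAW_LOG)
    print(failing_requests_by_host(recs))
    close_day("2001-03-05")
    print(records_for_account(recs, "acct-10482", "2001-03-05"))
```

The design choice worth noting is that simply hashing the account name would not achieve the guide's aim: a plain hash is a stable identifier, so a profile could still be built across days and the ISP could re-identify any subscriber at will. Keying the pseudonym with a per-day random key that is then discarded is what makes the retained records unlinkable over time and, after closure, impractical to attribute to a named account.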

=>Offering a secure environment that meets service commitments. An ISP offering services will hold information related to its customers, including personal data. Such information is usually held on computers in the ISP's office. Providing security measures to protect it from unauthorised access or hacker attacks is a responsibility of the ISP under DPP4. To meet this obligation, an ISP should provide a secure location for its computers, establish policies on the confidentiality of customers' e-mails and on not using information seen there, make its personal data policies known to all staff, and remind staff of them from time to time. ISPs with 24-hour staff cover, or which give staff remote server access, have a particular responsibility in this area. ISPs should be privacy-aware and constantly strive to offer privacy-enhancing capabilities to their customers. For example, an ISP whose server software can handle encryption of data will be welcomed by customers who wish to transmit sensitive personal data.

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.