
PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
February 2000 Issue No.2

Focus

Protecting Privacy on the Internet

The rapid development of the Internet and electronic commerce has raised significant privacy issues relating to the collection, use and security of personal data on the Internet. The PCPD has identified the protection of privacy on the Internet as a priority work area, and much effort has been devoted to assisting organizations in complying with the Personal Data (Privacy) Ordinance on the Internet and to raising individuals' awareness of the privacy risks on the Internet and the precautionary measures they can take to protect their privacy.

As part of such efforts, the PCPD completed last December a major compliance check exercise on 270 Hong Kong-based web sites to ensure that they have implemented measures to comply with the requirements of the Ordinance. The web sites in question were found in a survey in late 1998 to have failed to implement compliance measures.

The survey in 1998 was conducted on 531 web sites to assess the extent to which these web sites met the standards of good information handling practices in general, and the requirements of the Ordinance in particular. The survey then found that only 32% and 6% respectively of the web sites which had on-line personal data collection forms displayed a Personal Information Collection Statement ("PICS") stating the purposes for collecting the data, as required by the Ordinance, and a Privacy Policy Statement ("PPS") setting out their privacy policies and practices in general.

In a systematic follow-up to this survey, 270 advisory letters and 121 warning notices were sent last year to those web sites that were found not complying with the Ordinance.

Substantial improvements were made by the web sites as a result of such efforts. In the compliance check exercise concluded last December, while 34 of the 270 web sites checked were found to be no longer in existence or had ceased using any on-line data collection forms, 220 (93%) of the remaining 236 sites having an on-line personal data collection form had already displayed a "PICS" notifying visitors of the purposes for which their personal data were collected. The PCPD undertook formal investigations of the 16 web sites that failed to respond to its warning.

In addition, 25% of the web sites which had personal data collection forms posted a "PPS" to inform visitors about their general privacy policies and practices in relation to personal data.

Below is a reminder, to organizations hosting web sites that have personal data collection forms, of the measures that should be implemented:

  • make available on-line a "PICS" setting out the purposes for which the data collected are to be used, which is a requirement of the Ordinance;
  • make available on-line an easy-to-find "PPS", informing visitors of the organizations' policies and practices in relation to personal data. Although displaying such a statement on the web sites is not, strictly speaking, a statutory requirement, it is a good practice to do so;
  • ensure a secure environment for the collection and transmission of personal data - organizations should apply a "harm test" to the personal data they collect and transmit on the Internet so as to implement the appropriate level of security measures. For example, the collection of credit card/bank account information for service payments would require a more stringent level of security, e.g. encryption. If transfers of sensitive personal data are not encrypted, web sites should alert users to the risks of transmission and offer alternative means to the users in supplying the data;
  • anonymous browsing of a web site is encouraged - analogous to window shopping or gathering of information publicly displayed, allowing anonymous browsing, or giving visitors an informed choice of anonymity, is encouraged.

The PCPD will continue with its work in promoting privacy protection on the Internet. Apart from working with the Consumer Council to seek ways to protect consumer interests on the Internet and in E-Commerce transactions, the PCPD also plans to provide further guidance in this area by updating the three booklets it published on the subject.

Complaint Cases

Data correction request relating to an "expression of opinion"

An ex-employee of a university made a data access request to the university for all documents relating to his re-appointment. Having reviewed the documents, he took the view that certain data relating to his re-appointment were inaccurate. He then made a data correction request to the university to request correction to those data, but the university failed to respond to his request within the prescribed 40 days. He lodged a complaint with the PCPD alleging that the university had contravened section 23(1) of the Ordinance.

Upon investigation by the PCPD, it was ascertained that the personal data in issue were contained in assessments given by different assessors during the re-appointment exercise. The PCPD was satisfied that the data concerned were within the meaning of "expression of opinion" as defined in the Ordinance in that they were assertions of fact which were not practicable to verify.

In refusing to comply with the complainant's data correction request, the university relied on section 24(3)(b) of the Ordinance. Section 24(3)(b) provides, inter alia, that a data user may refuse to comply with section 23(1) in relation to a data correction request if the data user is not satisfied that the personal data to which the request relates are inaccurate. However, the application of section 23(3) in the above context does not release the data user from its obligation to respond to the requestor within the 40-day limit, which is a requirement of section 25(1) of the Ordinance. The data user should, in any circumstances, provide a reply to the requestor stating the refusal and the reasons for the refusal. Section 25(2) also requires a data user to annex a note to the relevant files to which the allegedly inaccurate data relate and to provide a copy of the note to the requestor. This requirement aims to make any person having access to the files aware of the matters concerning the data correction request, in order to minimize any adverse impact on the requestor to whom the data relate.

Direct marketing by telephone

A property owner complained that notwithstanding his repeated objections, staff of an estate agency had been contacting him through his mobile phone number to persuade him to sell his property.

Upon investigation by the PCPD, it was found that the estate agency had implemented a computer system to record messages of its clients who object to receiving further cold-calls. It was ascertained that the complainant had on at least 4 occasions given instructions that he had no intention to sell his property and requested the estate agency to stop calling him for that purpose. However, the staff concerned ignored the recorded message. Other staff members of the same branch were also found to have insufficient training on compliance with the requirements of the Ordinance. An enforcement notice was issued to direct the estate agency to implement specific instructions to its marketing staff on complying with the opt-out requests from its prospects and to implement supervisory checks of the call logs of individual marketing staff to ensure their compliance.

To comply with section 34 of the Ordinance on the use of personal data for direct marketing, an organization should maintain a list of all individuals who do not wish to receive further marketing approaches, i.e. an "opt-out" list. In addition, the organization should also implement clear procedures for staff members to follow on accessing and updating the "opt-out" list and to comply with the opt-out request made by prospective customers.
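As an added illustration, not part of the newsletter or of any PCPD material, the following Python sketch shows the two controls the enforcement notice calls for: a check against the "opt-out" list before a call is placed, and a supervisory review of call logs that flags, per staff member, calls made to a number after that number's recorded objection. The register entries, staff IDs, phone numbers and log lines are constructed sample data.

```python
# Added example (not PCPD code): opt-out check before dialing plus a
# supervisory review of call logs against the opt-out register.
# All numbers, staff IDs and dates below are constructed sample values.
from collections import Counter
from datetime import datetime

# Constructed opt-out register: number -> date/time the prospect objected.
OPT_OUT_REGISTER = {
    "91230000": datetime(1999, 11, 2, 10, 15),
    "98760000": datetime(1999, 12, 20, 16, 40),
}

# Constructed call log, one outbound call per line:
# timestamp|staff ID|number dialled|outcome
CALL_LOG = """\
1999-11-01 09:30|S017|91230000|no-interest
1999-11-05 14:02|S017|91230000|no-interest
1999-12-01 11:20|S023|91230000|no-answer
1999-12-21 10:05|S023|98760000|callback
2000-01-08 15:45|S017|91230000|no-interest
2000-01-09 09:12|S031|95550000|interested
"""


def may_call(number, register, at):
    """Procedure for staff: a number may be dialled only if no opt-out
    is recorded for it, or if the objection was lodged after this moment."""
    objected = register.get(number)
    return objected is None or at <= objected


def parse_call_log(text):
    """Parse the constructed log format into (when, staff, number, outcome)."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, staff, number, outcome = line.split("|")
        calls.append((datetime.strptime(when, "%Y-%m-%d %H:%M"),
                      staff, number, outcome))
    return calls


def find_violations(calls, register):
    """Supervisory check: calls placed after the number's recorded opt-out."""
    return [c for c in calls if not may_call(c[2], register, c[0])]


def violations_by_staff(violations):
    """Per-staff count, the figure a supervisor reviews each period."""
    return Counter(staff for _, staff, _, _ in violations)
```

Calls made before the objection was recorded are not flagged, so the register must be updated promptly for the check to be meaningful.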

Tech Talk

Smart Cards and Privacy

A smart card is a credit-card sized device with an embedded microprocessor ("chip") capable of storing, retrieving and processing information. Examples in Hong Kong include the OCTOPUS card, which stores value and makes payment for common use on different modes of public transport, the SIM card for mobile phones, and multi-purpose personalized cards which serve as a credit card and are at the same time used in other applications such as charging at supermarkets, access to facilities, or storing insurance policy data. With their many advantages, including competitive and cost advantages to the issuer and convenience to consumers, and coupled with the universal push for electronic services, smart cards will be part of our daily lives in the digital age.

While a personalized card's portability and applicability can be an advantage to the individual, they can also make the embedded personal data accessible to many, thus diminishing the protection of the individual's privacy. Transaction trails could lead to unwanted tracking and surveillance, and with stolen cards, fraud associated with identity theft would become more prevalent.

The Information and Privacy Commissioner of Ontario, Canada, has proposed the following privacy protection guidelines for all smart card applications:

  • Smart card systems should be open and transparent to data subjects. They should know their inherent rights when using the card, what information the card contains, how it will be used, and what risks that use implies.
  • Data subjects should have the right to participate in the determination of what personal information the card contains and who has access to it.
  • Data subjects should have the right of access to and correction of information held about them on the card, as well as in any related databases.
  • All uses and disclosures of information on the card should be subject to the prior and informed consent of the data subject.
  • Where possible, individuals should be free to refuse the card without jeopardizing their access to the service involved. Similarly, holding a smart card should not confer benefits (other than perhaps enhanced service) unavailable to those who choose not to utilize a smart card.
  • The full measure of security available through technology should be used to prevent misuse or inadvertent access. This should include the use of PINs, authentication protocols, encryption, and the segregation of multi-use applications to prevent possible merging or matching of various databases. The use of smart cards to conduct computer matches or linkages should be restricted.

The PCPD encourages issuers of smart cards in Hong Kong to follow these guidelines for reasons of compliance with the Personal Data (Privacy) Ordinance as well as good information and business practice.

Common Q & As

Q
We are a staff union. In the past our employer was willing to provide us with name lists containing new recruits, resignees and staff who are on promotion training and maternity leave. However it has refused to do so recently on the ground that such disclosure would contravene the Ordinance. Is this correct?

A
If the disclosure of the data to the staff union is for a purpose that is directly related to the purpose for which the data were to be used by the employer when they were collected, the data may be disclosed to, and used by, the union for that purpose without the prior consent of the individuals concerned. Given the nature of the data concerned, the general purpose for which the employer uses that kind of data appears to be human resources management. In our view, the organization and administration of a staff union is, as a general matter, directly related to human resources management. Hence, in general terms, disclosure of the said data by the company to the union for the administration of the union, without the consent of the individuals concerned, is consistent with the requirements of the Ordinance. However, we consider that it would nevertheless be good practice for the employer to ask its employees on recruitment whether they have any objection to such disclosure, and not to disclose the data of those who do object.

Q
I am a doctor. I intend to sell my practice to another doctor and transfer my patients' records to my successor. Is this in contravention of the Ordinance?

A
If your successor acquires the existing practice or undertaking operated by you, the transfer to, and use by, your successor of patients' personal data for the purpose of providing the same service to the patients would not contravene the requirements of the Ordinance. Nevertheless, patients should be informed on or before the collection of their personal data that such data may be transferred to another doctor in the event of the practice being taken over. It is also advisable to give them prior notice of this when the event actually occurs.

PCPD Activities

Draft Code of Practice on Human Resources Management received good response

A total of 86 submissions from individuals, organizations and professional bodies were received in response to the Consultation Paper on a Draft Code of Practice on Human Resources Management (HRM) published last September by the PCPD for public consultation. The draft Code governs the collection, use, retention, security and other aspects of handling of personal data by HRM practitioners. Most of the comments in the submissions focussed on the retention periods suggested for different types of employment-related personal data and the recommended prohibition on the use of some "blind" advertisements, i.e. advertisements that do not reveal the identity of the advertisers and yet directly solicit the submission of personal data from applicants. The PCPD is now consolidating the comments and aims to issue the final Code within the third quarter of 2000.

PCPD supports the establishment of a self-regulatory press council

The PCPD made a submission to the Law Reform Commission in response to the "Consultation Paper on the Regulation of Media Intrusion", in which it supports the establishment of a multi-party self-regulatory "Press Council" to oversee matters relating to media intrusion. The PCPD believes that to be effective, such a Council will need broad-based support from the media industry. The Council should be comprised of members who represent the interest of what the PCPD has termed "the three rights": the right of the press to freedom of expression, the right of the individual to privacy and the right of the community to the rule of law. The Council should be required to develop a Code of Professional Practice that would operate in conjunction with an effective complaint and redress mechanism. Provisions relating to personal data privacy should be an integral part of this Code. An independent review of the Council's effectiveness should be conducted after a reasonable period of time of its operation.

The PCPD also made a submission in response to the Law Reform Commission's "Consultation Paper on Civil Liability for Invasion of Privacy", in which it supports the recommendation that a code of practice be issued on surveillance in the workplace. The PCPD's two submissions can be found on the PCPD web site at http://www.pcpd.org.hk.

Data Protection Officers' Club established

The PCPD has recently established a Data Protection Officers' Club which is a network of individuals with responsibility for implementing and co-ordinating compliance measures with the Ordinance within their organizations. The Club aims to provide a channel for the PCPD to effectively communicate its views to organizations and to receive feedback from organizations on the implementation of the Ordinance. It also provides a forum for data protection officers to exchange views and share experiences. Meetings of the Club are held once every four months. For those who are interested in joining the club, please call tel. no.: 2877 7171 for more details.

Privacy compliance self-assessment kit to be issued in March

The PCPD will shortly issue a privacy compliance self-assessment kit designed to assist organizations in assessing whether their personal data practices and procedures comply with the requirements of the data protection principles and related provisions of the Ordinance. Comprising checklists, guidance notes and a CD-ROM, the kit provides a means for organizations to perform a systematic and self-monitored privacy compliance check on an on-going basis. The kit is expected to be made available in late March 2000 for purchase by organizations.

PCPD organizes monthly seminars on the Ordinance

To raise organizations' awareness and understanding of the Ordinance, the PCPD organizes introductory seminars on the Ordinance on a monthly basis. The seminars are held in the afternoon on the last Friday of every month at the PCPD office and attendance is free-of-charge. The dates for the next three seminars are 25 February, 31 March and 28 April. Topics covered in the seminars include a general introduction to the Ordinance, the six data protection principles, exemptions, offences and compensation. The PCPD can also arrange for seminars for individual organizations upon request. Interested parties can call tel. no.: 2877 7152 or visit the PCPD web site at http://www.pcpd.org.hk for more details.

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.