PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
November, 2000 Issue No.5
Privacy Must Be Protected with the New Smart ID Card
The new ID Card, proposed by the Hong Kong SAR Government, will serve not only to identify the individual, but also to have value-added applications built into the Card. These applications are intended to enhance the efficiency and delivery of government services as well as to provide community benefits, such as convenience and access. The indications are that the Card will contain substantial amounts of personal data, e.g. personal particulars including biometric attributes which uniquely identify the individual, and other personal data required to support the various applications. The concentration of personal data, some deemed to be sensitive, on a single card raises potential problems of data privacy:
Identity Theft: In the information age, with increasing automation and significantly less face-to-face contact for service application and delivery, identity theft using stolen or misplaced cards would increasingly be a major problem, as evidenced in the US where identity theft is on a steep increase with the advent of the Internet and electronic commerce.
Data Concentration, Sensitivity and Access: The Card with its capabilities to support the various applications can be regarded as quite a comprehensive personal dossier. While portability of the Card can be an advantage to the holder, it also can make the embedded personal data accessible to many, thus diminishing protection of the individuals' data and privacy. Richness in data tends to lead to "function creep", where data would be used for additional purposes beyond those original ones of data collection. The "function creep" in government activities tends to be justified on the basis of public interest, e.g. crime detection, welfare cheats etc. If personal data were to be used subsequently for purposes beyond those original ones of data collection, such possibilities could constitute or be perceived as an invasion of personal data privacy.
It is relevant to point out that, with the Government's announcement of this major initiative, the community has expressed considerable concerns on its potential privacy risks, including some public comments critical of this initiative as a move towards an increasingly surveillance-prone society. Given such concerns, the PCPD is of the view that, the planning, design and implementation of the new ID Card system should have the following considerations:
- Privacy Impact Assessment (PIA) should be conducted as an integral part of the planning and development of this project. PIA is an assessment of any actual or potential effects that the activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.
The design and implementation of the new ID Card system should consider the following privacy and fair information practice principles to afford data protection in a modern society:
Openness: The citizens should know their inherent rights when using the Card, what information the Card contains and how it will be used.
Information Self-Determination: The citizens should be aware of, for each application, what personal data the Card contains and who has access to it.
Informed Choice: As privacy is a very personal matter, therefore, where appropriate, the citizens should be free to choose the applications on offer. In other words, subscription to the applications should be voluntary.
Non-discrimination: The information on the Card, should not limit government services offered to him or be a condition for him to have access to government services; services offered through the Card should respect the universal coverage of government programs. However, it is evident that participation, although voluntary, may provide cardholders specific advantages, e.g. access outside of normal office hours.
Security: Adequate security features including appropriate hardware, software, encryption of data and administrative measures are required to prevent unauthorized or accidental access to and disclosure of data in the Card and personal data in the related application databases, to preserve data confidentiality, integrity and accuracy.
Right of Access and Correction: The citizens should be provided with the means to access, print, and interpret the data on their Cards and their personal data in the application databases, and if relevant, request for correction.
- Given the openness principle, different mechanisms should be considered by the Government to further assure the trust and confidence of the community to subscribe to the applications to be offered with the smart ID Card. As an appropriate measure, it is strongly suggested that based on the privacy and fair information practice principles an administrative code of practice should be developed, to provide specific and clear guidelines to Government departments, for the collection, retention and use including disclosure of data in the Card and the application databases.
Complaint against the disclosure of personal data to a newspaper
The complainant was employed by an educational institute. After a suicide attempt by the complainant, the principal of the institute, in response to enquiries by newspaper reporters, disclosed certain information about the complainant relevant to the background of the case. This information was published in the newspapers. The complainant complained to the PCPD about the disclosure of his personal data.
The PCPD conducted an investigation of the case. It was found that part of the information disclosed by the principal was based on his memory and understanding and not on any written record. Hence, the disclosure of that part of the information did not constitute disclosure of personal data within the meaning of the Personal Data (Privacy) Ordinance ("the Ordinance"). The remaining part of the information disclosed was based on employment records. Accordingly, its disclosure constituted disclosure of personal data of the complainant. Such information was related to a previous suicide attempt of the complainant and his previous work injuries as the result of which the complainant had claimed employees' compensation. The principal claimed, however, that he had released such information to the newspaper reporters to defend the institute against accusations by the complainant's wife that the present suicide attempt by the complainant had been caused by the institute's mishandling of the complainant's compensation claims. The PCPD formed the view that the disclosure of personal data by the institute to newspaper reporters in the case was exempted from the restrictions on the use (including disclosure) of personal data provided for in data protection principle 3 of the Ordinance. The relevant exemption was that provided for in section 61 of the Ordinance in relation to the disclosure of personal data to an organization undertaking news activities. Accordingly, no enforcement notice was served on the institute.
Transfer of seminar participant's personal data
The complainant provided his personal data on an application form in order to participate in a seminar. It has not been stated on the form the purpose for which the data would be used (including transferred and disclosed) and the classes or persons to whom the data would be transferred. After the seminar, the complainant received a telephone call from an insurance agent marketing insurance products to him. The agent admitted that the complainant's personal details were provided by the seminar organizer.
In its reply to the PCPD, the organizer indicated that the insurance company was one of its sponsors for the seminar and the personal details of the participants of the seminar were sent to the company. The organizer advised the PCPD that it was not its intention to disclose the complainant's data to the insurance company and was unaware that the act would constitute a transfer of personal data under the Ordinance. The organizer apologized for its oversight in this case and assured that such incident would not reoccur. In this regard, the PCPD was informed that immediate steps had been taken to review its policy on the collection and use of personal data and would ensure that all staff would abide by the policy. The case was then closed by mediation.
Senior Personal Data Officer - Mr Kenneth Leung
It's just another day on the Internet. You open your email account, only to be flooded by a tide of unexpected junk mails. Companies with names unheard of are addressing you endearingly, trying to sell products you're not even slightly interested in. Sometimes they seem to know everything about you, your address, your job, your friends and even your pet.
Yet for Kenneth Leung, the Senior Personal Data Officer, this is more than just an imagined scenario, but something he has to confront everyday.
"Last year, we had checked 400 websites based in Hong Kong to see if they complied with the requirements of the Personal Data (Privacy) Ordinance. We looked at the kind of information they collected from users and checked if they had provided enough notifications. It was indeed a very complicated investigative process with many steps and finally took up a whole year to complete the lengthy task. In the end, enforcement notice had been issued to company which mishandle customers' information,'' Kenneth says.
Yet it would not be a mission impossible for Kenneth because he is a veteran database specialist and has worked for years in overseas and local computer companies before joining the Office three years ago.
Such rigorous efforts are indeed welcomed. With the number of Internet-related crimes in Hong Kong rapidly increasing in recent years, the future development of the SAR's E-commerce depends much on how consumer rights are protected on-line.
"Nowadays we have a lot of cases involving the Internet," he says. "Later on, we will publish guidance materials to help companies on how to correctly handle personal data in e-commerce."
Internet is just one of the many areas Kenneth and his sub-ordinates have to look at. Any mishandling of personal data, unwanted surveillance or infringement on individual privacy falls within the responsibility of the operations division.
"Proactive investigation is just part of our job. Often, reactive investigation was spawned by notifications from the public or the media."
"Our role is quite different from say, the ICAC or the police. We are more like a mediator rather than a strict enforcer, although under certain circumstances we do have the power to enforce regulations imposed by the Ordinance,'' Kenneth explains.
In most of the cases, companies that break the rule will get a warning letter from the PCPD, advising them to rectify the malpractice within 45 days. About 90 per cent would respond positively to our warning but five per cent of them would still ignore the advice.
"At this stage, we'll kick into full investigation mode. We can demand relevant information from them and they have to reply within our stipulated time frame." he says. "If they fail to co-operate or the contravention is likely to be repeated, we have the power to issue enforcement notice to direct them to take remedial action."
"But what we really want is to educate people, to bring out the message for civilized change,'' he says. However, in the past, under certain circumstances the PCPD filed certain cases to the police for further follow-up actions.
But the story is never simply black and white. Very often Kenneth and his staff find themselves facing the questions of whether the case really involves infringement of personal data privacy.
"In many cases it is not easy to make a reasonable judgment. This very often happens when two parties are involved in some personal disputes. It is next to impossible to ascertain what constitutes the infringement of privacy under those situations since you may never know the true story,'' Kenneth says.
New technology also makes their work increasingly difficult. Kenneth points out that the very nature of the Internet makes it hard to track down offenders, as they often remain anonymous under false identities.
"Another thing about Internet is that the Ordinance generally can only govern activities inside Hong Kong. But many people with relevant computer or legal knowledge can easily exploit this situation, like publishing someone's personal information on a foreign site."
Many Hong Kong people need to have a better grasp of the concept of personal data privacy and the Ordinance, according to Kenneth.
Though it is almost an art in keeping the balance of the interests of all sides under a restrained framework of time, technology and space, yet Kenneth remains upbeat about his job. "We hope that we can bring out the message to the public so that they would realize the importance of personal data privacy. It is a gradual civilized change, which takes time,'' he says.
Surprisingly though, what he finds hardest in his job is not to trace down Internet hackers or mediate estranged couples accusing one another of privacy infringement, but to overcome his own "low-profile" character.
"I was used to dealing with computers, but now I have to come out and meet all kinds of people, from laymen on the street to CEOs of big companies. That presents a big challenge to a low-profile person like me," he says.
Needless to say, you probably understand why the author fails to obtain a photo from this shy privacy cop by now.
Senior Personal Data Officer - Mr Vincent Li
In an office adorned with certificates reminding visitors of his glorious past, Vincent Li, the Senior Personal Data Officer, muses over his reversed role.
The former police senior inspector seems to have expected you to wonder about his career move. "It's strange, right? Police is often accused of invading people's privacy and now I'm trying to protect privacy," he says.
Police is one of the largest data users in Hong Kong, Vincent reckons, having more than 30 types of personal data records, such as criminal records, fingerprints and identity card numbers.
Yet, having 12 years' solid background in criminal investigation proves to be in his current role an invaluable asset for Vincent, who supervises a PCPD operation team responsible for handling complaints.
"I had worked for six years in the Police's Commercial Crime Bureau and Criminal Intelligence Bureau. I've established strong working relations with the public sector like the ICAC, Immigration, Customs, various overseas police forces, as well as the private sector such as banks and credit card companies. Having a good grasp of how these organizations and the police function offers a useful alternative perspective to facilitate my present role," he says.
The mode of investigation at the PCPD, however, differs quite significantly from the police's investigative approach, Vincent says.
"For one thing, we rely heavily on written correspondences in investigations. Whereas the police would directly go to a company and search for evidence on the site, or invite people to go to the police station for a meeting, we seek information and co-operation from individuals by sending them letters," he says.
This approach saves time and efforts, Vincent says. But would it in any way compromise the investigation?
"The majority of our cases don't involve criminal offences. Most organizations would not take the risk to destroy evidence.
"Besides, the Personal Data (Privacy) Ordinance ("the Ordinance") aims more at promoting awareness among data users of potential violation. Legal liability aside, an organization should also realize violating the Ordinance will adversely affect its image as people attach an increasing importance on privacy," he explains.
What presents as a challenge for Vincent though, is having to be very hand-on involved in investigations again after years of being a commander - and of course, to do so without the perceived authoritative status as a police officer.
"I used to instruct my subordinates to carry out investigations, but now I have to call the people, introduce myself and try to seek their co-operation," he says.
"While people rarely challenge the police's authority, they are much more inclined to question our judgment and interpretation of the Ordinance. They would ask questions like, 'How can you say this doesn't infringe my privacy? Why should I take your advice to change my practice? Can I appeal?' " Vincent says.
"But I enjoy my present work; investigation is an art. You learn to improve your temperament. The complainants come from all walks of life. Some people are polite, some rude. Some are educated and polite, some are educated but very rude. If they question our power, I have to explain to them the scope of our jurisdiction and can't
do everything they ask for," he says.
Currently, the PCPD lacks prosecution power over parties who have violated the ordinance and relies on the police to do the work. Hence, Vincent's investigation background and past connections come in handy in handling such cases.
In fact, he brought about the PCPD's first prosecution case against a telecommunication company for breaching the Ordinance's provision on direct marketing approach. The case was taken to court in mid-October. "I happened to know the police officer in charge of the case but the eventual prosecution hinged on how well the groundwork of investigation was done," Vincent says. "Though the prosecution did not result in conviction after trial for a combination of factors, in particular some technicality issues, I am sure that the initiation of criminal prosecution has sent a clear message to the public that the requirements of the Ordinance are not to be taken lightly," he adds.
As people become more aware of the Ordinance and report relevant incidents to the PCPD, he predicts there will be an increase in the number of prosecution cases in the future. The next logical step will be, he says, for the PCPD to be empowered the right to prosecute.
"If we have the power of prosecution, we'd be more in control. Referring our cases to the police should only be an interim measure. It would be difficult for them who oversee so many ordinances to help us in the long-run," he says.
Vincent says he is more than happy to take up extra responsibilities should the change happen. So what does he hope to achieve ultimately at his job?
"A lot of people asked me why I was willing to giving up a stable and well-paid job to join the Office nine months ago," he says. "In this job, I can be directly involved in many respects and put to use what I have learnt in the past. I believe there is plenty of room for the PCPD to expand its scope of work as people's awareness of privacy is raised. This is the place where I think I can truly realize my aspirations."
Join the Data Protection Officers' Club
and keep up to date with key developments in the area of privacy and data protection!
You are invited to join the Data Protection Officers' Club - your gateway to an expansive network of professionals tasked with the responsibility of implementing and co-ordinating measures to protect personal data privacy in Hong Kong.
The PCPD organizes the Club to provide a channel for two-way communications between the PCPD and data protection officers across a broad range of organizations.
Membership of the club will not only assist you in implementing measures to comply with the Ordinance - it will give you access to a constructive forum where data protection officers can exchange views and share experiences.
The Club meets regularly to discuss relevant topical issues, PCPD activities, latest complaint cases, case studies of the compliance experience of major organizations, together with a networking Question and Answer session.
Privacy workshops exclusive for members will also be organized and certificates will be awarded to participants upon completion of the course.
Joining fee for each membership is only HK$300 per year which entitles you to all of the above privileges plus receiving all relevant PCPD publications.
The next meeting of the Club will be held in early 2001 - secure your place now by completing and returning the membership application form.
For any further details please call us on 2877 7171.
Extensive publicity activities on the Code of Practice on HRM
The PCPD has issued and gazetted the Code of Practice on Human Resource Management on 22 September 2000. The PCPD has undertaken different means to promote the Code of Practice on Human Resource Management and raise awareness among members of the public.
The PCPD has placed public notices in local newspapers to publicize the issuance of the Code. A 30-second Announcement of Public Interest (API) has also been produced for broadcasting on local televisions commencing November 2000. Copies of the Code and the "Compliance Guide for Employers and HRM Practitioners" are available from the PCPD or can be downloaded from the PCPD web site (www.pcpd.org.hk).
Three public seminars were held in October and November, in which over 1,100 participants were provided with the opportunity to obtain in-depth information of the Code, its interpretation and application. The Office will continue to promote the Code through training seminars and publicity activities to ensure that privacy of employees' personal data will be protected.
Joint Promotion Activities by the PCPD and the Hong Kong Baptist University Dramatics Club on the Personal Data (Privacy) Ordinance
The PCPD and the Hong Kong Baptist University Dramatics Club have jointly produced a drama show to highlight issues related to privacy of personal data. Through sketches depicting familiar day-to-day routines, the public is sensitized to the importance of privacy of personal data, and how the Personal Data (Privacy) Ordinance ("the Ordinance") provides for the protection of privacy.
Assisted by the PCPD, a lively and humorous script synthesizing the different aspects of the Ordinance has been written by the Hong Kong Baptist University Dramatics Club. The drama show will be staged at various community centres. There will be a Q & A session at the end of each show, and souvenirs will be distributed.
Given that privacy is now a very topical issue in the everyday life of the general public, community and social services organizations which would like to host this drama show for its constituents are welcome to call us at 2877 7171 for details. Advance booking is generally required.
Privacy News Around the World
Digital Signature (UK)
The use of digital signature has become legally admissible in court in the United Kingdom when the E-communications Act came into force in May.
On personal level, the use of digital signature will be widespread in the UK. Later on the year, a software will be introduced in Britain which enables Internet users to create a digital signature and establish a digitally safe identity at one of the Post Office's 18,000 branches across the country. The software will provide privacy and security for e-business transactions and will also be made available for download from the Royal Mail's website.
However, Internet experts have also warned that the use of digital signature may also lead to greater risks of privacy intrusion, such as surveillance and identity theft. Consumers may have fears about the dangers posed by computer hackers and the risks of using credit cards online or sending messages securely. Whether or not taking the risk for greater convenience is certainly your choice.
The Canadian Privacy Survey
The privacy survey conducted in Canada in 1999 revealed a surprising finding that Canadians had great willingness to make privacy tradeoffs in return for tangible benefits. Forty-two per cent of respondents said that they would agree to having their grocery shopping habits monitored, allowing the store to develop a client profile, in return for a 10 per cent discount on their groceries. Slightly more than a third of Internet users (36 per cent) would agree to having their online habits monitored by a reputable company in return for a new computer and free Internet access. (The two questions assume that the people involved in such programs would be fully informed of the personal information being collected and how it is being used, which might not be the case in the real world.)