This quarterly newsletter of the PCPD provides guidance on good data protection practices to organizations.

Subscribe Now!!

PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
May 2001 Issue No.7

The Process of Evolution in Interpretation of the Personal Data (Privacy)

If your work happens to involve the Personal Data (Privacy) Ordinance (the "Ordinance") in some way, or if you have from time to time encountered problems which involve the interpretation of particular provisions of the Ordinance, then you will probably know from experience that such interpretation is by no means an easy matter. Incidentally, this is true even for us at the PCPD, even though for some of us our work involves interpreting the Ordinance every day.

There are many reason why this is so. First, some people may consider that statutes, by virtue of their nature, tend to be difficult to understand. However, the difficulty in interpreting the Personal Data (Privacy) Ordinance has in addition something to do with the unique character of that Ordinance, in that its scope of coverage is exceptionally wide. Basically, the term "personal data" covers practically all recorded information about living individuals, from which the identity of such individuals may be practicably ascertained.

Given such wide scope of coverage, the core requirements of the Ordinance are laid down in the form of data protection principles. Because of the loose wording used in many of those principles, there is considerable flexibility in their interpretation. However, as the body entrusted with the enforcement of the Ordinance, the PCPD must strive to interpret the relevant provisions in a way which is at once legally correct, consistent and reasonable in the particular circumstances of the cases to which they apply. This has not been found easy, especially since the Ordinance came into operation as recently as in 1996, so that there have been relative little judicial precedents deciding on the interpretation of its various provisions.

On the other hand, there have been other circumstances which may have in a way speeded up the PCPD's work in formulating its position on the interpretation of various provisions of the Ordinance. One of these circumstances, is the increasingly high number of complaints of alleged contravention brought to the PCPD. (At the time of writing, there have been over 2,000 complaints brought to the PCPD during its four and a half years of operation.) In handling these, the PCPD has accumulated considerable experience in apply the provisions of the Ordinance to great variety of factual scenarios, which thus formed a solid basis for the development of standard "lines" of interpretation regarding those provisions. In some cases, the relevant views of the PCPD were formulated with the benefit of advice from leading experts in the relevant areas of law.

It is important to note, however, that although in the daily exercise of its functions the PCPD needs to form its own views on the interpretation of particular provisions of the Ordinance, the Ordinance does not make such views legally binding. In particular, where the PCPD's interpretation of a relevant provision is linked to its decision on a particular complaint, there is always the right by an affected party to appeal to the Administrative Appeals Board (the "AAB") against the said decision.

In fact, relative to the number of complaints handled by the PCPD, there have not been many appeals to the AAB. (At the time of writing, the total number is over 30). Although in the majority of those cases, the AAB has upheld the PCPD's decisions, in rare cases the AAB has indeed overruled the PCPD's interpretation of particular provisions of the Ordinance. (One notable example of this was a case in which, contrary to the PCPD's previous view, the AAB held that data protection principle 4 in Schedule 1 of the Ordinance applies only to the storage or transmission of personal data, but not otherwise.) When this happens, the PCPD will usually and subsequently adapt its view accordingly.

Another (theoretically available, but seldom invoked) channel for the PCPD's interpretation on a particular provision of the Ordinance to be challenged is through judicial review proceedings. So far, there has been only one instance of such proceedings being brought against the PCPD. However, the case was brought up to as high as the Court of Appeal, and the decision by that Court turned out to be one having a significant impact on the overall interpretation of the Ordinance.

In particular, in the case of Eastweek Publisher Limited v. Privacy Commissioner for Personal Data, the Court of Appeal decided that it is of the essence of an act of personal data collection that the data user must thereby be compiling information about an identified person or about a person whom the data user intends to or seeks to identify. Insofar as no such express requirement is found in the Ordinance itself, this forms an important gloss on the interpretation of the "collection" of personal data. Subsequent to this case, the PCPD has incorporated the Court of Appeal's ruling in its own interpretation of the relevant provisions.

Now that the PCPD has accumulated over four years' experience in the enforcement of the Ordinance, it is felt that it is timely for PCPD to share with our community, in a systematic manner, its experience and learning over the years. Accordingly, the PCPD plans to publish by the end of 2001 a booklet on the PCPD's interpretation of various key provisions of the Ordinance. This, it is believed, will help to promote the public's understanding of the Ordinance the interpretation of particular provisions.

For the past three years, PCPD's Legal Director, Eric Pun, has dedicated his efforts to enforce such a cause. A former University of Hong Kong graduate who worked with the Legislative Council before joining the PCPD, Pun heads the three-lawyer department that deals with the legal aspects of the Personal Data (Privacy) Ordinance (the "Ordinance"). It is a position that demands good judgement, a clear vision, and perseverance.

"When I joined in 1997, I found the job offered a lot of prospects because the Ordinance was still very new,'' Pun said. "There's a need for making a clear legal definition of the Ordinance."

Pun likens his job to that of an all-round consultant. "Although I belong to the legal department, the scope of work I am involved with is very wide,'' Pun said. From monitoring various developments throughout Hong Kong to reviewing all publication materials and taking legal actions against those who fail to comply with the Ordinance, Pun and his colleagues are kept busy around the clock. "The subject of personal data is very broad. Any leaking of information about someone's identity is a potential infringement on a person's personal data privacy, and because the Ordinance is legally binding, we have to monitor relevant issues very closely and take mandatory action when necessary."

Being under pressure is nothing new to Pun, who assisted the Legislative Council in drafting the Chinese version of the Basic Law before joining the PCPD. He also spent many years practising commercial law and his solid background helped prepare him for his challenging role as Legal Director. Fully bilingual, Pun deals comfortably with proceedings in English and Chinese, a must for an international metropolis like Hong Kong.

His neat office belies the mound of paperwork Pun deals with on a day to day basis. One of Pun's first duties as Legal Director was to define accurately the Personal Data (Privacy) Ordinance. "I had to make sure we set a solid law,'' Pun said. Flipping through the PCPD handbook and reading all the different sub-sections of the Ordinance, it is obvious that Pun had to scrutinize each and every aspect in order to be able to present a clear, concise and explicit explanation of the applications of the Ordinance.

According to Pun, his goal as Legal Director is to help change people's attitude towards the Ordinance through education. This means upholding a legal standard that is consistent and fair and building a good rapport with society. "Communication is the key,'' Pun said. "Since the PCPD was established, we have taken surveys of the public to determine their understanding of the Ordinance. We have found that after several years of public campaigning and education, people have a much better
understanding of our scope of work."

At the moment, the PCPD does not have prosecution powers of its own. But if there have been any rules broken within the scope of the Ordinance, the PCPD can inquire by writing, in which case, the company must give a written undertaking not to commit the offence again. If it is repeated, the PCPD can forward relevant information to the police, who will handle the matter. Although some may scoff at the PCPD's lack of prosecution powers with only the ability to enforce its Ordinance through notices, Pun dismisses this notion and thinks that "people should look at it as a positive rather than a negative".

"You can say that we use a mild form of enforcement," Pun said. "But we will not hesitate to bring a party to prosecution if they repeatedly commit offences." Pun adds that the PCPD has a close working relationship with the police. "Several cases have already gone to court; we
are serious about the actions we take."

Under the auspices of Pun, the PCPD hopes to be able to set legal limits for both companies and the public in order to prevent possible misuse of personal information. Of the numerous professions the PCPD is involved with are human resources, consumer credit reference agenies as well as credit providers. The PCPD is also heavily asscessing the potential use of electronic ID cards to its implication on personal data privacy. "It's very important that we stay in touch with the pulse of society, because new applications of the Ordinance can arise and we must react quickly," Pun said. "If a new sub-section or code is necessary, we will get right on it."

Pun attributes increased media coverage as a catalyst for reform in people's social attitudes, and thus the legal department actively vets all PCPD's press releases and handles some media inquiries. Is Public Relations his cup of tea? "The point is to present the Ordinance in the best light," Pun said. "It is there to protect us, and the better people understand it, the better our lives will be."

Right now, however, Pun still has a lot of work ahead of him. But he takes it all in his stride . "The reason why I took this job was because of the challenge," Pun said.

PCPD's Ambassador

When Rebecca Lee joined the Office of the Privacy Commissioner for Personal Data (PCPD) as a training officer in 1999, she found out that there wasmuch more than meets the eye. In effect, she
was to become the public face of the PCPD.

"I knew I would have to face the public a lot in my job," Rebecca, a bubbly, while articulate person, said. "But there was a bit of pressure because my job deals with an Ordinance that affects many people."

Today, after one and a half years at her job, Rebecca now relishes the challenging nature of being the official trainer at the PCPD. Every week, she is responsible for giving between three to five talks to businesses, such as banking, insurance and human resources management, and the general public, making her a true ambassador for the protection of personal data.

"I enjoy meeting people from all walks of life on a daily basis," she said. "But this job has the added challenge of working with an Ordinance, which is legally binding."

Previously, Rebecca worked as a training officer at a public utilities company. However, working at the PCPD, was still a completely new environment for her. It requires her not only to know the Personal Data (Privacy) Ordinance, inside and out, but to be comfortable speaking to and dealing with the public without confusing them with legal jargon.

"I was not familiar at all with the Personal Data (Privacy) Ordinance," Rebecca said of her first days at work. So, to help prepare herself, she studied tapes of public speeches given by the Commissioner, and worked hand-in-hand with a training manager for her first assignment.
"I was really nervous that first time because the Ordinance is, in effect, the law and, as I was dealing with the public, I had no idea what kind of questions they would ask me," she explained. "I needed to understand the Ordinance and all its various codes well enough in order to help people understand it, too."

According to Rebecca, her first outing to meet the public gave her a powerful insight into some of the misconceptions people have about the Ordinance. One of the most common misconceptions that she encountered was that the Ordinance is all-encompassing and covers all areas of privacy, for example, stalking. This is not true. As she explained, the Ordinance is designed to protect personal data only, such as a person's identity, gender, other personal particulars and financial status.

Her research has also allowed her to tailor her talks to target specific audiences. For example, she sometimes conducts in-house training seminars for human resources staff on how to handle employees' personal data properly and on what protection the public can expect from the Ordinance once an intrusion of personal data privacy has taken place.

One hot topic that is currently on everyone's lips is the way banks use and sometimes unknowingly misuse confidential client information. In one case that Rebecca came across in her research, each of the two members of the same family had separate accounts with the same bank. The clients' data included their home addresses and phone numbers, which were the same. However, one person had an outstanding balance on a credit card but could not be contacted or tracked down. The bank did a search of its client database based on the same home address and phone number and came up with the other family member, who was contacted. According to the Ordinance, this is a misuse of personal data because without the individual's consent, personal data should not be used for the purpose other than originally intended. "Through examples like this, I make bank personnel realize that if they do the same thing then they could be infringing upon an individual's personal data privacy."

"The way I approach my job is to be a good storyteller. After all, this is about the Personal Data (Privacy) Ordinance and not everyone is going to be interested in it. But, if you can make it more lively for them with good examples, more people will want to learn about it," she said.

Few months ago, Rebecca participated in a high-profile week of drama shows jointly organized by the PCPD and performed by members of the Hong Kong Baptist University drama club. "It was a good way of reaching out to people. The performances help to demystify the Ordinance in a more lively way. In fact, the people who attended paid close attention to the show; they were quite interested," she added.

"I like meeting people and being able to talk to them, and it feels good when the audience thank me for helping them better understand the Ordinance; I feel like I'm doing something for society," Rebecca said.

Mr Stephen Lau, Privacy Commissioner for Personal Data (first right), Miss Susan Yeung, Director of Strategic Development, Hong Kong Commercial Broadcasting Co., Ltd and Mr Tony Lam, Deputy Privacy Commissioner for Personal Data at the launching ceremony of the PCPD roadshow at New Town Plaza.

The MC of the variety entertainment TV show, Miss DoDo Cheng and Mr Lam Hiu-fung.

This is the second privacy conference organised by the PCPD, in response to the overwhelming support received at the last seminar, the 21st International Conference in 1999. A full house of 300 attendees listened with great enthusiasm to the speakers and their presentations.

At the conference, the PCPD also launched a Management Handbook entitled "A Policy Approach to Building Trust and Confidence in E-Business", about the policy approach to building customers' trust and confidence in E-commerce. This is the first of a series of handbooks about online business practices that involve personal data collection. The PCPD will subsequently publish handbooks on other aspects of e-commerce in relation to personal data privacy, including privacy impact assessment.

The second day of the Privacy Week saw privacy officials from the Asian region gathering in Hong Kong to exchange views and share experiences in respect of privacy protection. The meeting also presented an opportunity for these privacy representatives from 10 cities to discuss the future trend of privacy protection in different jurisdictions.

Two large-scale consumer roadshows, targeted at the general public, took place at Times Square and New Town Plaza during Privacy Week. Local pop-stars were invited to perform and play games with the audience on the spot, attracting great attendance.

On 30 March, Mr Stephen Lau and the Director for Education Mr Matthew Cheung launched the "Privacy Website Design Competition for Youngsters". This exciting competition was jointly organised by the PCPD and the Education Department. Secondary school students had the chance to win valuable notebook computers, color laserjet printers, CD writers, desktops, cash prizes and trophies by submitting their designs for websites highlighting the importance of personal data privacy among their peers. The computer prizes were generously sponsored by Hewlett Packard Hong Kong Ltd, Automated Systems (Hong Kong) Ltd and System-Pro Computers Ltd.

As the human resource practitioners in town are aware, the Code of Practice on Human Resource Management has come into effect from 1 April. In addressing the issue, the PCPD organized two public seminar, during Privacy Week to provide opportunities for the public to learn more about the new requirements in relation to personal data privacy in every stage of the employment process. Related advertisements were broadcast widely on televisions and radios to generate public awareness.

The closing event of the Privacy Week attracted the greatest number of audience throughout the whole week - a live variety entertainment television show produced by TVB and broadcasted live on the Jade Channel. A total number of 1,208,000 viewers were recorded for this show and the PCPD received a tremendous number of enquiries after the show, which reflected the furtherance of awareness of the public in regards to personal data privacy.

The PCPD is pleased that Privacy Week was well received by the community. We will organise similar event at appropriate time in the future.

The keynote speaker, Mr Mozelle Thompson, US Federal Trade Commissioner and Mr Stephen Lau, interacted with the attendees at the keynote session of the Conference.

Mr Stephen Lau, Privacy Commissioner for Personal Data presented a souvenir to Mrs Carrie Yau, Secretary for Information & Broadcasting at the opening ceremony.

Mr Matthew Cheung, Director for Education and Mr Stephen Lau, launched the Privacy Website Design Competition for Youngsters.