Newsletter 17

 
PCPD News provides guidance on good data protection practices to organizations.


PCPD News (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
November 2006 Issue No.17

A Note from the Commissioner

Roderick Woo,
Privacy Commissioner for Personal Data

23 September 2006

My dearest mother,


I did not realize that you, in a faraway place, would be aware of what is happening here. As you know, I have handled many privacy issues since assuming office a year ago. However, you might wonder why I had not participated in the recent discussions about the privacy of artists. In fact, the current privacy law in Hong Kong mainly regulates the collection and use of personal data. Journalistic activities enjoy considerable exemptions. A decade ago, the Personal Data (Privacy) Ordinance ("the Ordinance") was passed in the Legislative Council to safeguard the privacy of individuals in relation to personal data, and to cope with the development of e-business by allowing free flow of personal data in countries which have implemented data protection law. Based on the data protection principles that are internationally recognized, the Ordinance meets the general standard of the European Union. As information technology and electronic data transmission were in their early stages of development at that time, the Ordinance put emphasis on the "persuasive" aspect instead of imposing heavy penalty on those who contravened the Ordinance, so as not to affect the development of business. Today, the social condition is different. Leakage of personal data may lead to serious problems of identity theft. It is therefore natural that more and more people begin to voice different opinions. Some think that the penalties provided by the Ordinance are too mild; some even believe that contravention of the Ordinance should be considered a criminal offence. Nevertheless, no consensus is reached in the meantime. I agree that there is still room for improvement in the Ordinance. In this connection, I have submitted a proposal to the Home Affairs Bureau and hope that it will be discussed in the Legislative Council as soon as possible.

In the past few months, several incidents about leakage of personal data happened one after another, evoking great responses in society. Why did they happen? To my mind, as personal data can be transmitted in large quantities on the Internet in a flash, slight carelessness will easily bring about serious privacy problems. For example, in the IPCC Incident, personal data of 20,000 people were disclosed in an instant. To investigate the case, my colleagues and I spent a lot of time interviewing the parties concerned. At the conclusion of our investigation, a detailed report was written and will be published in accordance with the provisions of the Ordinance.

My concern is that similar incidents should not happen again. To attain this end, I have worked with IT professionals to formulate a set of guidelines for IT practitioners to follow. Seminars aimed at improving the handling of personal data are being organized.

Furthermore, I have handled two cases relating to fingerprint identification technology. One of them involved a primary school, which required its students to record their attendance and purchase of snacks by a fingerprint sensor, while the other related to an office employing a fingerprint sensor to enhance the security of valuable items. Though fingerprint sensors were used in both cases, my decisions were different. Many people think that a person's fingerprint will only be taken when he has committed an offence. After all, fingerprints are highly sensitive personal data. Unless there are good reasons, e.g. to safeguard valuable belongings, fingerprints should not be rashly collected.

Some organizations neglect the importance of safeguarding personal data. They refuse to face the issue squarely using excuses such as "we have no resources" or "we shall deal with this later". Apart from carrying out investigations on receipt of complaints, I am duly bound to promote and educate the public on personal data privacy issues. Recently, in a promotion campaign for the hotel industry, message about the protection of customers' personal data privacy was conveyed to over 20,000 hotel practitioners. I am very glad that the majority of the large hotels have participated in the event.

In this age of advanced technology, it is not easy to safeguard personal data privacy. In an ideal world, there is no misuse or leakage of personal data. How can that be achieved? One of the ways is to intensify our compliance checks. Every day, my colleagues take note of all news concerning suspected contravention of the Ordinance. We will discuss whether or not to make enquiries or carry out investigation on our own initiative. Quite apart from that, I am planning to establish a register of data users under the Ordinance in order to monitor the situation of collection or use of data by organizations. Today, with the flow of large quantities of personal data, I believe it is time to implement this system to help safeguard our citizens' personal data more effectively.

Internationally, privacy protection as a topic of human rights has become increasingly important in developed countries. In November, I am going to host the 26th Asia Pacific Privacy Authorities Forum. Privacy Commissioners from different states of Australia and New Zealand, as well as representatives of South Korea, will attend the Forum. Representatives of Thailand, Macau and Canada are also invited. I shall be very busy by then. However, I really enjoy the work I am doing and do not consider it stressful. As a matter of fact, I constantly maintain a sense of gratitude.

Your son

 

Personal Profile
 

Deputy Privacy Commissioner for Personal Data, Mrs. Bonnie Smith


When meeting Mrs. Bonnie Smith for the first time, one can immediately sense that she is quick to the point. Articulate, precise and frank, Mrs. Smith, who recently became the Deputy Privacy Commissioner for Personal Data after a long and distinguished career with the Hong Kong Police, is a woman of principle. "When I was in the Police, our mission was to serve the public. Although we have wide powers, it's the way we exercise our power that counts. To be fair and impartial is very important," she says.

Having risen from the rank of Inspector to Assistant Commissioner, Mrs. Smith achieved the highest rank among female officers in the force. She was recently honoured by the SAR government with a Distinguished Service Medal for Disciplined Services to acknowledge her outstanding performance in her 33-year career. Mrs. Smith's formula for success is more than just hard work and perseverance. "As one ascends the management ladder, one must learn to change tag and adopt a different management style at different levels. Apart from relying on hard facts and statistics, one must learn to develop and trust one's intuition," she says. "I don't believe in micro management; I believe in creating a path for the people I work with and let them run their own course."

It's the ability to change tag that made her decide to work for the Office of the Privacy Commissioner for Personal Data (the "PCPD"). It shares the common mission of serving the public. Therefore, when she retired from the police earlier this year, it was quite a natural decision for her to apply for a position here in the PCPD.

Having joined the PCPD for a few months, Mrs. Smith is impressed by the dedication of her colleagues. "I am motivated by my colleagues' noble ambition and their commitment despite adverse situations and sometimes difficult clients."

Mrs. Bonnie Smith (centre), Mr. Roderick Woo, the Privacy Commissioner (right 3) and staff of the PCPD in a staff party.

The efficiency in the PCPD is also noteworthy. "In the 10 years since its establishment, the PCPD has made marked progress in successfully raising community awareness on personal data privacy protection as well as the provisions of the Personal Data (Privacy) Ordinance (the "Ordinance"). I've learned that the number of complaints has been on a gradual rise, but the number of enquiry calls has dropped. I can only surmise that the public value their personal data privacy and are getting more and more aware of their rights. In the meantime, they are getting more familiar with the provisions of the law; hence, the drop in the number of enquiries."

"Personal data is a relatively new subject and the enforcement of the Ordinance is very complicated because different circumstances of the cases may give rise to different conclusions. In many cases, we have to find an equilibrium and strike a balance between privacy rights and public interests," she says.

In the short term, Mrs. Smith would continue to work on sustaining a harmonious working environment in the PCPD. "I would like to quote a Chinese slogan of making sure that the staff joyfully come to work and safely return home."

The Chief Executive, Mr. Donald Tsang awarded Distinguished Service Medal for Disciplined Services to Mrs. Bonnie Smith.

In the intermediate term, she would like to see the PCPD take a more proactive approach. "Right now we react to complaints but I'd like to approach organizations in Hong Kong and to work more closely with them in complying with the provisions of the Ordinance before any contravention occurs," Mrs. Smith says. One of her current projects is the setting up of an internal knowledge management database. Under various categories, she is working closely with department heads and staff in creating an internal system that will enable the editing, compiling and retention of case information. "It's like setting a template for archiving data, so that next time, our search for information becomes easier and we can achieve more consistency," Mrs. Smith says.

By international standards, the provisions and enforcement of the Ordinance in Hong Kong are on par with other first world nations, according to Mrs. Smith. In the long term, she would like to join the rest of the privacy community in fostering privacy rights. "Our work in this area stands firm against the risk of being marginalized."

On a personal basis, Mrs. Smith says she tries hard to maintain her exercise regime of swimming and qi gong. "I think from my police background I've developed a love for exercising," she says. She's also an avid traveller, but admits that family obligations have taken a lot of her time.

In the meantime, she is settling well into the new career challenge. "I always try to apply one yardstick and to walk the talk."

 
Complaint Case
 

Successful Conviction Case

On 15 September 2006, a telecommunications company ("the Company") was convicted of breaching section 34 of the Personal Data (Privacy) Ordinance (the Ordinance) and was fined $4,000 in the Kowloon City Magistrates' Court.

In October 2005, the complainant received a telephone call from the Company promoting its IDD service. He made an "opt-out" request explicitly over the phone, i.e. asked the Company not to contact him in the future for direct marketing purposes. The Company agreed to process the complainant's request by putting his name on the "opt-out" list. In December 2005, the complainant received another call from the Company promoting its broadband service. The complainant therefore lodged a complaint with the PCPD. After investigation, the Company was charged with an offence under section 34 of the Ordinance, which requires data users to cease further contact with the individual if the individual chooses to opt-out. Contravention of section 34 of the Ordinance is an offence under section 64(10) of the Ordinance.

As there are growing concerns among the public about the use of personal data in direct marketing which disrupts people's daily lives, the PCPD hopes the conviction in this case will serve to warn organizations against malpractice in handling personal data when carrying out direct marketing activities.

The last conviction of a similar offence was against a financial institution in December 2005.

 
News from the Commissioner's Office
 

Hotel Privacy Campaign

The Office of the Privacy Commissioner for Personal Data (PCPD) has jointly held a campaign, "Pursuing Excellence - Protecting Personal Data", with the Hong Kong Hotels Association, aiming to raise hotel practitioners' awareness of the protection of customers' and employees' personal data privacy in their everyday work.

The inauguration ceremony was officiated by the Privacy Commissioner for Personal Data, Mr. Roderick Woo, Executive Director of the Hong Kong Hotels Association, Mr. James Lu, and famous artist, Miss Sheren Tang, on 27 June 2006. Management personnel from various hotels also attended the ceremony.

From July to October 2006, staff of the PCPD carry out promotional activities in individual hotels, including seminars, display panels, games and on-the-spot explanation of personal data privacy issues to hotel staff. In order to cater for the training needs of the hotel industry, i.e. to cope with their irregular working hours and diversified work nature, the PCPD has specially developed an on-line self-training module (www.privacyelearning.org) for them to learn the requirements of the Personal Data (Privacy) Ordinance (the Ordinance) at their convenience and at their own pace. Moreover, hotel personnel may take part in a writing competition to express their feelings about and experiences of the protection of personal data.

The campaign has received overwhelming support from the hotel industry. With participation of 44 hotels in the campaign, about 20,000 hotel practitioners have learnt about compliance with the Ordinance.


The Privacy Commissioner for Personal Data, Mr. Roderick Woo (middle), the Executive Director of the Hong Kong Hotels Association, Mr. James Lu (right), and famous artist, Miss Sheren Tang officiated at the inauguration ceremony of the "Hotel Privacy Campaign".


Mr. Roderick Woo made a welcome speech at the inauguration ceremony of the "Hotel Privacy Campaign".

 

Privacy Commissioner releases the IPCC investigation report

The Privacy Commissioner for Personal Data, Mr. Roderick Woo (middle) held a press conference with Chief Legal Counsel of PCPD, Miss Brenda Kwok (left) and Chief Personal Data Officer of PCPD, Mr. K.T. Chan (right) on 16 October 2006 to announce a report on the result of an investigation of the leakage on the Internet of personal data relating to complaints made against the Police by the public.
On the same day, Mr. Roderick Woo, Dr. K.P. Chow, Committee Member, IT Division, Hong Kong Institute of Engineers (the first on the right), Ms Susanna Chiu, Immediate Past President, Information Systems Audit and Control Association (Hong Kong Chapter) (the first on the left), and Dr. Elizabeth Quat, President & Co-founder, Internet Professional Association (the second on the left) officiated at the inauguration ceremony of the "Information Security Enhancement Campaign".

On 26 October 2006, the Privacy Commissioner for Personal Data (the Commissioner) Mr. Roderick B. Woo published a report (the Report) on the result of an investigation of the leakage on the Internet of personal data relating to complaints made against the Police by the public.

The incident was first reported in a local newspaper on 10 March 2006. Personal data held by the Independent Police Complaints Council (IPCC) on about 20,000 people who had made complaints to the Police were posted on the Internet and became accessible to the public. The Commissioner immediately carried out a self-initiated investigation on 15 March 2006.

In the Report, the Commissioner found that the IPCC had contravened the requirements of Data Protection Principle (DPP) 4 of Schedule 1 to the Personal Data (Privacy) Ordinance (the Ordinance). DPP4 provides that a data user shall take all reasonably practicable steps to ensure that personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use. It requires a data user to implement security safeguards and precautions in relation to the personal data in its possession, the level of which should reflect the sensitivity of the data and the seriousness of the potential harm that may result from a security breach.

The basis of the Commissioner's findings was that the IPCC had failed to take: (i) any steps to prevent the data from being released to the outsourced IT contractor without due consideration of the necessity of doing so; (ii) any precautionary measures to safeguard the data that had been released to the outsourced contractor; and (iii) any practicable steps to ensure the integrity, prudence and competence of persons having access to the data, resulting in the leakage of the data on the Internet.

In the exercise of his power under section 50 of the Ordinance, the Commissioner issued an Enforcement Notice to the IPCC on 18 September 2006 directing it to do the following by 16 October 2006:

1. Devise the necessary policy and practical guidelines for the proper handling and protection of the complaint data when dealing with an outsourced contractor or agent;
2. Implement effective measures to ensure compliance by its staff with those policy and guidelines; and
3. Review the existing outsourcing contracts and endeavor to incorporate into those contracts terms in respect of measures required to be taken by the contractors to protect the complaint data handed to them by the IPCC.

On 16 October 2006, the IPCC has complied fully with the Enforcement Notice.

Learning from this unfortunate incident, data users should be highly alert in handling sensitive personal data or large quantities of personal data, particularly if they are in electronic form. In the event that they are asked to release a database containing personal data to an outsourced contractor or agent, precautionary measures should be taken to prevent data leakage.

In an effort to prevent recurrence of similar incidents, the Commissioner has launched an informational campaign titled "Information Security Enhancement Campaign" jointly with three major IT professional bodies, namely Information Systems Audit and Control Association (Hong Kong Chapter), Internet Professional Association and Hong Kong Institute of Engineers, to raise the awareness of personal data privacy protection among IT professionals. As part of the Campaign, an information booklet, titled "Recommended Procedures for IT Practitioners on Personal Data Handling", is published providing guidance for IT professionals across all sectors.

Copies of the Investigation Report and the Booklet are available from the PCPD at 12/F., 248 Queen's Road East, Wan Chai, Hong Kong. They are also available for download from the website of the PCPD (http://www.pcpd.org.hk).

"Introduction to the Personal Data (Privacy) Ordinance" Seminar

In order to raise the public's awareness and understanding of the Personal Data (Privacy) Ordinance, the PCPD will organize free seminars on the following dates:

12 January 2007 (Friday)
9 February 2007 (Friday)
9 March 2007 (Friday)
13 April 2007 (Friday)
11 May 2007 (Friday)
8 June 2007 (Friday)
13 July 2007 (Friday)
10 August 2007 (Friday)
7 September 2007 (Friday)
12 October 2007 (Friday)
9 November 2007 (Friday)
7 November 2007 (Friday)

Please visit our website (www.pcpd.org.hk) for further information, or contact 2877 7159 (Mr. Cheung) or 2877 7152 (Ms Chan) to reserve a seat.

 

New Book: "Data Protection Principles in the Personal Data (Privacy) Ordinance - from the Privacy Commissioner's perspective"

The PCPD has recently released a book titled "Data Protection Principles in the Personal Data (Privacy) Ordinance - from the Privacy Commissioner's perspective".

For nearly a decade, personal data privacy right has been statutorily recognized and protected as an independent right of individuals under the Personal Data (Privacy) Ordinance ("the Ordinance"). This book explains, in a systematic and in-depth manner, the ways in which the major provisions of the Ordinance have been generally applied by the Privacy Commissioner for Personal Data.

The book, being the first of its kind published by this Office, contains topics that are selected primarily on the basis of their practical importance to data users in handling personal data and to data subjects in understanding their rights. Where appropriate, references were made to the relevant case laws, Administrative Appeals Board's decisions and views taken by the Privacy Commissioner in the handling of complaints and enquiry cases in discharge of his regulatory functions and powers.

Given the implication that the Ordinance will have on public and private sectors alike, this book will be of special value to data users, legal practitioners, and individuals who are interested to acquire a better understanding of the Ordinance, especially from the compliance point of view.

The book is available in English only at this moment. Interested parties should fill in the Order Form and return it with the appropriate payment to the PCPD.


 
 

e-Inclusion Campaign 2006

The PCPD official website (www.pcpd.org.hk) has won the gold prize of e-Inclusion Campaign 2006, organized by the Internet Professional Association. The objective of the campaign is to bridge the digital divide in society so that everyone will have equal opportunities in sharing the benefits brought about by advanced information technology.

 
Privacy Officer's Journal
A self-portrait of "Ah Lo"

My parents are very strict. My mother has been highly interfering in my brother's and my private affairs. Apart from "excessive" concerns in our academic achievements and social lives, acts of "unfair collection", such as intentional and unintentional telephone conversation monitoring, searches of my elder brother's room for his girlfriend's love letters and inspection of the rubbish bin for my monthly bank statements, are usually found at home. I even doubt that my credit records held by my mother are more comprehensive than those held by credit reference agencies! (Fortunately, a powerful shredder has been installed recently.)

No more about my mother. Let me talk about the challenges in my new job. As I am a person without much patience and do not like to talk too much, it is strange to my friends and relatives that I have been a teacher for eight years. Now, in the PCPD, in addition to complaint handling, my patience in hotline answering worries my family members most. Luckily, nothing has gone wrong so far. In fact, listening to others' stories, speaking comfort to them, and offering some explanations and guidance are just the regular "OT" work I used to do at night when I was a teacher. The patience in listening to hotline enquiries, the ability of empathizing with others, and the skill needed to explain the Ordinance are exactly what I have benefited from teaching. Though the two jobs seem to be totally unrelated, the skills needed are somehow similar.

Apart from changes in my job, there are also some interesting changes in my private life. For example, my old student who had only called me for computing solutions asked me earlier whether it was reasonable if a principal requested her to provide her medical records during application for admission. In a gathering of my old students, the one who works in the personnel field asked me a series of job-related questions. It so happened that I, for the sake of fun, brought a copy of the "Code of Practice on Human Resource Management" as souvenir on that day. My old classmates in the field of property management and my ex-colleagues working in hotels have also asked me different kinds of questions relating to the Privacy Ordinance. Even the photo website that I often visit has asked me how to write the "Personal Information Collection Statement". I finally realize that the work in the PCPD is the same as teaching, i.e., we help people unwittingly and change the society gradually.

Let me go back to my "detective" mother. Since joining the PCPD, we have chit-chatted more about privacy protection. To my surprise, my mother has recently learnt to restrain herself from being too curious. It appears that imperceptible influence is more effective than shouting slogans in encouraging people to face the issue of respect for privacy squarely. I believe that "privacy protection" is quite similar to "environmental protection". Both require the nurture of protection awareness before mass participation can result. As small achievement in the cultivation of "environmental protection awareness" can only be attained after more than a decade's hard work, we may not be able to change the views of our elders on privacy protection all at once. However, through promotion and education, not only can we change the mind of the current generation, but also nurture a younger generation with "privacy protection awareness".

Lastly, I would like to mention one more thing. Since I did not have an English name, I was labeled "Ah Lo" without a choice when I first joined the PCPD. Actually, you may call me "Lo Fan" if you like. In future, if you find my service satisfactory, you may simply say, "Thank you, Lo Fan!"

(Author: Mr. D.F. Lo, Assistant Personal Data Officer.)

 
DPOC News
 

Experience Sharing Meeting

The Data Protection Officers' Club has been striving to arrange different activities for its members to share their views on data protection. Learning that Sony Corporation of Hong Kong Limited has been remarkably successful in promoting the protection of personal data privacy to its staff, the PCPD invited it to attend the first experience sharing meeting of the Club.

In the meeting held at the headquarters of the corporation on 26 May 2006, Ms Candy Wong, Senior Manager of Sony's Legal Division, told members how effective and interesting methods were used to promote the awareness of personal data protection amongst employees. A short video on the protection of customers' data, written, directed and played by the staff of Sony, was also shown in the meeting. Members agreed that they had gained valuable experience in this brand-new sharing session.

 
 
 

Statistics on Complaints & Enquiries
