PCPD News provides guidance on good data protection practices to organizations.

Privacy Awareness Week 2008

Privacy Awareness Week (PAW) is an annual promotion to raise awareness of the importance of protecting privacy by the PCPD and members of the Asia Pacific Privacy Authorities (APPA) group. In 2008, PAW was held from 24 – 30 August 2008 with the theme "Privacy is your Business". APPA members that participated in PAW 2008 were Australia (including New South Wales, Victoria and the Northern Territory), Canada (including British Columbia), New Zealand and Hong Kong.

Video Competition

An APPA-wide promotion, an international competition for secondary school students was conducted as part of the PAW 2008. The competition called for students to create a two-minute video about any aspect of privacy, such as their opinion of its relevance in today's society, how it does or does not affect them in their daily live, or the influence that the internet has had on privacy. Individual APPA member ran the competition and awarded the winners at local level. Winning entries were then put together and judged by all APPA Commissioners for APPA-wide prizes.

In order to attract more participants, the PCPD invited the Hong Kong Federation of Youth Groups and the Macao Personal Data Office to jointly organize the competition at local level.

The promotion also offered a seminar on protection of personal data, a visit to the Infinito Education Studio, and two workshops on creative thinking and multimedia production for young people's participation.

Snapshots taken at the various activities of the Video Competition.

Installation of fingerprint reader system by employer to record staff attendance

A staff member of an organization lodged a complaint with the PCPD complaining that his employer had installed a fingerprint reader system and required its staff to scan their fingerprints to record their attendance. Believing that his employer had intruded staff's privacy, the staff member complained to the PCPD.

The organization admitted that, instead of requiring its staff to clock in and clock out, it collected their fingerprint data to record staff attendance.

According to the Data Protection Principle of the Personal Data (Privacy) Ordinance ("the Ordinance") in relation to collection of personal data, a data user may only collect adequate but not excessive personal data by means which are fair in the circumstances of the case for a lawful purpose directly related to a function or activity of the data user.

After explanation of the relevant requirements of the Ordinance by the PCPD, the organization decided to provide its staff with less privacy intrusive alternatives in addition to the fingerprint reader system, including the provision of "auto-trigger camera and preset PIN" function. Following the suggestions of the guidance note "Personal Data Privacy: Guidance on Collection of Fingerprint Data" issued by the PCPD, the organization also issued circulars and formulated privacy policy to inform its staff of the purpose for fingerprint collection, measures to protect fingerprint data, the use of their fingerprints and how long the data would be kept.

A data user convicted for failing to comply with Enforcement Notice

A data user who was found guilty of failing to comply with an Enforcemen Notice ("EN") served on him by the Privacy Commissioner under section 50(1) of the Personal Data (Privacy) Ordinance was fined $5,000 by a magistrate sitting at Tuen Mun Magistracy on 17 December 2008.

The case arose from a complaint lodged with the Privacy Commissioner by Mr. X (who was formerly the supervisor of the data user) that the data user had secretly tape recorded their conversation during a lunch meeting and subsequently uploaded the recording which contained the personal data of Mr. X on a number of websites and online forums.

Data Protection Principle 3 ("DPP3") of the Personal Data (Privacy) Ordinance stipulates that unless with the prescribed consent of the data subject, personal data shall only be used for the original purpose of use at the time of collection or its directly related purpose. In this case, the Privacy Commissioner was of the view that the disclosure of Mr. X's personal data on the Internet by the data user for public access without the prior consent of Mr. X was contrary to DPP3. Accordingly, an EN was served on the data user directing him to remove the recording from the websites and online forums.

The data user did not comply with the EN but lodged an appeal with the Administrative Appeals Board ("AAB") against the Commissioner's decision. In April 2007, AAB dismissed the data user's appeal. Following that, the Privacy Commissioner required the data user to comply with the EN. Still, the data user failed to do so.

The case was then referred to the police for prosecution under section 64(7) of the Ordinance.

A laundry shop collected the identity card number of an individual who failed to produce a receipt in collecting the laundry

A woman wanted to collect from a laundry shop the laundry of her family member but had not brought along the receipt. The shop staff requested her identity card information but the woman suggested the family member's surname and telephone number instead, which was rejected. The woman then complained to the Privacy Commissioner.

According to Data Protection Principle 1(1) of the Personal Data (Privacy) Ordinance ("the Ordinance"), in relation to collection of personal data, a data user may only collect adequate but not excessive personal data for a lawful purpose directly related to a function or activity of the data user. The Code of Practice on the Identity Card Number and other Personal Identifiers ("the Code") restricts the collection of identity card number to the situation provided for in paragraph 2.3 thereof.

After investigating, the Privacy Commissioner concluded that, although the laundry shop claimed that they collected identity card numbers in accordance with paragraph 2.3.3.3 of the Code, i.e. to safeguard against its damage or loss which was more than trivial in the circumstances, it in fact collected the numbers for providing to the police in case of fake claim. The shop could not back its claim that the collection of identity card numbers could safeguard against its damage or loss. It also admitted that there had not been any false claims of laundry since its opening over a decade ago. Therefore, the laundry shop had never sought assistance from the police in respect of any false claim of laundry, nor had the police instructed it to supply identity card numbers to them for investigation. The laundry shop could not collect customers' identity card numbers on the grounds that there might be false claims of laundry or that the police might request it to supply identity card numbers.

The Privacy Commissioner considers that the case mainly concerns whether the laundry shop's collection of identity card numbers for the purpose of ascertaining the identity of a customer when picking up laundry without a receipt is necessary and not excessive. The shop staff recognized the woman as a regular customer. To confirm if she was acting for the family member, the Privacy Commissioner believes that an effective way is to request the woman to give the name and/or telephone number of the customer on the record and details of the laundry, e.g. date, type, pattern, quantity, color, etc. for verification. If there are still any doubts, the shop can directly contact the customer for clarification or request the customer to pick up the laundry in person.

The Privacy Commissioner was of the view that the laundry shop had contravened paragraph 2.3 of the Code and Data Protection Principle 1(1) of the Ordinance, i.e. unnecessary and excessive collection of the woman's identity card number, and ser ved an enforcement notice directing it to stop collecting the ident i ty card numbers of individuals who tried to collect the laundry without a receipt, and to destroy the records of identity card numbers so collected previously

Inspection of the Hospital Authority's data system

In the past year, the PCPD handled a large number of personal data loss incidents that involved various organizations from both the public and private sectors. The most significant case was about a series of incidents concerning loss of over 15,000 patients' personal data by several public hospitals and a clinic under the management of Hospital Authority (HA). The incidents revealed inadequacies of the personal data system operated by HA, in particular patients' personal data in electronic form. The Commissioner found it in the public interest to exercise his inspection power to inspect HA's patients' personal data system in prevent ing occurrence of similar incidents in the future. It was the first time the Commissioner exercised his inspection power.

Apart from deploying the regular staff of the PCPD, the Commissioner invited four experts to help him as consultants. They came from privacy, legal, medical and information technology fields. After the inspection, the Commissioner published a report on 22 July 2008 making 37 recommendations to HA. They should help improve HA's patients' personal data system. The PCPD will join hands with HA to mount a privacy awareness campaign in the near future involving all public hospitals.

WebCare Award

The PCPD was awarded the "Web Care Award - silver prize 2007-08" in recognition of its corporate social responsibility in maintaining the PCPD website (www.pcpd.org.hk). The award was established by the Internet Professional Association to support a barrier-free Internet environment by providing the visually impaired equal opportunities in using the internet.

Number of Complaint Cases：427

（1 Jul-31 Dec 2008)

Number of Enquiry Cases：7,031

（1 Jul-31 Dec 2008)

"Personal Data Privacy Campaign for Estate Agency Trade"

Corporate Communications Officer (Education)
Office of the Privacy Commissioner for Personal Data

Estate agency practitioners are often involved in the collection and use of customers' personal data in daily work. Protection of personal data privacy is a vital part of their job.

Over the past three years, the number of complaints to the PCPD about estate agents accounted for less than 3% of the total figure. This reflected relatively few violations of the Personal Data (Privacy) Ordinance ("the Ordinance") in the industry. As estate agents liaise between buyers and sellers, or landlords and tenants, and need to handle customers' personal data properly, mutual trust can be built up, which helps business in the long run.

In August 2008, the PCPD jointly organized the "Personal Data Privacy Campaign for Estate Agency Trade" with the Estate Agents Authority ("EAA") to promote the protection of personal data in the industry. Since then, over 20 seminars have been organized for the EAA and various estate agencies with more than 1,000 agents attending.

Many questions were raised in the seminars about personal data privacy in their work. One participant recalled that, for a tenancy agreement, the landlord had insisted on a photocopy of the tenant's tax statement as financial proof. The tenant argued that this was absolutely unnecessary and, as neither party compromised, the deal fell apart.

Generally speaking, a landlord may collect from a tenant with details about his occupation but the landlord should not seek the tenant's tax demand as this is excessive collection of personal data. If the estate agent had been aware of the requirements of the Ordinance, a deal may have been struck smoothly.

I would like to express my gratitude to the EAA, which offered invaluable support and advice in the planning of the campaign. The PCPD and the EAA will publish a booklet on practical guidelines for the protection of customers' personal data for estate agents.

To enable DPOC members to grasp the requirements of the Ordinance in relation to human resource management and data access request, the PCPD organized eight sessions of workshops on "Code of Practice on Human Resource Management" and "How to handle Data Access Request" in November and December 2008. The workshops were well attended by over 200 members.

Education and Careers Expo 2009

To convey the message on the protection of personal data privacy to youngsters and job seekers, the PCPD participated in the "Education & Careers Expo 2009"which was organized by the Trade Development Council held from 19 to 22 February. For instance, job seeker should not rashly provide his personal data to an unidentified organization, such as"blind advertisement"advertiser.

Promotional leaflets were distributed and enquiries related to personal data privacy had also been answered. The staff of the PCPD also delivered a talk on "Protect job seekers' personal data privacy" during the Expo.

A message from a DPOC member

Privacy is what we all treasure and it is also one of our human rights. Commissioner ensures data users to protect it with all of their might. Personal data leakage affects all and is not just something out of sight. Data protection principles must be applied so that we all can sleep tight!

Peter K F CHEUNG Deputy Director of Intellectual Property

"Protect your personal data while engaging in IT-related activities"

Nowadays, most young people like communicating online via blogs or social networking websites for its speed and convenience, which poses privacy risk when they unknowingly expose their personal information to strangers in the cyber world. To remind young people of the importance of personal data privacy, the PCPD published a booklet titled "Protect your personal data while engaging in IT-related activities" about computer viruses and privacy, security of USB flash drives, file-sharing software, and the safe use of Wi-Fi.

PCPD 2007-2008 Annual Report The PCPD has published its Annual Report for April 2007 to March 2008. The theme of the Annual Report is "Global Privacy Protection" in recognition of how personal data flows freely across national and territorial boundaries. It brings out the message that only through international efforts can personal data protection be better available to people in Hong Kong. The report includes a general review of related developments during the period, and many case notes of complaint cases, enquiry cases and AAB cases.

Food companies collecting kids' personal data

A study conducted by the University of Wollongong in Australia found that young people are frequently offered online rewards to supply their friends' details to food companies, or to pass marketing messages to other people.

In Australia, some junk food companies obtain children's phone numbers, dates of birth, and even home addresses through their youth-friendly websites. Some companies go a step further, asking children and teenagers to explain their personal spending habits and interests.

Study author Professor Sandra Jones, of the University of Wollongong, said few parents knew what their children were signing up for. "I don't think a lot of parents realize that it's a lot of information to be collecting from a child. It's a real privacy concern, because if parents thought people were walking up to kids in the street asking for names and addresses they'd object. They might not know that is what's happening to their kids on these websites." Professor Jones said.

Survey about Security Concern on Personal Information

According to a survey released by the Unisys in December 2008, Hong Kong ranked second only to Brazil when it came to the overall level of security concern, followed by Germany, Malaysia, and another 9 other nations/locations in the world.

Hong Kong index stood at 178 out of 300, 11 points lower than the last survey in May 2008, but the level of concern on key security questions was still extremely high in comparison with other countries.

In December 2008, the top three areas of concern for Hong Kong residents were:

1. Unauthorized access to or misuse of personal information (82%)
2. Other people obtaining credit card / debit card details (78%)
3. Other people obtaining credit card / debit card details (78%)

The Unisys Security Index provides a regular, statistically robust measure of concerns about four areas of security - National, Financial, Internet and Personal security.

The latest index included additional research on the level of acceptance of biometrics as an identity verifier for trusted organizations such as government and financial institutions. In Hong Kong, the survey first asked about biometrics in 2007, when 89% said they would be happy using one or more identifiers, including biometrics, as proof of their identity to banks, the government and trusted organizations, which was down 4 percentage points from the survey results a year ago.

The survey result reflected the community's concern about the protection of personal information in the wake of a number of high-profile cases data loss incidents that took place in the year. Naturally, such incidents had affected public confidence and trust. The onus was on businesses and the government to educate consumers on what was being done to protect their information. Amidst growing economic uncertainty, the importance of personal information and financial security to consumers in Hong Kong was likely to increase.