








 












PCPD News provides guidance on good data protection practices to organizations.
PCPD News (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
October 2009 Issue No.22

Consultation on Review of the Ordinance
Consultation on Review of the
Personal Data (Privacy) Ordinance
Twelve years have passed since the Personal Data (Privacy) Ordinance ("the
Ordinance") came into force in 1996. The concept of personal data privacy
protection has been rooted in Hong Kong society over this period. The
public's awareness of and expectation for privacy protection have greatly risen.
However, personal data privacy has been an evolving concept responding to
changes and development in society.
The Privacy Commissioner, Mr. Roderick Woo said, "To cope with the
technological development, it is necessary to examine whether the existing
provisions of the Ordinance still afford adequate protection to personal
data. With over a decade of regulatory experience gained in discharge of my
regulatory duties and without losing sight of the macro international privacy
perspectives that are taking shape, I find it appropriate and timely to conduct a
comprehensive review of the Ordinance."
With these objectives in mind, an internal Ordinance Review Working Group
was formed in June 2006 to assess the adequacy of the protection rendered to
personal data privacy by the Ordinance. In December 2007, a comprehensive
package of over 50 amendment proposals was submitted to the Constitutional
and Mainland Affairs Bureau ("CMAB").
The Privacy Commissioner aims to achieve the following missions:
(1) to address issues of public concern;
(2) to safeguard personal data privacy rights while protecting public interest;
(3) to enhance the efficacy of regulation under the Ordinance;
(4) to harness matters that will have significant privacy impact;
(5) to deal with technical and necessary amendments.
The areas reviewed by the Privacy Commissioner include:
‧ Scope of personal data
‧ Leakage of personal data on the Internet
‧ Disclosure of personal data by Internet or email service providers
‧ Handling personal data in emergency situations
‧ Prescribed consent given by individuals
‧ Data access requests
‧ Direct marketing activities
‧ Exemptions
‧ Investigation and prosecution procedures
‧ Enforcement and penalty
Discussions on the amendment proposals have been held between the Privacy
Commissioner and the Secretary of CMAB. Recently, the government has launched
a public consultation on the review of the Ordinance. Copies of the
consultation document are available for collection at the District Offices or
can be downloaded from the CMAB’s website (www.cmab.gov.hk) or PCPD's website
(www.pcpd.org.hk). The deadline for submissions is 30 November 2009.
To enable the public to have a holistic view of the ordinance review exercise,
the PCPD has published a document, “PCPD’s Information Paper on Review
of the Personal Data (Privacy) Ordinance”, setting out the proposals made
by the PCPD to the CMAB as well as relevant issues of privacy concern.
The information paper can be downloaded from the PCPD’s website:
www.pcpd.org.hk/english/review_ordinance/files/Odnreview_Information_Paper_e.pdf
Mr. Woo said, “I believe a comprehensive review of the Ordinance with
participation by the general public will bring about an updated and recognized
piece of privacy legislation that amply protects and enforces personal data
privacy right in Hong Kong. I therefore call on the people of Hong Kong to be
concerned with the consultation and express their opinion actively.”

Statistics on Complaints & Enquiries
Number of Enquiry Cases: 8,495 (1 Jan-30 Jun 2009)
Number of Complaint Cases: 413 (1 Jan-30 Jun 2009)
[Chart: By Sector of Party Complaint Against]

Compliance Checks
Bank lowering the fee of data access request
The PCPD received a complaint about a bank charging excessively for handling
data access requests. After a compliance check, it was discovered that the
minimum charge for a data access request was $200 and photocopying was
$15 per page. The bank claimed that the actual data access request costs
were more than $1,400 in general.
According to the Personal Data (Privacy) Ordinance (“the Ordinance”), a data
user may be allowed to recover only the labour costs and actual out-of-pocket
expenses involved in the process of complying with a data access request in so
far as they relate to the location, retrieval and reproduction of the data
requested. The labour costs should only refer to the normal salary of clerical
or administrative staff who are able to handle the location, retrieval or
reproduction work. No charge may be made for sums incurred for legal advice or
for the time spent in redacting data or deciding which personal data should be
disclosed or refused to be disclosed.
The PCPD therefore concluded that the bank had charged an excessive fee and
contravened section 28(3) of the Ordinance.
The bank accepted the PCPD’s advice and lowered the fee for data access
requests and withdrew the minimum charge. The fee was set according to the
actual cost of handling a data access request, such as the average hourly wage
of clerical staff.
Leakage of interviewees’ personal data by online survey
It was reported in the media that the personal data of 960 people who took
part in an online survey was leaked on the Internet. The data included their
names, telephone numbers, email addresses and addresses. The survey was
organized by a computer magazine. The PCPD conducted a compliance check
and found that the magazine used free software to carry out the online survey.
But the magazine was not aware that the “summary data” could be accessed
and downloaded, resulting in the personal data being leaked.
Data Protection Principle 4 of the Personal Data (Privacy) Ordinance states that
all practicable steps shall be taken to ensure that personal data (including
data in a form in which access to or processing of the data is not practicable)
held by a data user are protected against unauthorized or accidental access,
processing, erasure or other use.
The magazine was advised to take proper security measures. It undertook that it
would not use the free software or similar software for online surveys in
future to avoid data leakage.

Investigation Reports
During the period of July and August 2009, the PCPD released three investigation reports
to give a clear stance and guidance on different aspects of personal data handling.
1. Investigation Report – Employers Collecting Employees’ Fingerprint
Data for Attendance Purpose (Released on 13 July 2009)
A furniture company (“the Company”) collected the fingerprint data of an
employee on his first day at work to record his attendance. The employee said
that the Company had not told him that it would need to collect and record his
fingerprint data when he accepted the job. He believed that fingerprint data
was sensitive personal data and lodged a complaint with the Commissioner.
After careful consideration, the Commissioner determined that the Company
was excessive in collecting employees’ fingerprint data for attendance records
and that the means of collection was unfair in contravention of Data Protection
Principle (“DPP”) 1(1) and DPP1(2) of the Personal Data (Privacy) Ordinance
(“the Ordinance”). The Commissioner served an enforcement notice to
the Company pursuant to section 50 of the Ordinance ordering it to stop
collecting its employees’ fingerprint data (unless prior express consent was
given voluntarily by the employee) and to immediately destroy all previously
collected data.
The Company complied with the enforcement notice and used passwords
instead to record attendance.

The Commissioner is of the view that, before deciding to collect employees’
fingerprint data, employers need to ensure compliance with the requirements
of the Ordinance, especially DPP1(1), which requires that data be collected for
a lawful purpose directly related to a function or activity of the employer.
Employers also need to carefully assess whether the advantages of collecting
employees’ fingerprint data are greater than any disadvantages.
The Commissioner made a series of practicable recommendations in the report for
employers to consider before deciding to collect employees’ fingerprint data.

2. Investigation Report – Tutorial Centre Using a Student’s Results Notice
for Promotion without the Student’s Consent (Released on 3 August 2009)
A tutorial centre (“the Tutorial Centre”) used the Hong Kong Certificate of
Education Examination (“HKCEE”) results notice (“the Notice”) of a student to
advertise and promote its services without the student’s consent.
The student took an HKCEE English course at the Tutorial Centre. After the
results were released, the staff asked the student by phone about her results.
When the staff learnt of the student’s excellent performance in English, the
student was informed that she could receive an award of HK$2,000. The
student went to the Tutorial Centre to collect the prize and was interviewed by
a magazine. She was asked by the Tutorial Centre to present the results notice
for verification.
The student discovered later that the Tutorial Centre had placed an
advertisement in a magazine featuring a copy of the results notice, which
clearly showed her name, the name of her school and the grades she got for
various subjects. The student complained that the Tutorial Centre had misused
the Notice for an advertisement without her prior consent.
After investigating the case, the Commissioner decided that the Tutorial
Centre had contravened Data Protection Principle (“DPP”) 3 of the Personal
Data (Privacy) Ordinance (“the Ordinance”). The Commissioner served an
enforcement notice pursuant to section 50 of the Ordinance on the Tutorial
Centre requiring it to stop publishing Notices containing students’ personal data
for promotion, unless it had obtained the prior consent of the data subject.
The Tutorial Centre confirmed in writing that it would comply with the
enforcement notice. A sign would be posted at its counter to let staff and
students know that it would not publish results notices containing students’
personal data for promotion, unless consent has been obtained from the
student involved.

3. Investigation Report – Food Company Collecting Participants’
Personal Data in Lucky Draw Activity (Released on 7 August 2009)
A food company (“the Food Company”) collected excessive personal data from
customers who intended to participate in a lucky draw.
The complainant purchased a product from the Food Company and called the
hotline to register for a lucky draw (“the Lucky Draw”) in accordance with
the instructions on the package box. Information such as the name, address,
telephone number, date of birth (day, month and year) and identity card
number were requested. The complainant believed that in general date of birth
was not required for lucky draws. She therefore refused to provide the data and
so could not join the Lucky Draw. She lodged a complaint to the PCPD.
The Food Company told the PCPD that it had to collect the names, addresses,
telephone numbers and identity card numbers of the participants in the Lucky
Draw to ensure contact with and verification of the winners. The PCPD also
noted that when participants called the Lucky Draw hotline, they were invited
to join the membership of the Food Company. But the dates of birth were
collected before the participants gave their consent to join the membership.
Generally speaking, winners can be identified by unique lucky draw numbers,
together with the registered names, addresses and telephone numbers. The
names of the winners can also be checked against their identity cards. It is
not necessary for the organizer to collect the identity card numbers of the
participants. The Commissioner is therefore of the view that the collection by
the Food Company of identity card numbers of participants holding unique
lucky draw numbers for the sole purpose of the lucky draw was excessive
and contravened Data Protection Principle 1(1) of the Personal Data (Privacy)
Ordinance.
The Commissioner also opines that the Food Company has no need to collect
the dates of birth of the participants for contact with and identification of
the winners. Therefore, the Food Company had contravened DPP1(1) for the
collection of the dates of birth of the participants for the sole purpose of
the lucky draw.
In the course of investigation by the PCPD, the Food Company destroyed the
personal data of all non-members and undertook to assign unique lucky draw
numbers to participants in future lucky draw activities so as to avoid
collecting their identity card numbers (or other personal identifiers) and
dates of birth.

News from the PCPD
Privacy Awareness Week 2009
The PCPD and other members of the Asia Pacific Privacy
Authorities (“APPA”) organized the third Privacy
Awareness Week (“PAW”) to raise the awareness of
privacy protection in the Asia Pacific Region. APPA
members include the Privacy Commissioners of
Australia (including the Commissioners of New South
Wales, Victoria and the Northern Territory), New
Zealand, Canada (including the Province of British
Columbia), the Korean Information Security Authority,
and Hong Kong.
PAW 2009 was held from 3-9 May. The theme was
“Privacy is Your Business”, with a focus on reminding
young people of the importance of protecting personal
data privacy, especially when using the internet.

Short Animation Video
To mark the event, APPA members jointly produced a 2-minute animation
video to remind young people to be careful when uploading their personal data.
You are welcome to visit the PCPD’s website
(www.pcpd.org.hk/english/images/frontpopup/animation_e.swf) and forward the
video to your friends.
"Privacy Reports"
Four secondary schools were invited to make short videos on “Privacy is Your
Business”. Four topics were featured, including the Security Measures of
Smart Identity Cards, Privacy Risks Arising from Social Networking Websites,
Installation of CCTV in Public Areas, and IT Security.
The PCPD invited various experts to speak to and share their experiences with
the students. The guests included Ms. Ruby Woo and Mr. Yim Kim Ho, news
anchors of ATV; Mr. James To and Mr. Samson Tam, Legislative Councillors;
Mr. Raymond Lok, Assistant Principal Immigration Officer of the Immigration
Department; Ir. Dr. K.P. Chow, Centre Associate Director of the Centre for
Information Security and Cryptography at the University of Hong Kong;
Mr. Roy Ko, manager of the Hong Kong Computer Emergency Response Team
Coordination Centre; Mr. Ong Yi Hing, a renowned artist and writer; and
Mr. Allen Ting, Chief Privacy Compliance Officer of PCPD. The videos
are available on the PCPD’s website at
www.pcpd.org.hk/english/activities/promotion.html.
The four schools are Wah Yan College Hong Kong, Po Kok Secondary School,
C.C.C. Kwei Wah Shan College and Salesian English School (Secondary
Section).

(Upper left) A student of Wah Yan College Hong Kong interviewed Mr. Raymond Lok, Assistant Principal
Immigration Officer of the Immigration Department.
(Upper right) A student of Po Kok Secondary School interviewed Mr. Samson Tam, Legislative Councillor.
(Lower left) A student of C.C.C. Kwei Wah Shan College interviewed Mr. James To, Legislative Councillor.
(Lower right) A student of Salesian English School (Secondary Section) interviewed Mr. Roy Ko, Manager of
the Hong Kong Computer Emergency Response Team Coordination Centre.
Ms. Ruby Woo and Mr. Yim Kim Ho, news anchors of ATV, shared their views on news reporting with students.
Privacy Awareness Week 2009 Inauguration Ceremony
The Privacy Awareness Week 2009 was launched at Wah Yan College Hong
Kong on 3 May by distinguished guests.
Guests of Privacy Awareness Week 2009 Inauguration Ceremony: (from
left) Mrs. Bonnie Smith, Deputy Privacy Commissioner; Mr. Raymond
Lok, Assistant Principal Immigration Officer of Immigration Department;
Mr. Man Wing Cho, vice-principal of Po Kok Secondary School; Mr. Tam
Siu Ping, principal of Wah Yan College Hong Kong; Mr. Roderick Woo,
Privacy Commissioner; Mr. James To, Legislative Councillor; Ir. Dr. K.P.
Chow, Centre Associate Director of Centre for Information Security and
Cryptography, University of Hong Kong; Mr. Lam Yuk Tai, principal of
Salesian English School (Secondary Section); Mr. Ip Tin Yau, principal of
C.C.C. Kwei Wah Shan College; Mr. Allen Ting, Chief Privacy Compliance
Officer of PCPD.

Other Activities
Plenary Meeting for Data Protection Officers' Club members. The topic was
"Sharing on the PCPD’s Investigation Reports and Administrative Appeals Board's
Decisions".
Mr. Roderick Woo, Privacy Commissioner (left), and Mr. Shane
Solomon, Chief Executive of HA, officiated at the launching
ceremony of the “Care for patients – Protect their personal
data” campaign.
The launching ceremony of the "Care for patients - Protect their personal data"
campaign ("The Campaign"). The 12-month campaign, jointly held by the PCPD
and the Hospital Authority ("HA"), aims to raise awareness among medical
staff about their patients' data.
Mr. Roderick Woo, Privacy Commissioner, gave a speech.

DPOC Members’ Support to PAW
PAW 2009 received an overwhelming response from 54 corporate members of the
Data Protection Officers’ Club, including government departments and private
organizations. They organized privacy promotional activities, including
seminars, games and quizzes, during the week to enhance the culture of privacy
protection in the workplace.
PAW was held in Sony Corporation of Hong Kong Limited.

The 31st Asia Pacific Privacy Authorities Forum
The 31st Asia Pacific Privacy Authorities (APPA) Forum was hosted by the PCPD
from 11 – 12 June 2009. Privacy commissioners and representatives of the
privacy and data protection agencies of Australia (including Victoria), Canada,
New Zealand and South Korea were present. Representatives from the National
Commission for Data Protection in Portugal and the Office for Personal Data
Protection in Macao were also there as observers.
The main objective of APPA is to facilitate the sharing of knowledge and
resources among privacy authorities in the Asia Pacific region, fostering
cooperation in privacy and data protection, promoting best practice among
privacy authorities and working to improve their performance in carrying out
their respective privacy laws. APPA convenes twice a year.
The first day (11 June) of the Forum was a closed session. Members reported on
their achievements and developments, including complaint-handling practices,
and employee monitoring in the workplace. The Commissioner of New Zealand
reported on a survey about the use of portable storage devices in the public
sector, contributing to discussions on strategies to deal with challenges created
by new technologies. The importance of building strong relationships with
private sector stakeholders in promoting privacy compliance audits was also
discussed. Members resolved to share strategies for enhancing privacy protection
and compliance across the region.
The second day (12 June) of the Forum included APPA members and guests,
including representatives from the Department of Justice and the Constitutional
and Mainland Affairs Bureau. Members discussed jurisdictional reports, the latest
developments on data breach notification, privacy law reform in Hong Kong, and
updates on the APEC Privacy Framework and related initiatives being undertaken
through the OECD.

12 June 2009 – Public Forum – Electronic Health Record Sharing
In the afternoon of 12 June, a public forum discussing Hong Kong’s proposed
electronic health record sharing system was held. Over 180 people from public
and private medical institutions, government departments and members of
the Data Protection Officers’ Club attended. Presentations were given by three
distinguished local experts, Dr. Choi Kin, former President of the Hong Kong
Medical Association; Dr. Cheung Ngai Tseung, a Consultant (eHealth) from
the Food and Health Bureau; and Dr. Elizabeth Quat, Co-founder and former
President of the Internet Professional Association. The Privacy Commissioner,
Mr. Roderick Woo, and the Commissioners of Australia, Canada, and New
Zealand also held a panel discussion to share overseas experiences of electronic
medical systems.
Conference in Macao on "Data Breaches – Problems and Solutions"
A conference on “Data Breaches – Problems and Solutions” was organised
by the Office for Personal Data Protection, Macao, and the Legal and Judicial
Training Centre, Macao on 13 June. The Privacy Commissioner, Mr. Roderick
Woo, and representatives from APPA, Portugal, Macao, and mainland China
discussed developments on privacy protection in different jurisdictions, data
breaches, and the seventh amendment of the Penal Code of the People’s
Republic of China.
"Care for patients - Protect their personal data" Campaign
The PCPD and the Hospital Authority (“HA”) jointly launched the first large-scale
educational campaign to encourage the protection of patients’ personal
data. Patient data is more secure and patient interests are protected when
medical data is accessed by the right person at the right location and at the
right time.
The 12-month campaign covered a wide variety of educational activities,
including seminars, a “Privacy Desk”, display panels, games, quizzes and an
online self-training module, which were provided to all HA staff to raise their
awareness about privacy risks at work and to teach them how to handle
patients’ personal data correctly.
HA staff actively participated in the “Care for patients – Protect
their personal data” campaign carried out in public hospitals.

Deputy Privacy Commissioner for
Personal Data Assumed Office
Ms Margaret Chiu Sai-fong took up her new post as Deputy Privacy Commissioner for Personal Data on 14 September 2009.
Ms Chiu had been with the PCPD as Legal Counsel for six years and is conversant with the personal data privacy law and the
general operation of PCPD. Her major contributions to PCPD included a strong participation in the first ever Inspection (of the
Hospital Authority’s patients data system) undertaken by PCPD, and the publication of the legal reference book, Data Protection
Principles in the Personal Data (Privacy) Ordinance - from the Privacy Commissioner’s perspective.

DPOC News
Plenary Meeting
On 5 May 2009, over 120 members attended the first plenary meeting for this
membership year (2009-10). The meeting was part of Privacy Awareness Week
2009 (3-9 May).
Ms. Sonia Chan, Coordinator of the Office of Personal Data Protection, for the
Government of Macao Special Administrative Region, was invited to speak on
the topic of “Personal Data Protection Act”. In addition, PCPD staff briefed
members about the PCPD’s investigation reports and the decisions of the
Administrative Appeals Board. Members were able to learn more about the
interpretation and application of the Personal Data (Privacy) Ordinance.
PCPD staff briefed members about the PCPD's investigation reports and the decisions of
the Administrative Appeals Board.
Ms. Sonia Chan, Coordinator of the Office of Personal Data Protection, for the
Government of Macao Special Administrative Region, spoke on the topic of "Personal Data Protection Act".
Introductory Seminar
Two introductory seminars were held on 9 July and 28 August 2009 to enhance new members' basic knowledge of the Personal
Data (Privacy) Ordinance.

Overseas Privacy News
Be careful of using social networking websites to protect personal data
The use of social networking websites is no longer limited to young people.
Research in the U.S. found that over half of the people aged between 35 and
44 used social networking websites. Moreover, the number of people over 34
using social networking websites has increased more than 60% over the same
period last year. Although the use of social networking websites has become
more and more popular, the issues of personal data privacy involved should not
be neglected.
An investigation report recently published by the Office of the Privacy
Commissioner of Canada found that there were many privacy loopholes in
the social networking website Facebook, and that improvements have to be made to
enhance the protection of users’ privacy. The report pointed out that although
Facebook had measures on privacy protection in place, they were confusing and
incomplete. For example, the “account setting” page only teaches users how
to suspend an account, but does not tell them how to delete their personal data
completely. Moreover, it was found that Facebook had permanently retained
users’ personal data. The report suggested that Facebook enhance transparency,
adopt measures to prevent unauthorized third parties (e.g. programmers) from
accessing users’ personal data, fix a data retention period, etc. so as to ensure the
protection of the privacy of over 12 million Facebook users in Canada.
U.S. President Obama is also very concerned about the privacy issues
raised by social networking websites. In a recent dialogue between Obama
and students of a secondary school in Washington, D.C., Obama advised the
students not to disclose too much personal data on social networking websites.
When asked how to be a president, he said, “Well, let me give you some very
practical tips. First of all, I want everybody here to be careful about what you
post on Facebook because in the YouTube age, whatever you do, it will be
pulled up again later somewhere in your life……And I’ve been hearing a lot
about young people who -- you know, they’re posting stuff on Facebook, and
then suddenly they go apply for a job and somebody has done a search.”

New Publications
Proper Handling of Customers’ Personal Data by Estate Agents
The work of estate agents involves collecting and using customers' personal
data, including names, telephone numbers, addresses, identity card numbers,
and information of individual customers in the provisional sale and purchase
agreement or tenancy agreement. The PCPD and the Estate Agents Authority
(“EAA”) jointly published a booklet, “Proper Handling of Customers’ Personal
Data by Estate Agents”, to highlight and explain the six data protection
principles, the requirements on the use of personal data for direct marketing,
the processing and transfer of customers’ data, as well as some practical tips.
Revised Guidance on Cross-Marketing Activities
The PCPD revised the Guidance on Cross-Marketing
Activities, which is a general reference guide on compliance
with the requirements of the Personal Data (Privacy)
Ordinance in using personal data for cross-marketing.
Under the revision, companies should ensure that the
transfer or disclosure of customers’ personal data to a
partner company or companies is not against any codes
of practice or guidelines issued by the regulatory or
professional bodies of its industry.

Copyright 2001 Office of the Privacy Commissioner for Personal
Data, Hong Kong. All rights reserved.