This quarterly newsletter of the PCPD provides guidance on good data protection practices to organizations.

Subscribe Now!!

PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
August 2001 Issue No.8

The issuing of the Code was considered to be necessary because, when a citizen has dealings with a financial institution not for a business purpose, e.g. obtaining a personal loan, such transaction will inevitably give rise to information about his financial behaviour, e.g. whether or not there may be subsequent default in payment. Such data will be valuable in assisting in the overall assessment of the credit-worthiness of the individual in any future transactions. It follows that financial institutions may wish to be able to access the credit history of individuals for the purpose of their credit assessment. In one sense, to allow financial institutions to do so is also in the public interest, since this will help to prevent subsequent bad debts from arising, hence preserve the health and stability of the local financial industry as a whole.

However, since the credit data amount to the personal data of the individuals concerned, unlimited access to such information by financial institutions would possibly give rise to misuse and to contravention of the Personal Data (Privacy) Ordinance ("the Ordinance"). With a view to strike the right balance between the competing interests, the Commissioner therefore issued the Code pursuant to his power under section 12 of the Ordinance. Under the Code, a credit reference agency may collect from different credit providers credit data about an individual, put them together in the form of a credit report, and provide the same to a credit provider who may make an enquiry on the individual. Besides data from credit providers, the credit report may also include information from public sources, e.g. information about writs and bankruptcies. The important point to note, however, is that the collection, handling, retention and transfer of all of the said information by credit providers and credit reference agencies are subject to strict control under the Code.

From the past three and a half years' operation of the Code, it has come to the attention of the PCPD that certain revisions to the Code may be appropriate. First, in view of the change in economic climate and rising default rate among borrowers in general, it has been suggested that a broader basis for credit assessment is necessary. With this in mind, the PCPD is now considering relaxing the relevant provision in the Code to allow credit reference agencies to retain data relating to credit applications by individuals for a period of five years (as opposed to merely 90 days as currently allowed). Furthermore, in order to give credit providers a more objective basis for evaluation, the proposal is under consideration to allow credit reference agencies to conduct credit scoring, i.e. to use a statistically-tested algorithm to generate an overall credit score on each individual on which an enquiry is received, based on other data held on the individual.

Another area in which revision to the Code is considered desirable relates to the change in bankruptcy law in Hong Kong. Under the new law, after an individual has been declared bankrupt, a discharge in bankruptcy will occur automatically after the expiry of a certain number of years. When such automatic discharge happens, the fact of the discharge may not be publicly announced. This has created difficulty in that, under the current Code, any automatic discharge from bankruptcy may not be reflected in the records of a consumer credit reference agency in relation to the individual in question. It is therefore proposed to amend the Code to make it clear that the onus is on a discharged bankrupt to notify the fact of such discharge to a credit reference agency. Such a change to the Code, if implemented, will also be supplemented by public education to bankrupt persons in this regard.

Under section 12(9) of the Ordinance, before revising any code of practice issued by him, the Commissioner should consult with such interested parties as he considers appropriate. Accordingly, a Consultation Paper on amendments to the Code was issued by the PCPD in May 2001. A total number of 18 responses to the Consultation Paper have been received. As a second stage to the consultation, the PCPD has now raised further questions to relevant parties with the view of fine-tuning some of the proposed amendments. After this is done, the Commissioner will proceed to amend the Code, which amendments are expected to improve the Code as a basis on which credit evaluation on individuals may be carried out.

by Eric Pun
Legal Director, PCPD

Broadcast on Radio Television Hong Kong on 4 August 2001

Stephen Lau, Privacy Commissioner for Personal Data

4 August 2001

Dear Raymond,

Thank you very much for your e-mail and kind regards.

You said you felt shocked when you, learned from the news that I had decided to leave the post of Privacy Commissioner for Personal Data upon expiry of my five-year contract because all along, you are very appreciative of my performance.

Thank you very much for speaking highly of me. In fact, if you have knowledge of my work history, you would know why I come to this important decision. I have worked in the government, the banking sector and the IT profession during which I have made different endeavours and have faced new challenges. By doing so, I have derived great satisfaction from my work. On looking back, during the past five years when I was Privacy Commissioner for Personal Data, I had overcome many hurdles and had won the support of people of various sectors. The Personal Data (Privacy) Ordinance, which offers protection to the Hong Kong people in respect of their personal data privacy, became effective in December 1996. At that time, the society as a whole did not attach importance to personal data privacy, the organizations were not concerned about personal data privacy and the public did not know much about their rights under the Ordinance. In those circumstances, to promote a cultural shift in our society of 7 million people was in no way easy.

At that time, my most important job as Privacy Commissioner was to enlighten members of the public on the importance of personal data privacy, the reasons why personal data should be reasonably and suitably protected and what rights they have under the present Ordinance. For example, people have the right to make access and correction request to any organization in Hong Kong with respect to their personal data. In case they find that their personal data have been misused, they have the right to make a complaint to our office.

Let me quote here a very successful example of cultural shift. For many years, the Hong Kong Identity Card is a well-acknowledged document of identification. It is because of this widely accepted belief that in many cases, for example, in the application for jobs, booking of sports grounds and renting of bicycles, the organizations concerned often unnecessarily request for the photocopying of the identity card and even keep the identity card as security. Such a request may have contravened the "excessive collection of personal data" principle of the Ordinance and at the same time may also cause serious consequences to the individuals concerned. I think that you may still remember that years ago when it was much easier to obtain ID card copies, some rascals swindled money by impersonating property owners and sold their property. The consequence was that the unfortunate buyer not only had no claim on the property but also had to be responsible for the mortgage loan. The first important task after I became Privacy Commissioner was to compile the Identity Card Code of Practice to explicitly restrict the use of identity cards. The Code specifically provides when the ID numbers can (cannot) be recorded or when the ID card copies can (cannot) be made. Such guidelines not only promote the awareness of the public and the organizations on the use of the information contained in the identity cards but also reduce the incidence of frauds by impersonation.

Another promotion target of equal importance are the local organizations. Both the government departments as well as the private sectors, in the courses of their operation, have the obligation to comply with the six data protection principles of the Ordinance in the collection and use of the citizens' and their clients' or staff's personal data. It is believed that in recent years, members of the public, in applying for services such as the opening of bank accounts or the provision of mobile phone services, have found that the government departments, the industrial and business organizations, banks, telecommunication companies etc. all state in their application forms the purpose of collection of personal data and that the consent of the data subjects must be obtained should there be any change in the use of the data collected.

In the early stage when I was Privacy Commissioner, in the course of exchanging views with the industrial and business sectors, I found that they had reservations about the need to protect their clients' and staff's personal data. They were of the view that it would bring about extra work and would affect administration and operation efficiency. However, I often preach this : "The respect for personal data privacy rights is not purely for lawful compliance ; the respect for the rights of the citizens, staff and clients has become an important factor of success in the provision of services and products in this society of technological advancement. Without the confidence and trust of the members of the public, organisational endeavours are bound to result in failure." In our annual baseline survey of organizations, it was found that the percentage of organizations that generally agreed to this perspective had increased significantly from 40% in 1997 to 80% this year. This percentage exceeds that of any country over the world. Hong Kong should be proud of this and I am very delighted.

Yesterday a reporter asked me what advice I would give to my successor. My views are that the success of Hong Kong hinges on freedom, democracy, rule of law and fairness. As an regulatory body, the Privacy Commissioner should have "conviction" and "courage" and should adopt "a pragmatic approach" to maintain the spirit of the rule of law to protect the privacy rights of the citizens. Without "conviction", it is difficult to convince the members of the public and the sectors concerned as well as to generate resonance. Without "courage", it is difficult to face and to harmonise the different voices of the society. Without a "pragmatic approach", it is difficult to bring about a solution without damaging sectoral interests and at the same time duly protecting the privacy rights of our citizens under the law.

I will soon leave my present position. My greatest delight is that I believe we have already laid a solid foundation for our work. But my greatest regret is that I have to leave my colleagues who have been working so hard together with me for 5 years. Through their untiring efforts, the PCPD has won the acclaim of the public for a job well done.

I know that you are now travelling in Italy. Let's have a nice chat when you are back. Finally, please send my warmest regards to your wife, Penelope.

Sincerely,
Stephen

9 Golden Privacy Tips The US Privacy Journal has suggested a number of tips for protecting your privacy. This advice is based upon 25 years of experience in reporting invasions of privacy and privacy precaution in the US. To a certain extent these tips are appropriate in the Hong Kong context.

Be discreet when filling out application forms- whether on-line or off-line. Don't hesitate to say, " Because I am concerned about my privacy, I choose to keep that information to myself" when you feel uncomfortable about divulging excessive personal data. Protect the confidentiality of your ID card number. The HKID is a potential means by which a complete stranger may impersonate you, or link information about you from different data bases. Always ask why personal data is needed and don't provide it if you think it is unnecessary.
	Ask to inspect and to correct files kept about you by third parties. You have a right under the law to do this for credit, medical, employment, criminal and school record and any government records that contain your personal data.
	Attach conditions to the use of personal information which you regard as sensitive. Ask in writing for a third party's "Personal Information Collection Statement" to make sure that a data user does not change the use for which the data was originally collected.
	Never provide personal data over the telephone to anyone unless you placed the call and know the organization.
Remember that mobile and cordless telephones are not secure forms of communication and that e-mail is comparable to sending a postcard. Tell a telemarketing company that calls you, " Under the Personal Data (Privacy) Ordinance, I want to be placed on your 'opt-out' list".
	If you share a computer at work with others, disable "cookies" in your Internet browsing software or delete sensitive "cookies" in the browser.
	Subscribe to "Private Thoughts" to stay up-to-date on privacy matters. That way you will be aware of your rights and learn about new technologies that may both invade and protect your privacy. It is free of charge!

The Asian HR Awards

Mr Stephen Lau, the Privacy Commissioner for Personal Data , recently received the "Outstanding Contribution to Human Resources" award at the Asian HR Awards in June in Hong Kong. The prize presentation ceremony was held on 27 June 2001 at Hotel Nikko. The award recognizes the contribution of any organization, institution or individual that has made an outstanding effort in raising the profile and level of professionalism in Human Resources practice. Mr Lau received recognition for his efforts in drafting and introducing the Code of Practice on Human Resource Management, which offers practical guidance on personal data privacy in relation to employment data. This code has gained wide support by employers and human resources practitioners.

SME Market Day

The PCPD participated at the SMEs Market Day Exhibition 2001 from 5 to 6 July. The exhibition, organized by the Trade Development Council, provides support for Hong Kong's small and medium-sized enterprises (SMEs). The PCPD was among the 15 government departments and public bodies that set up booths at the Public Service Pavilion at the exhibition. A presentation was given by the PCPD, providing visitors an opportunity to understand the Ordinance and of its interpretation and requirements and its implications for SME's.

Summer Consumer Road Shows

A series of consumer road show were staged at five shopping centres during the summer months. Catered for parents and school children who were at their leisure during the summer holiday, the PCPD displayed promotional panels at various shopping centres, to raise the awareness of personal data privacy among people from all walks of life.

The road shows were held at Hau Tak Estate Shopping Centre (14-15 July), Yiu Tung Estate (21-22 July), Tsz Wan Shan Shopping Centre (28-29 July), Lok Fu Shopping Centre (18-19 August) and New Town Plaza (25-26 August).

Fact Sheet on Recruitment Advertisements

The PCPD has recently issued a fact sheet on "Frequently asked questions about recruitment advertisements" providing clear guidelines on the requirements of the Code of Practice for Human Resource Management in relation to employment personal data. Under the Code, recruitment advertisements that directly solicit personal data from job applicants and those that do not identify the parties that have placed them are prohibited. The Code was issued by the Privacy Commissioner for Personal Data in September 2000 and came into effect in April 2001.

News for Data Protection Officers' Club (DPOC) DPOC will offer a series of special interests workshops exclusively for its members from September to November. Topics include "Human Resource Management and Personal Data Privacy", "How to handle customers' personal data" and "Preparing Personal Information Collection Statement (PICS) and Privacy Policy Statement (PPS)". The workshops will be conducted in English and Cantonese and will provide members with a hands-on opportunity in understanding the interpretation and application of personal data privacy protection.

* In Hong Kong, every individual has the right to request another party, e.g. government department or a company, to confirm whether it holds his or her personal data and to request a copy of any such data. Such requests are called "data access requests".