








 












This
quarterly newsletter of the PCPD provides guidance
on good data protection practices to organizations.
PRIVATE
THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner
for Personal Data, Hong Kong)
March 2002 Issue No.9
Raymond Tang, Privacy Commissioner for Personal Data
One
would only need to spend a few minutes with Mr Raymond Tang to
notice how comfortable he is with his new appointment as the Privacy
Commissioner for Personal Data.
After
all, accepting this challenging position has brought Mr Tang's career
full-circle. Having spent many years in private practice as a lawyer,
initially as a solicitor, and then a barrister, and including a
period as chief counsel at the Securities and Futures Commission,
Mr Tang, who has spent almost 35 years in the legal profession,
feels it's the right time to give back to the community.
"I
feel this position allows me to use what I have learned in my 30
odd years in the law, and in a small way, it allows me to contribute
to society by helping build a norm for the respect of personal data
privacy rights," he says, relaxing over a cup of tea. "It's not
often one gets the opportunity to take on a pivotal and often controversial
role. And I have had a very easy entry because of the wonderful
and dedicated staff of the office, who have worked so hard to introduce
this legislation to the people of Hong Kong and achieve the level
of acceptance which it now enjoys."
Mr
Tang wasted no time in jumping into the stream of things. A soft-spoken,
dapper man, he demonstrates not only a breadth of knowledge
about the applications of the Personal Data (Privacy) Ordinance
("the Ordinance") - "Because of my background, it's been so much
easier to pick up and stay on top of things" - but also
a wealth of ideas on how to enable it to better serve the
people of Hong Kong. "The overall objective of the Commission is
to enhance the protection of personal data," he says. "I take a
great deal of comfort in that there is already very much an understanding
and acceptance of it among institutions as a component of the business
environment. Our surveys over the past years have amply demonstrated
this. But in forging ahead, I will try to infuse the notion of privacy
protection in the community in general."
That
said, the past months have been extremely busy for our new Privacy
Commissioner, who wasted no time in implementing measures to promote
data privacy protection through an educational process. And he is
working from the ground up.
"This
is an extremely sensitive issue because you are dealing with people's
behavior, and it brings into focus that we are in a community, you
need to have information flow - everyone needs to know a bit about
someone else, which forms the basis of human interaction. The issue
is how to define that information flow," he says. "Privacy protection
is about two sides of the same coin. We should all respect other
people's privacy before we can expect others to respect our own,
and this Ordinance becomes relevant when that becomes a norm."
Admittedly,
this is easier said than done. Having expressed his concerns, Mr
Tang immediately identified certain issues of the Ordinance which
need to be adjusted. For example, he is looking into proposed amendments
to the code on consumer credit. Currently, the code allows for certain
sharing of information regarding data on those who are unable to
repay credit card debts, or number of credit card applications submitted
by an individual. The PCPD has been asked to allow a longer period
of retention of financial data within the database held by credit
reference agencies. Situations such as these require Mr Tang to
apply his knowledge of law with compassion. "Here is where a delicate
balancing exercise comes into play: a balance between private right
and community interests," he says.
He
is putting his extensive experience in the practice of law to good
use. "I intend to provide input in the drafting of codes of practice,"
he says. "To make them user-friendly for regulators and those governed
by them."
But
in a general sense Mr Tang feels it's important to apply legal and
regulatory requirements in a consistent and sensible manner. He
maintains the Ordinance isn't there simply to protect certain rights
of individuals, or to prohibit certain practices which impact upon
these rights - it's a piece of social legislation with a focus on
community harmony, which takes time to understand and assimilate.
"Ultimately,
we do come in when the law needs to be enforced," Mr Tang continues.
"But in terms of legal history, the concept of data protection is
novel and the Ordinance is relatively new. We are dealing with people's
feelings and personal privacy, so in the process we must be cautious
and patient."
This
is why, for the next five years, the Commissioner will spend considerable
resources on education. "Subject to our resources, we would like
to go out more, reach the younger members of society," Mr Tang says.
"We cannot simply tell people what to do. We have to develop a culture
where people respect other individuals' privacy. The application
of the Ordinance is all about people." Prudence is also an important
aspect. "Of course, in the process, we are resource conscious,"
he adds. "There are financial constraints, you have to be careful
of how you spend because they are tax dollars, so we look at things
very realistically."
A
self-proclaimed workaholic, Mr Tang relishes overcoming these
obstacles. He reveals that he loves his work, and in the very rare
opportunity of gaining some free time, plays a "horrible game of
golf," and is "hopeless in horse betting."
In
terms of Hong Kong society as a whole, he feels that the community
has responded very well to the Ordinance. "When we started to look
into the issue of data privacy protection there were very few comparable
legislation around," he says. "In terms of application of the relevant
principles we are very advanced in embracing the concept and having
a comprehensive law to give it legal effect. Hong Kong is highly
regarded by many other jurisdictions."
Above
all, this position allows Mr Tang to apply his philosophical beliefs.
"I have always contemplated on what's the role of law in society,"
he quips. "It's part of life, it tells you how to go about living,
apply it right, and we will all get something out of it."
Introduction
On
8 March 2002, the Privacy Commissioner issued a draft Code of Practice
on Employee Monitoring and Personal Data Privacy at Work ("the Code")
as a public consultation exercise. Organisations from both the public
and private sectors are invited to submit their comments on the provisions
of the Code, as are members of the public. All submissions will
be reviewed in detail and subsequent revisions made to the Code
will undoubtedly benefit from the comments received. The aim
of the consultation process is to produce a final version of the
Code that offers pragmatic guidelines that enjoy broad-based support.
Background to the Code
The
decision to commence work on the Code was a response to a number
of factors that indicated it was timely to pursue this initiative.
- In August 1999 the Privacy Sub-Committee of the Law Reform Commission
  ("the LRC") made the recommendation, in a consultation paper entitled
  Civil Liability for Invasion of Privacy, that the PCPD
  issue a code of practice on all forms of workplace surveillance
  for the guidance of employers, employees and the general public.
- Technological developments, and significantly reduced costs, have made
  employee monitoring systems, and related software, affordable to virtually
  all employers. The natural consequence of this is that employee
  monitoring has become much more pervasive in Hong Kong and, some
  would argue, more invasive of the privacy of the individual at
  work.
- The 2001 Opinion Survey of Data Users, conducted on behalf of the
  PCPD by the Social Sciences Research Centre at the University
  of Hong Kong, produced some revealing results. The survey yielded
  the following findings:
  - 63.6% of all employers surveyed had installed at least one form
    of surveillance in the workplace.
  - 33% of all employers surveyed had installed two or more forms
    of surveillance in the workplace.
  - Only 22.1% of employers surveyed had a written policy on workplace
    surveillance.
  - When employers were asked if they would support PCPD efforts to
    develop a Code of Practice on Workplace Surveillance, 77.6%
    were in agreement with this suggestion.
These
factors, coupled with trends in Hong Kong and other advanced societies,
suggest that now is an appropriate time to promulgate a Code that
applies the provisions of the Personal Data (Privacy) Ordinance
to the practice of employee monitoring.
Key Features of the Code of Practice
After
giving careful consideration to the recommendation put forward by
the LRC, the PCPD decided, at least initially, that the Code should
be restricted to the most common forms of employee monitoring found
in Hong Kong. These involve the monitoring of telephone calls, E-mail,
computer usage, including Internet access, and video/CCTV surveillance.
Two
fundamental privacy principles have guided the formulation of the
Code:
- The Principle of Proportionality.
- The Principle of Transparency.
The
first of these principles is based upon the view that all employees
are entitled to be treated with respect and dignity by their employer.
That entitlement would include an expectation of respect for their
personal privacy. As a consequence, any intrusion by an employer
upon the privacy of an employee should be proportional to the benefits
to be derived. In turn, those benefits should be related to the
risks monitoring is intended to reduce. It is therefore incumbent
upon the employer to strike a balance between the pervasiveness
of monitoring and the magnitude of risk confronting the employer.
In practice this means that employee monitoring should be proportional,
targeted and applied on a limited duration basis.
The
principle of transparency is concerned with openness. In this context
it is the responsibility of the employer to be unequivocal about
the employee monitoring systems deployed at work. The best way to
convey the purpose, scope, and operational features of employee
monitoring systems and related software is for the employer to draft
an Employee Monitoring Policy. A number of large employers in Hong
Kong have already implemented these policies which have become an
integral part of their "house rules" or operational procedures handbook.
The function of an Employee Monitoring Policy is to notify employees,
and remove any ambiguity from the employment relationship. This, in turn,
should reduce the potential for any unpleasant surprises.
The
combined effect of these principles can be captured thus:
"Let the employer be fair, let the employee be aware."
In
promoting this concept the PCPD endeavours to ensure that the final
version of the Code will be fair to employers and employees. The
ultimate goal is to strike a balance between the legitimate right
of the employer to manage the assets and resources of the business
whilst at the same time acknowledging and respecting the personal
data privacy rights of the employee.
From Conflicts to Compromise - The Privacy Laws in the States and Europe
The original article was published in the "Hong Kong Economic Journal"
on 21 November 2001.
In
July 2000, the United States of America (the "States") and the European
Union ("EU") signed a document entitled "The Safe Harbour Principles"
(the "Principles") which then became effective in November the same
year. On reaching the agreement, the representatives of the States
pointed out that the document was a historic agreement promoting
electronic commerce and at the same time bridging the divergence
between the States and the European Union.
All
along there have been great differences between the States and the
European countries in the areas of policies and laws for the protection
of privacy rights. Comparatively speaking, EU places more emphasis
on privacy right protection. As a result, a great majority of the
EU member countries have enacted privacy right protection legislation.
In particular, the personal data protection laws of EU are more
detailed than those of the States. This is probably due to the differences
in culture and history of the two places. In Europe, personal data
are viewed as part of the personal property and form part of the
basic human rights. Therefore, most of the EU member countries have
enacted personal data protection legislation. In 1981, the European
Parliament passed the "Convention on the Automatic Processing of
Personal Data" (the "Convention"). This document enshrines the basic
principles for the protection of personal data including the prohibition
of the transmission of personal data to countries where the adequacy
of the protection of personal data is not established. These principles
have become important principles for the EU personal data protection
laws adopted later.
Though
most EU Member States have enacted personal data protection laws
on the basis of the above-mentioned Convention, their implementation
is confronted with difficulties because of the difference in standard
adopted by different Member States. For example, a Member State,
under the pretext of "lack of adequacy of the protection of personal
data", may prohibit the transmission of personal data to another
Member State. This leads to conflicts among Member States and may
constitute an obstacle to the integration of the European markets.
In order to promote the free flow of data among its Member States,
EU passed the "Directive on Data Protection" (the "Directive") in
1995 which then came into effect on 24 October 1998. The Directive
explicitly provides that EU Member States could only transfer personal
data to those "third countries" outside the EU with "adequate protection
measures". This ensures adequate legal protection when the personal
data of the nationals of the EU Member States are transferred to
places outside EU.
However,
there exist great differences in the personal data protection policies
and laws of the States and EU. In the States, the focus of protection
of the personal data is on those held by the government departments.
The private sector is largely left free to deal with personal data
they collect without much government intervention. Such a policy
may have something to do with the "little government, big corporation"
tradition of the States.
After
the implementation of the Directive by EU, differences in concepts
of personal data protection between the States and EU immediately
emerged. As many trans-national corporations in the States have
branches in Europe, EU threatened to prohibit those US trans-national
corporations in Europe from transferring the personal data of their
employees back to the States on grounds that the States had no adequate
protection measures for personal data. As the US trans-national
corporations have some 9 million employees in Europe, such an "embargo"
would undoubtedly affect the normal operation and management of
those corporations. Therefore, the States initiated negotiations
with EU and finally an agreement on the "Principles" was reached.
According
to the "Principles", the US trans-national corporations have to
formulate their company policies for personal data protection and
transmit personal data in accordance with the standard conditions
of EU. At the same time, those corporations have to undergo a "self-certification"
process with the US Department of Commerce, including submitting
such details as their personal data protection policy, its effective
date, staff responsible for handling complaints etc.
The
"Principles" also provide that the US trans-national corporation
should comply with a series of provisions, including reasonable
security measures and effective implementation mechanism etc. Also,
all personal data collected would only be used for the specified
purposes. In practice, these provisions are similar to those contained
in the "Directive".
On
the other hand, in order to ensure that the US trans-national corporations
would implement their personal data protection policy, the "Principles"
also stress the importance of remedies. As such, the "Principles"
provide that in most cases, the persons affected could initiate
legal proceedings either in the States or Europe. Besides, the "Principles"
also list in detail the remedies that can be pursued under the laws
of the States, including infringement of privacy rights under a
common law tort claim etc.
In
conclusion, the "Principles" represent a compromise in personal
data protection laws and policies by the States and EU. More importantly,
the "Principles" reflect the emerging conflicts in laws among different
countries in the process of economic globalization.
Written
by Professor Richard Wu
Associate Professor of the Faculty of Law of the University of Hong
Kong
Amendments to the Code of Practice on Consumer Credit Data
The
Commissioner briefed the media on the revised Code of Practice on
Consumer Credit Data at a press conference on 8 February 2002.

The
revised Code provides better protection for individuals' interests,
and alleviates certain operational difficulties encountered by the
consumer credit industry in relation to consumer credit data. In
summary, the final amendments to the Code are as follows:
a) Restrict access to individual's credit data only in situations involving
   consideration of grant, review or renewal of consumer credit,
   or where default has occurred
b) Extend retention period of "credit application data" from 90 days to
   5 years
c) Extend retention period of "file activity data" from 12 months to 5
   years
d) Permit the carrying out of consumer credit scoring by credit reference
   agencies
e) Permit "credit application data" and "file activity data" within 2
   years of creation date to be used for all credit reference purposes,
   and afterwards for credit scoring only
f) Require credit reference agency to delete account default data 5 years
   after discharge of bankruptcy as proved by individual to agency
g) Require credit reference agency to automatically delete public record
   about an individual's bankruptcy within 8 years from the declaration
   of bankruptcy
The
revised Code was notified in the Gazette on 8 February 2002 and
has taken effect from 1 March 2002.
For
free copies of the revised Code, please visit the PCPD office. It
can also be downloaded from the PCPD web site at www.pcpd.org.hk.
New PCPD publications
The
PCPD has produced a new information booklet titled "About the Office
of the Privacy Commissioner for Personal Data" to outline PCPD's
role, functions and work in general. Copies of the booklet are available
at the PCPD Office. The booklet is also available at the PCPD web
site.
Education & Careers Expo 2002
PCPD staff distributed publications and answered enquiries at the Education
and Careers Expo 2002 held from 21-24 February at the Hong Kong Convention
and Exhibition Centre.
News for the Data Protection Officers' Club
Members of DPOC participated attentively in the workshops
A series of special-interest workshops exclusively for
members, entitled "Human Resource Management and Personal
Data Privacy", "How to handle customers' personal data"
and "Preparing Personal Information Collection Statement
(PICS) and Privacy Policy Statement (PPS)", ran from
September to December 2001 and concluded with an overwhelming
response. Members who attended the workshops found
them to be informative and insightful. Most importantly,
they gained valuable knowledge on the interpretation,
application, as well as compliance aspects of the Ordinance's
principles in respect of personal data privacy. Attendees
were awarded certificates and trophies at the 11
January DPOC meeting.
Privacy Forum
A
new initiative, the Privacy Forum, was introduced at the 11 January
DPOC meeting. The Forum serves as a platform for members to discuss
current privacy issues with other members, the Privacy Commissioner,
and key officials from relevant organisations in a relaxing atmosphere.
In
the last forum, there were lively discussions surrounding the subject
of "whether positive credit data should be shared by financial organisations
for credit assessment purposes". The PCPD was honoured to have
Mr Roger Luk, Managing Director & Deputy Chief Executive, Hang Seng
Bank Limited, and Mr. Raymond Li, Executive Director (Banking Development),
Hong Kong Monetary Authority, join us and express their valuable
opinions.
Mr. Raymond Tang, Privacy Commissioner, presented souvenirs to
Mr. Roger Luk (the left photo) and Mr. Raymond Li
Join
the DATA PROTECTION OFFICERS' CLUB and keep up to date with key
developments of privacy and data protection
Now
it is your chance to sign up to an exclusive club guaranteed to
help you keep your finger on the pulse of emerging trends and issues
in the hotly topical area of privacy and data protection.
You
are invited to join the Data
Protection Officers' Club - your gateway to an expansive
network of professionals tasked with the responsibility of implementing
and coordinating measures to protect personal data privacy in Hong
Kong.
The
PCPD organises the Club to provide a channel for two-way communications
between the PCPD and data protection officers across a broad range
of organisations to exchange views and share experiences with others.
Membership
of the club will not only assist you in implementing measures to
comply with the Ordinance - it will give you access to a constructive
Privacy Forum, where you can discuss or debate topical privacy issues
in the territory with key representatives of relevant organisations.
The
Club meets regularly to discuss relevant topical issues, PCPD activities,
latest complaint cases, and case studies of the compliance experience
of major organisations.
Data
Protection workshops exclusive for members will also be organised
and certificates and souvenirs of recognition will be awarded
to participants upon successful completion of the course.
The joining fee for each membership is only HK$300 per year, which entitles
you to all of the above privileges, plus all relevant PCPD
publications and a discount on sales of PCPD training materials.
Also, a complimentary copy of "Privacy.SAFE", a privacy compliance
self-assessment kit (original price is HK$150), will be given to
each member upon joining the Club.
The
next meeting of the Club will be held in April 2002. For further
details, please call us on 2877 7171.
Q: I always make use of the internet service at public libraries.
One day, when I was net browsing at a public library, a librarian
kept watching behind me and made me feel very uncomfortable.
Does such an act of the librarian infringe upon my privacy?
A: Under the Personal Data (Privacy) Ordinance ("the Ordinance"),
personal data mean any data from which the identity of a living
individual is identifiable and they must be recorded in a form
in which processing or retrieval is practicable, such as one's
name, identity card number, telephone number, address and age.
In your case, unless the librarian has collected your personal
data while watching you or otherwise, it would not fall within
the regime of personal data privacy, despite the fact that it
is privacy related in a broad sense. Therefore, the librarian
has not contravened the Ordinance.
Do
you want to share your experience, comments, queries or views about
personal data privacy protection in this column? As a token of appreciation,
those with letters published will receive a souvenir from us. Write
to us now! Please send your article to Promotion Officer, Office
of the Privacy Commissioner for Personal Data, Unit 2001, 20/F,
Office Tower, Convention Plaza, 1 Harbour Road, Wanchai. Please
provide us your name and daytime contact phone number for the
collection of souvenir. Publication of the article is at the discretion
of the PCPD.
The
information provided will only be used for the purpose of handling
your submission of article to "Privacy Chat Room". You
have rights of access and correction with respect to your personal
data held by us. If you wish to exercise these rights, please contact
the Promotion Officer of the Office.
Copyright 2001 Office of the Privacy Commissioner for Personal
Data, Hong Kong. All rights reserved.