Privacy Commissioner's Overview

Raymond Tang Privacy Commissioner for Personal Data

The events of the year have resulted in a significant increase in the workload of the Privacy Commissioner's Office ("PCPD") and this has made considerable demands upon the resources of the organization. I attribute this development to the fact that Hong Kong citizens are better informed and more knowledgeable about their personal data privacy rights and, for that matter, more inclined to protect them. Greater demands have necessitated the re-allocation of resources and greater flexibility in work practices in order to sustain an acceptable level of service to the community. It is a measure of the motivation of all staff that I can report, with some confidence, that the PCPD has come through difficult times with credit. In my view the year has provided us with valuable learning, and that learning will need to be consolidated if we are to be resourceful in the immediate future: a future characterized by a good deal of uncertainty.

Over the course of the year the PCPD continued to work towards the conclusion of projects already in hand as well as embarking upon new initiatives aimed at strengthening its role in protecting personal data privacy rights and encouraging compliance. Internationally, the PCPD developed closer relations with other jurisdictions and forged new relationships in the region. One tangible example of the latter was a Memorandum of Understanding signed with South Korea in November 2002. Greater direct involvement in the affairs of the Asia Pacific Economic Cooperation ("APEC") forum provides yet another illustration of the PCPD's commitment to ensuring that Hong Kong's personal data privacy interests are well represented at the regional level. These initiatives mark a refinement in the strategy of the PCPD and are a response to evidence indicating that privacy issues have moved from being of local significance to being of regional, and in time global significance. It is important therefore that Hong Kong is represented at international forums that have taken up the privacy cause with the intent of ensuring a degree of compatibility towards privacy-related issues of common interest.

The Year at a Glance

Elsewhere this report details those activities undertaken by the five divisions comprising the PCPD: Operations, Administration, Legal, Corporate Communications and Policy. I will not elaborate on those activities in this overview but I would like to make reference to some of the projects, both on-going and new, that have been the focus of a good deal of attention in the year under review.

The Hong Kong Smart Identity Card

By the time this annual report is released the first batch of smart identity cards will have been issued. Over the year PCPD staff have been in close liaison with colleagues in the Immigration Department to ensure that the privacy issues associated with the smart card are fully understood and made transparent to the community. Given the smart card's capacity to store considerable amounts of personal data we feel that it is right and proper that the community is made aware of the importance of the concept of consent when collecting personal data for applications other than that deemed necessary for Immigration Department purposes. I am of the view that citizens should be informed of the potential privacy risks as well as the benefits to be derived from storing personal data on the card. Being transparent around the issues will generate public trust and confidence and assist individuals to making a choice as to whether there is added value to be derived from storing additional personal data on the card. This will be of particular relevance if the capacity of the smart ID card were to be utilized for other functions in the future, which, whilst beneficial to the individual, might also impact upon data privacy, such as health data, e-purse, etc.

The Broader Sharing of Consumer Credit Data

I drew attention in last year's report to the situation of consumer debt in Hong Kong and the call for a greater sharing of consumer credit data by the financial services sector. The argument put before the PCPD was that credit providers were hampered in their ability to make sound judgements regarding the true creditworthiness of individuals applying for new credit, or a rollover of existing credit facilities. This was because their access to borrowers' credit information was restricted principally to negative data. The request for greater sharing of consumer credit data would mean a relaxation of the current regulatory regime pertaining to consumer credit data sharing. For this to happen there would need to be amendments to the Code of Practice on Consumer Credit Data which first came into effect in November 1998. Naturally the PCPD needed to be convinced that any relaxation was justified and that, if conceded and from a consumer's perspective, credit providers should take it upon themselves to confer benefits upon those borrowers who were prudent in the management of their personal finances.

The final version of the amended Code took effect in June 2003. I believe the experience is a good example of the way in which the PCPD has brokered a solution that balances the respective interests of credit providers and borrowers. The balance between the public interest and personal data privacy rights is not always an easy one to strike but I am satisfied that the privacy safeguards that the financial services sector are required to comply with will allay the fears expressed in some quarters of the community. Having said that the PCPD is mindful of its obligation to ensure compliance and will be devoting resources to that aspect of the new consumer credit sharing regime.

The Draft Code of Practice on Monitoring and Personal Data Privacy Draft at Work

The development of the Draft Code of Practice on Monitoring and Personal Data Privacy at Work originated with a study commissioned in 2001. Fundamentally this was an attempt to give protection to employee privacy in the workplace rather than an attempt to constrain the employer's right to manage the assets and resources of the organization. Central to the draft Code are two guiding principles: that of transparency and proportionality. These were used, in conjunction with the data protection principles of the Personal Data (Privacy) Ordinance (Othe PD(P)OO) to produce a set of provisions that afford a degree of privacy in the workplace with specific guidance on the collection, notification and handling of monitoring records.

The draft Code was the subject of a consultation exercise that ended in June 2002. Most of the submissions received were very detailed and offered valuable insights to workplace monitoring practice. They are currently being analyzed and it is anticipated that a report on the consultation exercise will be released later in 2003.

Surveillance Cameras in Public Places

Towards the end of the last reporting year it will be recalled that the Hong Kong Police made a public announcement that they intended to install surveillance cameras in Lan Kwai Fong. This proposal generated a considerable amount of media interest and public debate. Much of the debate hinged upon security and privacy arguments and the use to which surveillance records might be put. However, subsequent to the announcement, and possibly in view of the privacy concerns expressed by the community, the proposal was postponed.

Coincidentally, at this time the PCPD were engaged in researching and drafting the Code of Practice on Monitoring and Personal Data Privacy at Work. It seemed logical therefore to broaden the definition of surveillance to include the use of surveillance cameras in public places. To better understand the phenomenon the PCPD commissioned a survey to give definition to the privacy issues and map perceptions of the community towards them. At the time the survey was conducted the PCPD were not aware of any large-scale enquiry into issues of public place surveillance or the variables that might impact upon the substance and parameters of public opinion. However, the crude 'evidence' to hand is that community opinions towards the use of surveillance cameras in public places are contingent upon the circumstances under which surveillance activities take place and the safeguards applied to monitoring records gathered during the course of surveillance.

APEC Privacy Initiatives

Over the course of the year it became evident that APEC was intent upon progressing an earlier decision to adopt privacy as an agenda item by establishing organizational arrangements that would facilitate experience sharing and debate among member economies. It is encouraging to see debate being elevated to a regional forum and I am certain that valuable work will come out of this APEC initiative. As trans-border data flows increase in volume it is only sensible to establish principles and frameworks that will be adopted by member economies in their consideration of privacy issues.

At present APEC is actively engaged in two major privacy projects. The first of these is a mapping exercise that seeks to establish the level of development of privacy, related legislation and the regulatory or compliance mechanisms in force in member economies. The second privacy project seeks to establish a common set of privacy principles that will inform and guide individual member economies in the handling of personal data/information. The intention here is to devise a rubric that is pragmatic and capable of winning broad-based support. I am optimistic that a practical set of privacy principles that encompass, and perhaps extend, the substance of our own data protection principles will do much to promote understanding in the APEC community and ensure broadly consistent standards between member economies. It should also facilitate multi-lateral trade by ensuring that a minimum acceptable level of protection is afforded to personal data collected in one jurisdiction and processed in another.

The Outlook

In terms of the immediate future what will the PCPD's priorities be? I think this question can be answered on two levels, the domestic and the regional. On the domestic front the PCPD will seek to enhance its understanding of privacy impact assessment and privacy compliance auditing. Resources are being allocated to enhance the skills of PCPD officers in these areas. Both competencies are necessary to ensure that complex projects with an important privacy component are, in the first instance, comprehensively mapped in terms of their privacy impact.

In the forthcoming year the PCPD will also commence work on a project designed to gain deeper insights into the issues posed by trans-border data flows, involving personal data collected in Hong Kong, being electronically sent to other jurisdictions for recording or processing purposes. Trans-border data flows raise important privacy issues and are dealt with under Section 33 of the PD(P)O. Although this section of the PD(P)O has not yet come into force it is important that the PCPD remains proactive towards emerging events. It is our intention therefore to conduct a baseline survey of the practices of those larger organizations that have already instituted systems that involve the transfer of personal data collected in Hong Kong e.g. customer billing data, to other branches of the organization located in other countries.

On the international front the PCPD will strengthen its relations with data protection commissions in other jurisdictions to ensure that there is mutual understanding and experience sharing regarding contemporary issues, and responses to those issues. In APEC the PCPD looks forward to the events of the forthcoming year and working closely with colleagues in this forum. Hong Kong has a relatively well established privacy regime vis-à-vis some jurisdictions and has the advantage of hindsight. I am keen to share our privacy experience with colleagues in the APEC community and to ensure that the PCPD makes a solid contribution to the privacy initiatives it sponsors.

In closing I feel that as a relatively small organization with limited resources, we have, over the year, indicated our willingness to tackle new issues and move in new directions. At the same time we have not lost sight of key measures of our efficiency and have been able to maintain a relatively high level of service to the community. While the future is uncertain the PCPD is pledged to confront the challenges that lie ahead with a level of commitment and professionalism befitting our role as a regulator of the community's personal data privacy rights.