Introduction
Privacy Commissioner's Overview
Raymond Tang
Privacy Commissioner for Personal Data
This is the PCPD's eighth annual report and covers the period 1st April
2003 to 31st March 2004.
The events of the year have taken place against the backdrop of budgetary
constraint. With no diminution in the activities of the PCPD, this has
meant that staff have had to adjust to a new economic order and become
responsive to the demands that it makes upon them. Over the course of
the year we remained committed to programmes designed to trim costs and
to look for new efficiencies. In turn this has necessitated some organizational
restructuring and a fine-tuning of our operational policies, procedures
and systems. We remain steadfast in our commitment to providing high quality
services to the community and have therefore had to be enterprising in
our approach to doing more, with less. As I mentioned in the 2002-2003
annual report, I think the experience of operating under different economic
circumstances has provided us with valuable learning. We seek to both
enhance that learning and apply the lessons drawn from it by being proactive
towards change and mindful of the need to remain flexible in terms of
new ways of doing things.
Of course new challenges have impacted upon staff. Nonetheless, I am
heartened by the collective resolve of the team I lead in terms of their
recognition of the view that change is the only constant. All of us remain
aware of the magnitude of the task that lies ahead and I am keen to ensure
that we are judicious in the resources we allocate to projects, the value
of their output and the outcomes achieved. Once again, I must record my
appreciation of the positive approach taken by staff in accommodating
the changes that have been necessary. I am also grateful for their patience
and understanding. Without a good measure of fortitude and the acceptance
of the need to reflect carefully upon our priorities I do not think we
would have been capable of meeting the targets we set ourselves. As I
hope this annual report demonstrates, we have maintained a high level
of productivity and, at the same time, managed to take on new projects
that have sustained our visibility both in the local community and the
international arena.
The Year at a Glance
I would like to begin
this report by commenting on the work of our Operations Division which
remains central to discharging the PCPD's statutory duties.
For the year in question
the number of enquiries received declined marginally whereas the number
of complaints increased marginally over the preceding year. Nonetheless,
the gross figures in each category suggest a continuing interest in personal
data privacy and a strong desire on the part of the community to protect
the privacy rights afforded them under the provisions of the Personal
Data (Privacy) Ordinance ("the PD(P)O"). In my view, this indicates that
our investment in corporate communications has paid off in terms
of the willingness demonstrated by the general public to exercise their
rights. At one time we were largely in the business of engaging communications
strategies to create awareness. Today we are more concerned with segmenting
the community as an audience and addressing the needs of particular subsets
whether they be in terms of demographics e.g. age, or in terms of a particular
economic sector e.g. credit providers. This shift in emphasis has moved
us beyond the awareness stage to one in which the community, or segments
of it, have developed a more profound understanding of personal data privacy
issues and attendant rights. Depth of understanding in the community does,
I believe, translate into sophistication of understanding. In turn, this
will reaffirm the need felt among members of the public to better protect
their privacy, in the face of myriad challenges to it, and draw to the
attention of the PCPD any violation of their personal data privacy rights.
I feel this process is mutually beneficial in that it will ensure the
continued relevance of our work by facilitating the development of more
specific expertise in the areas of compliance and enforcement.
Let me now summarise
some of the more significant projects that the PCPD has been involved in
over the course of the year.
Revisions to the Code of Practice on Consumer Credit Data
A revised version of the Code of Practice on Consumer Credit Data, first
published in February 1998, was issued in June 2003. It will be recalled
that the revisions to the Code were designed to enable credit providers
to share positive credit data. Sharing of such data, which is an established
practice in developed jurisdictions such as the USA and UK, would better
inform decisions associated both with new applications for credit and
the renewal of existing credit facilities.
At the moment credit
providers are contributing personal data to the credit reference agency
but are not, as yet, permitted to make full use of the data except under
certain circumstances e.g. the granting of new credit or the restructuring
of existing credit arrangements. This is because the PCPD held to the view
that there should be a twenty-four month transitional period before there
could be full usage by those credit providers subscribing to the scheme.
In effect therefore credit providers will only be able to make full use
of the services provided by the credit reference agency in June 2005.
A precautionary measure
taken by the PCPD was the requirement for the credit reference agency to
submit its operational procedures and systems to an annual audit undertaken
by an independent third party that possesses the requisite expertise.
A copy of the audit report must be provided to the Privacy Commissioner
for scrutiny and, where appropriate, his comment. The first independent
audit has recently been completed for the sole credit reference agency
currently operating in Hong Kong and the audit report submitted to the
PCPD. This was subsequently reviewed and approved by the Privacy Commissioner
in April 2004.
Draft Guidelines on Monitoring and Personal Data Privacy at Work
The report on the public
consultation conducted in conjunction with the Draft Code of Practice
on Monitoring and Personal Data Privacy at Work was published in December
2003. After extensive review and analysis of the submissions made the
PCPD decided that, at this point in time, it would be preferable to issue
good practice guidelines rather than a binding code. This decision was
taken in the belief that guidelines would offer an optimal solution in
terms of balancing the legitimate interests of employers and the personal
data privacy rights of employees.
The PCPD has never disputed
the right of employers to manage the resources and assets of the business
as they see fit. However, by the same token we do not subscribe to the
view that, upon entering the workplace, employees automatically forfeit
all rights to personal data privacy. Our consistent view remains that,
at a very minimum, the employer should adopt a transparent approach to
employee monitoring by promulgating and disseminating a lucid employee
monitoring policy.
The guidelines are currently
being drafted by the PCPD.
Trans-border Data Flow Survey
The PCPD is aware of the fact that there has been a significant increase in
trans-border outsourcing of business processes to third parties that are
located outside Hong Kong. Frequently, this practice involves movement
of personal data of customers, employees etc. across jurisdictional boundaries;
a movement that has, of course, been made routine by advances in technology.
All indications are that, with the growth of e-business, and the reliance
placed upon it, this trend will increase significantly in coming years.
Organizations engaged in trans-border data flow frequently cite the economic
benefits to be derived from the practice resulting in leaner organizations
and more cost effective business processes. Not surprisingly, this type
of arrangement has rapidly diffused and is now an essential component
of business models in diverse economic sectors in Hong Kong.
At present, the PCPD
does not fully comprehend the pervasiveness of trans-border data flows,
the processes involved in the transfer of personal data and the issues
pertaining to its protection, that organizations may encounter when engaging
in offshore outsourcing. In seeking to obtain a more thorough understanding
of the picture on the ground the PCPD have decided to embark upon an exploratory
survey to assess the prevalence of, and trends in, trans-border data flows.
It is hoped that the findings of this research will result in an enhanced
understanding of current practices in trans-border outsourcing and any
difficulties that may arise in applying adequate safeguards to the personal
data involved. With a deeper understanding the PCPD will be in a better
position to provide appropriate guidance and assistance to data users
in their endeavours to remain compliant. In the longer term, the PCPD also
see benefits that would contribute to establishing greater consumer trust
and confidence in those situations where personal data are transferred
to, or processed in, other jurisdictions.
The design of this survey
has been finalized and it is anticipated that fieldwork will commence
in the second half of 2004.
APEC Privacy Principles and Implementation Framework
In early 2003 the PCPD became involved in an APEC initiative whose primary
purpose was to develop a set of privacy principles that could be subscribed
to by all twenty-one member economies. This exercise was principally driven
by e-business considerations and the desire to reconcile the free flow
of essential information needed for business transactions while at the
same time protecting the personal data of the individual, notably in those
situations where personal data are transferred across national boundaries.
After numerous rounds
of discussions and revisions to the nine principles that form the bedrock
of the project, it looks very much as if they will be submitted to senior
officials for ratification later this year. If the principles are endorsed
then a basis will have been laid that will enable member economies to
harmonise their privacy regimes, without compromising national integrity
insofar as constitutional and legal systems are concerned. Having said
that, it is worth pointing out that there is a good deal of variation
in the extent to which personal data/information privacy has been institutionalized
within member economies.
A complementary phase
of this project is on-going and involves developing an implementation
framework that will depict the methods that may be engaged to set this
initiative in motion. The current expectation is that the project will
be concluded in 2005. It will then be for member economies to take the
principles and implementation framework and determine how to operationalise
them. In the immediate short-term it is hoped that the outcome of this
initiative will be to increase trust and confidence in e-business. In
the longer term the outcome sought is to boost the volume and value of
e-business activity within and between the member economies constituting
APEC.
The Outlook
I would like to close
by making mention of the work that is on the horizon for the PCPD over
the forthcoming year and impart some understanding of our concerns for
personal data privacy and the policy areas that we will likely invest
resources in.
Let me just say that
I think it is the duty of people in my position to provide some broad
brush picture of the backdrop against which developments in privacy are
taking place. Since the events of 11th September 2001 the world has changed
irreversibly, most notably in terms of the measures introduced in many
countries to minimize the threats from terrorism. National security is
of course non-negotiable and there must be a resolute stand against terrorism
by the international community. However, irrespective of the importance
of this concern to governments around the world it should not, in my view,
be prefaced on the belief that there should be a casual disregard for
the value placed upon privacy in an enlightened society. That would turn
the clock back and nullify the significant advances that have been made
in securing and protecting privacy rights over the years. It is important
therefore that the largely legal and technological steps taken to reinforce
national security are proportional and give due consideration to their
impact upon the privacy of the individual.
The phrase that has
been coined to describe a rather extreme version of the future is the
"surveillance society". This is exemplified by a society in which a great
deal of human activity would be digitally recorded and stored in large
databases that could contain massive amounts of personal information or
bio-genetic profiles of entire populations. In a worst-case scenario,
the surveillance society could result in members of the community being
tracked twenty-four hours a day. Although that day has not yet dawned
it is evident that both internal concerns, such as airport security, and
the need to meet international obligations, such as the introduction of
anti-terrorism legislation, will inevitably result in the more pervasive
use of surveillance. In most instances this will be for well-intentioned
purposes that are designed to ensure that the safety of people and property
are not compromised. Nonetheless, it is important that the community is
alert to the potential for surveillance to become a ubiquitous and highly
privacy-intrusive technology. One does not want to be unduly dramatic
about this but there is a potentially sinister dimension to surveillance
that many people are uncomfortable with; myself included.
Other than signaling
to the community the prospect of surveillance becoming more pervasive,
if not invasive, of our daily lives I think that the PCPD can take a more
proactive role by contributing towards security solutions that are, as
far as possible, privacy-friendly. This means that privacy issues must
feature as an integral part of the solution to a given problem rather
than some adjunct to it once all the important decisions have been taken.
I hope therefore to enlist the support of the private and public sectors
in ensuring that projects that resort to one form of electronic surveillance
or another have privacy concerns inbuilt at the outset as an integral
part of the project. In an ideal world I would like to see privacy issues
enumerated as a key performance indicator or explicit outcome of a project.
I hope therefore in the year ahead that we will be able to deploy some
of our communications resources in getting this message across.
This takes me to an
aspect of our work that I hope will make a strong contribution to privacy
compliance. Over the course of the next year we will embark upon a programme
to educate the community, private and public sectors in particular, about
Privacy Impact Assessment ("PIA"). PIA has been defined as "the identification
of future consequences of a current or proposed action" and implies the
adoption of a systematic process that evaluates any project proposal in
terms of its impact upon privacy. The position taken by the PCPD is that
PIA should become a constituent component of the project planning process.
PIA has the potential
to become a major force in identifying and managing the "downstream" privacy
impact of projects, especially those that make use of computer-based or
surveillance technologies that capture and collect personal data. We will
therefore make PIA a focus of our efforts over the year and, in the longer
term, move on to consider the related aspect of privacy compliance or
the auditing of projects that have been evaluated by PIA.
In conclusion, I remain
confident that the PCPD will rise to the varied challenges that lie ahead:
challenges that have the potential to threaten our personal data privacy
in Hong Kong. We remain committed to maintaining a high level of service
to the community and will be taking every opportunity to work with other
organizations, both local and regional, to ensure the public remain informed
of developments in personal data privacy and the steps that can be taken
to minimize any adverse consequences arising from them. I see education,
training and communications as an essential mix in achieving that objective
and in the gradual modification of personal behaviours that will work
towards a society in which there is a culture of respect for privacy in
all its forms.