Approaches to Privacy ~ The Hong Kong Experience
Raymond Tang
Privacy Commissioner for Personal Data
Hong Kong SAR China
at the APEC E-Commerce Steering Group Forum on Privacy
Hotel Camino Real Mexico
Mexico City, Mexico
Friday, 22 February 2002
Foreword
E-Commerce has
been promoted as the 'new way of doing business' for quite a few years.
But apart from the occasional few success stories, it has not surpassed,
let alone replaced, the 'old way of doing business'. The rapid demise
of some of the once high-flying e-business operators further dampened e-consumer
confidence.
The PCPD conducted
an opinion survey in 2001 on the order of importance of a range of factors
which might affect the making of a decision by a prospective e-consumer
to conduct a transaction on-line via the Internet. On a scale of
10, respondents ranked Privacy Protection as the most important
at 8.1, ahead of Quality of Service and Redress Mechanism (6.74), Range
of Choice (6.54) and Pricing (at a lowly 5.79). The results
were telling and clearly indicated an issue of priority in the context
of on-line transactions and development of e-commerce.
Other research
and studies also support the proposition that development of e-trust and
e-confidence is vital to the promotion and eventual success of E-commerce.
These indications were quickly noted and steps to address them taken on
board by the relevant industry.
The E-Commerce
Steering Group was established by APEC (Asia Pacific Economic Cooperation)
in 1999 with representation from various business sectors of the member
economies. Its mandate is to co-ordinate e-commerce related efforts
in pursuit of the Blueprint for Action endorsed by APEC Ministers in November
1998. At APEC 2002 Mexico, and for the first time, a Privacy Forum
was organized by ECSG to discuss privacy issues and facilitative measures
that would strengthen consumer trust and confidence in electronic transactions.
Member economies were invited to present their views and share their experience.
The Hong Kong
SAR is amongst a handful of jurisdictions which have established a comprehensive
statutory and regulatory regime to monitor and regulate the collection
and use of personal data in both public and private sectors. The
PCPD was invited to make a presentation on Hong Kong's approach to privacy.
A full paper describing the SAR's experience in promoting the concept of
personal data protection was submitted to the Forum. The presentation
and the paper were well received by the delegates.
Introduction
Over the past
decade or so there has been, in many societies, a burgeoning of interest
in personal privacy and privacy related issues. This has certainly been
the case in Hong Kong and yet, in a Chinese context, this appears to be
a little surprising. This is because in Chinese society the concept of
privacy in a modern sense is relatively new. In Chinese vocabulary, the
word for "privacy" connotes the notion of secrecy or that there is something
which an individual consciously wishes to hide. As a result, privacy relating
to personal data, which is the principal concern of the Office of the Privacy
Commissioner for Personal Data ("the PCPD"), is a novel concept. However,
this situation has changed significantly over the past five years, which
coincides with the date of the PCPD going operational.
It is clear
from research undertaken by the PCPD that members of the community have
come to regard the protection of personal privacy as both an essential
right and important area of social policy. This is encouraging because
five years ago there was some doubt as to whether that would be the case.
In 1994 when the idea of a privacy commissioner's office was being debated
the community seemed a little indifferent to the notion of privacy and,
in some instances, confused by it. At that time a primary stimulus for
establishing the PCPD came from the business sector which was anxious to
conform with the OECD's Data Protection Guidelines that addressed the matter
of transborder data flow. However, from this early expression of interest
the concept of privacy, and more specifically personal data privacy, has
become more diffused. Today the community is at least aware of, and in
some cases conversant with their rights under the Personal Data (Privacy)
Ordinance ("the PD(P)O") which is the piece of legislation regulated by
the PCPD. In a relatively short period of time therefore the collective
endeavours of the PCPD have enabled it to pass two important milestones
during the introductory phase of its existence. Firstly, the community
has a better understanding of personal data privacy. Secondly, the PCPD
has been successful in conveying to the citizens of Hong Kong that the
law affords them privacy rights and protection. Although constantly active
in the area of compliance there is the real prospect over the next five
years of making steady progress towards a very important social goal. That
social goal is the universal respect by citizens of another person's personal
data privacy. The ideal state would be one in which there were a culture
that would be conducive to extending that respect to a wider remit of the
concept of privacy i.e. beyond the boundaries of legal requirements and
limitations. Ultimately privacy would become something that is inherent
to the individual, an essential part of the composition and upbringing
of future generations as complete members of a modern civilised society.
The next five years will set the tone for achieving this ultimate objective.
This paper outlines
the approach taken by the PCPD towards personal data privacy and sets it
against the background of the macro-environment of Hong Kong. In so doing
the intention is not to convey a sense that the PCPD has divined some sort
of blueprint. Rather, it is an approach that has suited Hong Kong. At this
early juncture it is perhaps worth recording that not all quarters of our
society are strong supporters of our work and we have our critics. This
has accentuated the need for the PCPD to balance the competing interests
evident in our community. Reference will be made later on to our thinking
regarding the way in which we have managed to accommodate competing interests
and, in so doing, avoid alienating sections of society. Of course, we have
not managed to please all of the people all of the time but we strive at
least to understand their needs and address them.
Before going
into more detail regarding the principles that underpin the approach, and
modus operandi of the PCPD, it is desirable to at least attempt a definition
of the term privacy and, in particular, personal data privacy.
Privacy and Personal Data Privacy
It was the French
philosopher and writer Voltaire who once said, "Define your terms and we
shall talk." This is easier said than done insofar as the concept
of privacy is concerned. In spite of the significant growth in interest
expressed in privacy by academics, lawyers, IT professionals and members
of the global privacy community, an all encompassing definition that has
broad based approval seems as elusive as ever. This is possibly the result
of privacy being a deeply personal concept lacking in readily definable
parameters. It is also something of a moving target. That is, privacy is
constantly being redefined by the application of new technologies and current
events. Even then, this takes no account of the expediency exercised by
the political authority of the day.
As a starting
point privacy may be classified into one of at least four general categories
although the borders of those categories are less than distinctive.
- The interest of the person in controlling the information held by others about him/her, or "information privacy".
- The interest in controlling entry to the "personal place" of another, or "territorial privacy".
- The interest in freedom from interference with one's person, or "personal privacy".
- The interest in freedom from interference with one's interaction with another e.g. from surveillance and interception of one's communications, or "communications and surveillance privacy".
The PD(P)O
is concerned primarily with information privacy or what in Hong Kong is
termed personal data privacy. In essence the provisions of the Ordinance
regulate the activities of data users i.e. collectors of personal data,
in terms of their use of the personal data of the individual i.e. the data
subject. In so doing the law endows the individual with personal data rights
which are derived from six Data Protection Principles ("the DPP") that
give legitimacy to those rights. The DPP will be reviewed in a little more
detail later on in this paper.
Personal Data
are those identifiable pieces of information such as: name, address, age,
identity card number, salary, marital status, phone number, e-mail address,
personal image, financial status, opinions held by the data user of an
individual etc. By this definition personal data assumes a similarity with
the term information data used in other jurisdictions but is not identical
with it. More specifically personal data are defined in the PD(P)O as:
- relating directly or indirectly to a living individual;
- from which it is practical to ascertain the identity of the individual; and
- in a form in which access or processing is practicable.
What this means
is that there must be a tangible record of personal data whether that be
a database containing details of customers, or a CCTV tape held by an employer
that contains the image of individual employees. It is also worth noting
that, according to a recent Appeals Court ruling, personal data is only
regarded as personal data if the data user compiles the data with
the intention of identifying a particular individual.
Factors Driving the Interest in Personal Data Privacy in Hong Kong
The interest
in Hong Kong in privacy is largely a response to three main drivers:
- technological factors;
- social factors; and
- global economic factors.
Technological Factors
Hong Kong exemplifies
a consumer marketplace in which new technology is rapidly diffused. For
example, the mobile phone market has reached saturation levels yet approximately
half of all cell phone owners change to an upgraded model each year. Another
indicator is offered by the pre-recorded video tape market. This format
has declined drastically largely because of the popularity of the DVD.
However, perhaps the greatest passion for technology has come with the
advent of the PC. According to a survey conducted by the Census and Statistics
Department in 2001 Hong Kong exhibits the following features:
- approximately 1 in 3 people have access to and use the Internet;
- the current household penetration of domestic users of the Internet is 54%; and
- there are in excess of 30,000 registered websites (.hk).
In all probability
these figures under-report the current ownership of PCs in domestic households,
and usage of the Internet. However, with the growth in ownership of PCs
and Internet usage there has been a concomitant development. Successive
surveys, and our own research, indicate that there are low levels of trust
and confidence in the integrity of personal data both in transmission and
in back-end systems. As a result the predicted boom in B2C E-Business just
has not materialized. Such anxieties explain why in Hong Kong consumer
expenditure online is only in the region of 1% of total consumer expenditure.
The infrastructure is there, and citizens have a high level of familiarity
with it, yet privacy concerns remain a major stumbling block to online
purchasing.
It is reasonable
to conclude that technological convergence, miniaturization, the advent
of the information age and the E-Business economy have, on the one hand,
brought considerable benefits. However, on the other hand it is equally
clear that the community in Hong Kong sees significant privacy risks in
terms of the management of personal data by online data users. As the PCPD
operates on the belief that what is unlawful off-line is unlawful online,
there is a duty on the part of the PCPD to ensure online compliance with
the Ordinance. This is a task to which we devote considerable time
and resources.
Social Factors
Over the past
few years there has been a great deal of interest shown in privacy and
privacy related issues in Hong Kong. The debate has transcended all levels
of society from the government, to professional associations, to the man
in the street. Interest in privacy is reflected in local media where the
topic has become a relatively common item in newspaper articles and TV
programming. Indeed, privacy is now a constituent element of university
law studies.
This level of
interest, along with the work of the PCPD, has had a profound and sustained
effect upon citizens. The debate has moved on from being of primary interest
to privacy advocates, to becoming a phenomenon that virtually everybody
has come to regard as a right they wish to exercise. The raising of the
profile of the debate has produced four main results.
- First of all there has been an increase in the value attached by the individual in terms of who uses their personal data and for what purpose(s).
- Secondly, there is now a firmly established need on the part of individuals to exercise control over their personal data.
- Thirdly, the individual expects data users to inform them of any change of use of their personal data which should be conditional upon the consent of the data subject.
- Finally, privacy has established itself as a human right and this is recognised under the Basic Law that governs the Hong Kong Special Administrative Region of China.
Global Economic Factors
The move towards
a global economy has largely eroded the classic protectionist mindset of
trading nations. The protectionist creed had, for decades, been used to
defend domestic industries, or entire economic sectors from the competition
of imports. As a consequence markets became inefficient, prices were held
at an artificially high level and generally a disservice was done to the
customer. However, this is a far cry from the liberalisation of trade and
dismantling of tariff barriers that has occurred over the past two decades.
Bi-lateral trade has given way to multi-lateral trade due mainly to the
impetus of powerful trading blocs such as the European Union and ASEAN.
More recently this trend has been taken to its logical conclusion, the
globalisation of trade, characterised by a vision of the world as one market.
The importance
of this global economic development is not lost upon those in the privacy
community. The most serious concern is in terms of the capacity of data
users to transfer vast quantities of personal data across international
borders. Without the appropriate controls in place this is a potentially
worrying development because the personal data of millions of individuals
could be used as the raw data input to marketing programmes that assume
global proportions.
The combined
effect of these factors has been to bring into sharp focus the fact that
the protection of privacy has now become a truly international activity.
It was the implicit recognition of this fact that resulted in the OECD
issuing its landmark set of Data Protection Guidelines in 1980. This initiative
has of course been taken one step further by the European Union which,
in 1995, issued a directive on the protection of individuals with regard
to the processing of personal data and the free movement of such data.
The purpose of issuing the directive was to ensure that, unless there were
adequate protection of personal data in countries outside the European
Union, transborder transfer of personal data could be interfered with,
if not suspended, between EU member states and third party countries. Given
that Hong Kong's economic success is in large part due to its competitiveness
in the international market place it became apparent to the Government
that the economy could not afford to be competitively disadvantaged by
not having a legal data protection regimen that met the requirements of
the EU directive.
Hong Kong's Approach to the Protection of Personal Data Privacy
It was against
the background of these sorts of developments that the Government of the
HKSAR decided it was appropriate to commit to statutory protection of personal
data privacy. The rationale for this decision was based upon four main
arguments.
- Prior to the enactment of the PD(P)O it was felt that the OECD's data protection guidelines were not comprehensively addressed by any existing legislation in Hong Kong.
- The alternative to the statutory regulation of personal data privacy was self regulation. However, it was felt that this would result in a piecemeal 'solution' and would fail to offer either adequate or comprehensive protection of privacy rights at a time when there was some evidence of increased invasiveness.
- The international transfer of personal data, that is frequently a prerequisite of international trade, necessitated reciprocal measures if the free flow of data to and from Hong Kong were to be guaranteed.
- International covenants such as the International Covenant on Civil and Political Rights ("the ICCPR")1 to which the Hong Kong SAR is a signatory, and the Hong Kong Bill of Rights Ordinance ("the BOR") place statutory obligations upon the government to defend privacy as a human right.
So it was that
in 1994 the Privacy Sub-Committee of the Law Reform Commission ("the LRC")
investigated and reported on the reform of the law relating to the protection
of personal data.
The LRC's review
of other jurisdictions indicated that there were three macro approaches
towards institutionalising the protection of privacy.
1 Article 17 of the ICCPR states, "No one shall be subjected to arbitrary or unlawful
interference with his privacy, family, home or correspondence, nor to unlawful
attacks on his honour and reputation."
Option 1 - Institute a statutory framework and regulatory body funded by the State.
Option 2 - Create a statutory tort of invasion of privacy to permit civil proceedings1.
Option 3 - Rely upon self regulation e.g. voluntary Codes of Conduct and professional/industry watch dogs.
The
LRC took the view that it was in Hong Kong's best interests
that internationally agreed data protection guidelines be given statutory
force both in the public and private sectors. In the preparation of this
report, independently commissioned research surveyed public attitudes to
privacy. The findings of that survey indicated that there was broad-based
support in the lay community for the statutory protection of privacy.
1 In a recent consultation paper issued by
the LRC two recommendations were made. Firstly, that there should be a
statutory tort of invasion of privacy against "... any person who intentionally
or recklessly intrudes, physically or otherwise, upon the seclusion and
solitude of another or into his private affairs or concerns."
The second recommendation proposed that "... any person who gives publicity
to a matter concerning the private life of another should be liable for
a statutory tort of invasion of privacy provided that the disclosure in
extent and context is of a kind that would be seriously offensive and objectionable
to a reasonable person of ordinary sensibilities and he knows, or ought
to know, that such disclosure is seriously offensive and objectionable
to such a person."
The Personal Data (Privacy) Ordinance
In
response to the LRC's final report the (then) Hong Kong Government set
to work to draft the PD(P)O, the provisions of which were to be regulated
by an independent statutory body, namely the Office of the Privacy Commissioner
for Personal Data. In effect the PCPD is a manifestation of Option 1 although
it embraces elements of Options 2 and 3. The statutory framework afforded
by the PD(P)O ensures the independence of the PCPD as a regulatory body,
permits civil redress for any contravention of the provisions of the Ordinance,
and empowers the Commissioner to promote self-regulation through issuing
Codes of Conduct. To date the PCPD has issued three such codes: the Code
of Practice on the Identity Card Number and other Personal Identifiers;
the Code of Practice on Consumer Credit Data; and the Code of Practice
on Human Resource Management. A fourth code, the Code of Practice on Employee
Monitoring and Personal Data Privacy at Work, will be released for public
consultation in March.
The
PD(P)O came into effect in December 1996 and established the PCPD
to monitor, supervise and promote compliance with the Ordinance. The essential
features of the Ordinance can be summarised as follows:
- application directly, or indirectly, to a living individual;
- coverage that extends to the private and public sector; and
- application to automatic and manual data formats that result in the creation of a record.
Under
the Ordinance the Commissioner is empowered to investigate suspected breaches
of the PD(P)O and, where appropriate, enforce compliance by issuing an
enforcement notice. As a result, a primary function of the PCPD is to answer
enquiries (21,174 of which were received in 2001) and investigate complaint
cases (789 of which were received in 2001). Of necessity therefore the
PCPD has become an operations-driven organisation as expectations around
public sector service providers in Hong Kong are high. That aside, the
PCPD is expected to maintain publicised service pledges that are an important
measure of our productivity. The PCPD does not, at present, possess prosecutorial
powers as do comparable bodies in Hong Kong e.g. the Equal Opportunities
Commission. However, that may change in the not-too-distant future. In
the meantime cases that appear to merit prosecution are referred to the
Department of Justice for their consideration.
The
functions and powers of the Commissioner as articulated in the PD(P)O cover
the following main areas.
- Monitoring compliance with the provisions of the Ordinance by data users. Complaints
that pass an initial prima facie screening process are investigated by
staff of the Operations Department. As a matter of principle the PCPD much
prefers to act as a mediator between the complainant and the party complained
against rather than resorting to the big stick, although we are not averse
to so doing when warranted. To date our experience indicates that approximately
70% of complaints are filed against private sector data users, notably
banks, real estate agents, telecommunications providers and life insurance
companies. A further 20% are filed against government departments and agencies,
and 10% are filed against individuals.
- The approval and issue of codes of practice, that offer practical guidance
for compliance with the provisions of the Ordinance, require the PCPD to
put out a draft code for public consultation. This is an extremely valuable
exercise and a practice that is strongly recommended. The difficulty with
drafting codes of practice is that, although PCPD staff may be experts in
the legal technicalities of the Ordinance, it is often very difficult to
envisage precisely how tenable a particular clause in a code will be when
applied to a specific sector, industry or activity within the community.
Secondly, public consultation allows us to 'test drive' some of our ideas
and obtain valuable feedback with which to refine those ideas.
- The PD(P)O provides for the Commissioner to specify classes of data users e.g.
public registers or list compilers, that may be required to file information
regarding their personal data practices for compilation as a data users
register, that would be accessible by the public.
- The inspection and approval of automated personal data matching procedures.
In considering any adverse effect upon the data subject as a consequence
of large scale automated processes, that match personal data contained
on two or more databases, the Commissioner must ensure that the proposed
procedures comply with a number of conditions. For example, whether such
matching is in the public interest and whether there are practical alternatives
to matching procedures.
- Inspection of the personal data systems of data users. Coverage here includes private
sector organisations as well as government departments and statutory corporations.
These systems are invariably computerised so the PCPD have recruited a number
of IT specialists to undertake compliance checks.
- To promote awareness and understanding of the Ordinance. We believe that promotion
and training have been, and continue to be, invaluable tools in disseminating
a rather complex message. To date promotional activities have ranged from
main media campaigns e.g. television and newspapers, to open training seminars,
to road shows in large shopping malls. Continued emphasis will be placed
upon this aspect of our work although the focus of future campaigns may
shift to educational institutions.
- Liaison with our counterparts in other jurisdictions. The PCPD's expertise is largely
restricted to personal data privacy in Hong Kong and, because we have limited
resources, it is very valuable to be able to draw upon the expertise of
our colleagues in other countries. There is little point in reinventing
the wheel in Hong Kong when others have amassed considerable experience
in a particular aspect of privacy. While approaches in other jurisdictions
may not be directly transferable to the Hong Kong context, studying developments
elsewhere both informs our decision-making and contributes to a reduction
in cycle times.
- Monitoring developments in the processing of personal data and IT that may have an
adverse effect upon the privacy of the individual. The PCPD is required
to study the development of new technologies, and the products derived
from them, that may be privacy invasive e.g. smart cards and biometrics.
This
is not a comprehensive listing of the functions and powers of the Commissioner
but it provides an indication of the areas and activities that comprise
the greater part of the PCPD's day-to-day operations. Nonetheless,
we are mindful of the massive strides made in IT and the need to balance
respective risks and benefits insofar as they affect personal data privacy.
A contemporary example of the balance to be struck between benefits and
risks occurred in 2001 when the Immigration Department put forward a proposal
to replace the existing Hong Kong Identity Card (which had been in existence
since 1949) with a smart card. One of the concerns was that the smart card
chip could be used to store personal data of government departments other
than that of the Immigration Department. A second concern related to the
prospect of the private sector making representations to extend the original
function of the smart card to commercial applications. In both instances
the PCPD were of the view that these concerns hinged upon what is termed
"function creep". Simply, that the original purpose of the identity card
would come under pressure to deliver a host of supplementary applications.
These
concerns were conveyed to officials in the Immigration Department. The
PCPD also made the recommendation that the smart identity card project be
subject to a Privacy Impact Assessment ("PIA") which would investigate
the privacy issues, report on them, and make recommendations. This suggestion
was taken up and the substance of the consultant's PIA report has been
incorporated into subsequent phases of the project.
This
is merely one example of the new challenges confronting the privacy business;
challenges that demand the PCPD remain vigilant around the privacy impact
of new technology that is invariably sold on its benefits. It is our duty
to give voice to the associated risks so that the community can debate
the issues and come to an informed decision.
The Data Protection Principles
The
judgements made by the PCPD in the course of performing its duties, are
anchored in a set of tenets that are referred to as the Data Protection
Principles ("DPP"). These principles reflect the essence of the Ordinance
and serve as the foundation for personal data privacy rights in Hong Kong.
Most
jurisdictions with privacy legislation have similar statements of principle
although they may deal with aspects of privacy that go beyond the definition
of personal data privacy. It may be instructive at this point to briefly
review the data protection principles.
DPP1 - The Purpose and Manner of Collection
This
provides that personal data should only be collected by means that are
lawful and fair for the purposes related to the functions or activities
of the data user. In addition the data collected should be adequate but
not excessive for the purpose(s).
DPP2 - Accuracy and Duration of Retention
All
practicable steps should be taken to ensure that personal data are accurate
having regard to the purpose(s). If the personal data are believed to be
inaccurate, the data should not be used until it has been corrected. Alternatively,
the data should be erased. In addition, personal data should not be retained
any longer than is necessary for the purpose(s).
DPP3 - The Use of Personal Data
This
principle provides that personal data should only be used for the purposes
for which they were collected, unless the data subject consents to a change
in purpose. Furthermore, the prescribed consent should be express and given
voluntarily.
DPP4 - The Security of Personal Data
All
practicable steps should be taken to ensure the protection of personal
data against unauthorized or accidental access, processing, erasure or
other use, where these could cause harm to the individual. The principle
also provides for the protection of secured storage, accessing and transmission
of data.
DPP5 - Information to be Generally Available
This
principle deals with transparency and provides for openness by data users
about both the kinds of personal data they hold, and the main purposes
for which personal data are used.
DPP6 - Access to Personal Data
DPP6
confers upon the data subject the right to ascertain whether a data user
holds his/her personal data and to request access and correction of that
data. Should the data user refuse to comply with the request then the data
subject is entitled to be given a reason for the refusal.
The
DPP draw heavily upon the substance of the OECD's Data Protection Guidelines
and have elements that are common to principles found in other jurisdictions.
Is the PCPD's Approach to Personal Data Privacy Working?
The
answer to this question should be prefaced by saying that the PCPD has instituted
a computer based complaints handling system ("the CHS") which tracks the
progress of investigated complaints from day 1 to closure of the file.
The CHS is supplemented by an enquiries classification system such that
there are effective mechanisms for analysing core operational activities.
However, these systems largely address things from an internal viewpoint.
To ascertain the community's perceptions of the PCPD, its work, responsiveness,
and the major projects embarked upon, independent consultants are engaged
to undertake an annual survey of data users and data subjects.
It
has been said that time spent on reconnaissance is time seldom wasted;
a view that is subscribed to at the PCPD. We regard the annual opinion survey
as an important exercise. Firstly, it assists the PCPD to get a fix on its
position. Secondly, it enables us to track perceptions towards our work
on a year-to-year basis. Thirdly, it offers a means of testing new ideas
and recent initiatives. For example, the Code of Practice on Human Resource
Management was launched in April 2001. Some time later our consultants
asked data users whether this code had been helpful to employers and HR
professionals in terms of applying the provisions of the Ordinance to the
employer/employee context. We were gratified with the results obtained
from the survey which vindicated the time and money invested in the project.
The
above question can be answered more directly by pointing to some recent
survey findings regarding the PCPD's operational activities (Figure 1).
Figure 1 - Increase in Complaints and Enquiries handled over the past three years
| | 1999 | 2000 | 2001 |
|---|---|---|---|
| Complaints | + 38% | + 28% | + 33% |
| Enquiries | - 33% | + 27% | + 13% |
At the end of our first year of operation the PCPD had handled 2,423 enquiries
and 52 complaint cases. This compares with 21,174 enquiries received, and
789 complaint cases investigated in 2001. It is reasonable to conclude
that the PCPD is not short of business!
Our annual survey¹ is revealing in terms of mapping the perceptions of data users and data subjects
towards the work of the PCPD, and in ensuring that sight is not lost of
matters of public concern. What follows is a review of some of the more
important findings that came out of the 2001 opinion survey.
¹ The data subjects survey was conducted in
March and April of 2001 and interviewed 1700 respondents by telephone.
The data users survey was conducted in August and September and sampled
230 respondent organisations in the private and public sectors. This survey
used a self-administered questionnaire.
Data Subjects Findings
- The Importance of Privacy in relation to other Social Policies in Hong Kong (Figure 2)
[Image of Chart]
Privacy comes behind unemployment and air pollution but consistently scores high
marks in terms of the value attached by respondents to this particular
social policy.
- Awareness of Personal Data Privacy Rights (Figure 3)
Figure 3 - Are you aware that except when used for law enforcement or national security, you always have the right to...
[Image of Chart]
Although the community is better informed about their personal data privacy rights
it is only fair to say that they do not find these rights easy to articulate,
unless prompted. This is unsurprising because, with the exception of 'high
interest groups', it is to be expected that the citizens of Hong Kong do
not carry the DPP around in their head.
- General Awareness of Data Privacy Issues (Figure 4)
Figure 4 - Has the PCPD Increased Community Awareness of Personal Data Privacy Issues?
[Image of Chart]
Some comfort can be taken from the fact that the PCPD appears to be getting its
message across to the community through the combined efforts of promotion,
education and training activities. Nonetheless, we have detected that there
is still some way to go in informing certain sectors of our society, notably
the elderly and less well educated.
- Public Concerns Remain ~ Principally in the E-Privacy Arena (Figure 5)
Figure 5 - The Importance of Factors in Making Purchasing Decisions on the Internet
[Image of Chart]
The research undertaken by the PCPD into privacy related issues and the Internet
indicates that there is a large measure of concern in the community regarding
the controls web users exercise over personal data divulged online. Unless,
and until, service providers address online privacy issues, low levels of
trust and confidence will remain significant obstacles to realising the
potential of B2C business.
Data Users Findings
- Responses by Data Users Towards Compliance with the PD(P)O (Figure 6)
Figure 6 - Have Data Users Formally Adopted Written Policies to comply with the Ordinance?
[Image of Chart]
It has always been our practice to encourage data users to commit their personal
data privacy policies to writing so that they are readily available to
employees, customers and other stakeholders. Progress has been made on
this front although the task has been more problematic among online businesses
than conventional 'bricks and mortar' businesses.
- Informing Data Subjects of Compliance with the PD(P)O (Figure 7)
Figure 7 - Possessing a Privacy Policy Statement¹ and Personal Information Collection Statement²
[Image of Chart]
Over the years the PCPD has sought to motivate data users to comply with the
provisions of the PD(P)O by formulating and disseminating a PPS and PICS.
There has been a steady increase in the percentage of data users issuing
such statements and this is invariably the case with medium and large scale
organisations. The challenge right now is to migrate that behaviour to
small organisations, notably small firms.
¹ A Privacy Policy Statement (PPS) is a general
statement of an organisation's policy and practices in relation to its
collection, holding and use of recorded information about individuals.
Under the PD(P)O data users are required to ensure that their policies
and practices in this regard can be ascertained by other persons.
² A Personal Information Collection Statement
(PICS) is a statement given in compliance with the requirements of the
PD(P)O to notify individuals of certain matters when collecting such information
from them. That is, it is a statement of a certain limited content given
in relation to specific collections of recorded information from individuals
about themselves.
- Provision of Training by Data Users for their Staff (Figure 8)
Figure 8 - Data Users Training Provision for Staff Preparedness for the PD(P)O
(Aggregated Agree/Strongly Agree Responses)
[Image of Chart]
It has been gratifying to learn from successive surveys that more and more
data users are allocating the responsibility for personal data privacy
to a designated person - a Data Protection Officer ("DPO"). One of the
duties of a DPO is to create awareness among staff of the implications
of the Ordinance. This is most effectively achieved through the provision
of training sessions and staff seminars. To support this organisational
commitment the PCPD's Data Protection Officers Club (which currently has
in excess of 250 members) provides a regular forum in which to offer refresher
training and debate current issues.
- The Long Term Benefits from Compliance with the PD(P)O (Figure 9)
Figure 9 - Long-term Benefits to Data Users of Compliance with the PD(P)O
(Aggregated Agree/Strongly Agree Responses)
[Image of Chart]
These findings are important in that they enable the PCPD to cite evidence that
reflects the perceptions of data users towards compliance with the PD(P)O.
Clearly we do not wish to be regarded as a bureaucratic imposition upon
organisations, especially businesses. Fortunately, compliance is regarded
very positively in terms of the long-term benefits and goodwill it confers
upon the organisation. This would tend to suggest that compliance is regarded
less as a cost, although there are costs, and more of an investment in
the organisation's image, customer/employee relationships, and best practices
insofar as the management of personal data is concerned. The PCPD can argue,
with some justification, that compliance with the provisions of the PD(P)O
adds value to data user organisations. That added value is encapsulated
in the statement that good personal data privacy practices make for good
corporate governance and good corporate governance makes good business
sense.
The most recent survey findings give rise to guarded optimism in terms of the
PCPD's efforts to build a culture in Hong Kong that respects personal data
privacy. There are no grounds for complacency because there is much to
be done in the area of educating children, young adults and small businesses.
This of course makes no reference to the emergent challenges to personal
data privacy posed by the diffusion of new technology, and the ramifications
of the unimaginable events of 11 September.
The Thinking Behind the PCPD's Approach towards Personal Data Privacy - Putting Principles into Practice
In common with other jurisdictions Hong Kong faced difficulties in implementing
its data privacy law. Initially, personal data privacy did not register
as an issue of great social concern in the community. Secondly, privacy
was not high on the government's agenda as more pressing policy portfolios
such as housing, education and healthcare were given priority. Thirdly,
some elements of the private sector went on the defensive by articulating
the view that business would become less efficient, and consequently less
competitive, if it were obliged to absorb the costs of compliance with
the PD(P)O.
In the beginning the signals received by the PCPD were rather mixed and had
an air of apprehension about them. This apprehension emanated from established
custom and practice around how we do business in Hong Kong, i.e. a laissez-faire,
minimal interventionist economy. Note was taken of this apprehensiveness
because it is our belief, and remains so, that privacy law can only operate
effectively if it is understood and accepted by all sectors of society,
especially the business community. A priority task therefore was to build
a culture in which personal data privacy was understood and valued. At
the time the thinking was that this objective could only be achieved by
a cultural shift in the collective consciousness of the citizens of Hong
Kong. To make that shift the PCPD needed to ensure that the outcome of its
work did not alienate the broad range of interests that typify a pluralist
society. However, at one and the same time we were very much in the business
of promoting change, and the concomitant of change is resistance to change.
So, how did the approach taken address these challenges?
On reflecting upon what has worked well in Hong Kong, and what has worked
less well, we have come to an intuitive understanding about those principles
that give definition to who we are, and what we do. In the early days there
was an element of trial and error in our approach as the whole business
of privacy was very new and there was no accumulated experience in Hong
Kong to guide the PCPD. However, as time passed, the PCPD managed to gauge
the mood of 'the market' reasonably well and this influenced subsequent
planning. Great faith has been invested in a number of fundamental principles
that may be of value to those involved in privacy start-up operations.
The intention, in outlining these principles, is not to advance some universal
set of rules that are a guarantee of 'success'. Privacy needs to
be considered in context and the context and culture of Hong Kong is idiosyncratic.
To that extent the approach of the PCPD may not readily transfer to other
jurisdictions.
What then characterises the PCPD's thinking in terms of the way in which privacy
policy is executed in Hong Kong? There are four elements that underpin
most of the work performed by the PCPD.
-
In formulating and implementing privacy policy the PCPD has frequently to walk
a fine line. In so doing we recognise that we cannot please all of the people
all of the time. However, equally so, we cannot afford to alienate sections
of society and have been mindful of the fact that effective privacy policy
must be anchored in community consensus. For example, when formulating
the Code of Practice on Human Resource Management we were dealing largely
with two groups of people, employees and employers. For the Code to work
effectively we needed to strike a balance between the different interests
of these parties and develop provisions that were reasonable, equitable
and defensible.
- Mediation and Conciliation
By nature of what we do in the PCPD's operations division - investigate complaints - it is
inevitable that we are drawn into situations of conflict between
the complainant and the party complained against. Whilst the PD(P)O does
allow for enforcement measures, fines even, we have not generally resorted
to using these powers to resolve issues. Our greatest strength lies in
our ability to deploy mediation skills to effect a satisfactory settlement
between parties. Our view is that if we adopt an overly confrontational
approach then this, over time, may negatively influence public perceptions
e.g. the PCPD is biased, tends to favour one party over another, or is inclined
to over react to what are genuine mistakes or relatively minor infractions
of the law. In general we have avoided the 'big stick' by adopting a more
conciliatory approach.
Even then, if the parties to an investigation do not accept the verdict delivered
by case officers, or if they feel there has been evidence of maladministration,
they are entitled to take their case to either an Administrative Appeals
Board or the Ombudsman.
- Elevating the Profile of Privacy
Much of what the PCPD does is not simply a matter of developing considered policy
positions. That is an important part of the picture but not the full picture.
The full picture includes evaluating the knock-on effects of policy in
terms of public image and goodwill. The PCPD endeavours, via the 'products'
it delivers to the community, to heighten public awareness, understanding
and empathy. In short, we aim to exploit the full publicity value of policy
in order to educate the public, and keep privacy issues alive.
- Influencing the Public Mindset
There is little doubt that creating a culture that respects privacy is a massive
challenge. Nonetheless, this task is central to the long-term success of
the PCPD and a key measure of its future performance. This vision is factored
into everything the PCPD does which places it in a race without a finishing
line quite simply because the notion of a society in which there is absolute
respect for privacy is fanciful. If the PCPD were to achieve the unachievable
it would become a redundant entity. That seems a long way off and in the
meantime we have to address the reality of privacy, which is something
quite different. The reality is that developing a culture that respects
privacy is a painstaking and incremental process. There do not appear to
be any quick fixes. However, we seek in what we do, notably our strategies
and tactics, to create the value of respect for the privacy of others.
Conventional thinking regarding this superordinate goal dictates that the
PCPD alter public perceptions, attitudes and ultimately, behaviours. However,
the psychology of attitudinal and behavioural change involves complex processes
where the outcome is by no means guaranteed. Only by unravelling those
processes will we place ourselves in a position to build the culture we
seek to establish. This line of reasoning gives rise to a principled belief
that better research leads to better understanding, and the formulation
of superior strategies with which to tackle identified problems. We are
of the view that it is essential that our opinions and decisions are well
informed because only through a closer understanding of what makes citizens
'tick' will we be able to devise programmes that register with them, and
result in the changes in behaviour we wish to promote.
So much for the principles that guide the PCPD. How do these translate in practice?
The words consultation, education, communication and mediation have become
something of an organisational mantra at the PCPD in that they greatly influence
the day-to-day practices of the office. Considerable value has been attached
to these core concepts, and their implications; an emphasis that is unlikely
to change in the foreseeable future. Good execution of these concepts will
greatly help in the process of consensus building around personal data
privacy in the community, which is a major outcome for the PCPD.
The Road Ahead
The primary purpose of this paper has been to summarise the approach taken
by the PCPD to personal data privacy in Hong Kong. However, this focus needs
to be supplemented by making brief mention about the road to be travelled
in the next five years or so. In one sense nothing will change because
the PCPD is duty bound to exercise good stewardship of its stock business.
However, the PCPD cannot move forward by standing still and to that extent
staff must seek to enhance the quality of service rendered to the community.
To achieve that goal it will be necessary to address any perceptual gaps
that may exist between the expectations of the community and the PCPD's
ability to deliver against those expectations. It must be said that certain
community expectations laid at the door of the PCPD are unrealistic either
because of funding limitations or because there is some confusion on the
part of the community regarding the PD(P)O and the limited jurisdiction
of the PCPD. The challenge is to narrow the expectations gap by more effectively
managing the perceptions of the public. Secondly, the PCPD must ensure that
it understands the dimensions attached to service by the public and the
hierarchy of those dimensions. For example, the most visible aspects of
our service involve responding positively and promptly to enquiries and
investigating complaint cases diligently and efficiently. However, what
constituted good service yesterday does not equate with good service tomorrow.
Keeping pace with escalating service expectations is by no means an easy
task in an economic climate in which additional resources will be hard
to come by. What this means is that we will have to work smarter and harder
if we are to move forward in realising the vision. Finally, being conscious
of the growing demands placed upon the PCPD has led to a commitment by senior
officers to regular planning reviews to see where, and how, resources might
be better utilised. These reviews are geared to dovetailing resources with
needs and delivering a level of service that is a benchmark among public
sector service providers in Hong Kong.
At a recent review of operations it was agreed that the PCPD should seek to
play a leadership role in a regio-centric approach to privacy. Good models
of this perspective already exist in broadly comparable national organisations
that seek to promote trade, social causes or cultural exchange. It would
therefore seem logical to develop a coalition of privacy interests with
other commissions in the region, notably Australia and New Zealand. By
pooling some resources the PCPD, in collaboration with its counterparts,
should be able to more effectively deal with pan-regional privacy issues,
and those posed by technologies that may be privacy-invasive. Through joint
efforts we may also assist those jurisdictions in the Asia Pacific region
where privacy is of fledgling status.
The strengthening of regional ties is but one strand to the PCPD's 'foreign
policy'. Another dimension is to cooperate and share experience with
our colleagues in Mainland China. It is only a matter of time before China
is obliged to respond to a broad range of privacy issues. This realisation
has come largely in the light of China's accession to the WTO. As a rule-bound
organisation it will be incumbent upon the WTO to ensure China's compliance
with the terms and conditions of entry. In addition, as China's trade with
powerful blocs such as the European Union ("the EU") begins to surge, there
will be corresponding demands from member states of the EU that China put
in place good privacy practices, most obviously those concerned with transborder
data flows. At some stage in the relatively near future this is bound to
become an imperative as the absence of legislation, or a national policy
towards privacy, could adversely affect China's relationships with those
countries that do attach significance to this aspect of international trade.
As an organisation the PCPD has been obliged to mature quite rapidly and now
possesses the requisite skills to enable it to move in new directions.
With a solid foundation, and proven mechanisms in place, the PCPD should
be able to capitalise on its strengths and broaden its horizons. In consolidating
its position both locally and regionally it will be better placed to realise
the aspiration of becoming a major player in the global privacy movement.
Raymond Tang
Privacy Commissioner for Personal Data
Suite 2001, 20th Floor, Office Tower
Convention Plaza
1 Harbour Road
Wanchai
Hong Kong
Tel: (852) 2827 2827
Fax: (852) 2877 7026
E-mail: pco@pcpd.org.hk
Internet: http://www.pcpd.org.hk