Publications and Videos
Newsletter
|
PRIVATE
THOUGHTS (on-line version) The Privacy Commissioner's Message The protection of the privacy of the individual in relation to personal data should be a standard policy for every organization in Hong Kong. Not just because of the legal requirements of the Personal Data (Privacy) Ordinance ("the Ordinance" hereafter), but because it leads to benefits in terms of better customer and employment relations, improved data quality and efficiency of data processing. The PCPD strives to reinforce this message and provide guidance on good data protection practices to all organizations, large and small. It gives me great pleasure to inaugurate this first edition of our newsletter. Its title, "Private Thoughts", sums up the aim of our newsletter, which is to communicate our views on issues and news relevant to the privacy protection of personal information related to the individual. A quarterly publication, "Private Thoughts" will provide news of and views on latest issues, case studies, topical enquiries and technological developments in the privacy arena, as well as up-to-date information on PCPD's activities. The primary and ultimate objective of the newsletter is to assist organizations to understand and effectively comply with the requirements of the Ordinance through the implementation of good practices in the handling of personal data that they collect, retain and use. As always, for a new endeavour to be effective and successful, your views and feedback are essential. We welcome your suggestions and criticisms. Please convey your input by writing to us at the address given at the end of this newsletter.
[Image of Focus] More Care Required In Collecting ID Card Numbers It has been over one year since the effective date in June 1998 of the "Code of Practice on the Identity Card Number and other Personal Identifiers" issued by the PCPD, which provides for the protection of individuals' identity card (ID card) numbers, other personal identifiers and copies of identity cards. From June 1998 when the Code took effect to September this year, the PCPD received 120 complaints related to the ID card number and copies of the ID card. This was 64% more than the combined total of the number of complaints related to ID cards received by the PCPD before the Code took effect (i.e. from December 1996 to May 1998). This large jump is not surprising given the greater awareness that the Code has aroused among the general public on the protection of ID card numbers. The following are some of the more common complaints, in which the collection of ID card numbers or copies of ID cards were deemed excessive:
A question is also often raised on whether the security staff of a building can ask visitors to enter their ID card numbers in a visitors' log book at the entrance of a building. This really depends on whether the monitoring of the visitors' activities inside the building is feasible or not. If it is feasible, the security staff should not collect visitors' ID card numbers. If such monitoring is not feasible, they are allowed to collect visitors' ID card numbers. However, the security staff should take appropriate security measures to ensure that such entries in a visitors' log book are concealed from subsequent visitors who enter their details. In addition, before collecting visitors' ID card numbers, the security staff should also give visitors the option of choosing less privacy-intrusive alternatives other than providing their ID card numbers. Such alternatives may include identification by another identification document, e.g. a staff card issued by the visitor's company or identification by someone known to the security staff, e.g. by a resident in the case of a residential building. For those who would like to find out more about the Code, copies of the Code and other related publications are available from the PCPD office.
[Image of Complaint Cases] Sending abusive messages on the Internet The complainant complained that his ex-colleague, without his knowledge or consent, posted his name and mobile phone number in a message at an Internet newsgroup soliciting sexual service which resulted in numerous nuisance calls to him. Upon investigation by the PCPD, it was ascertained that his ex-colleague obtained his mobile phone number while they were employees of the same company. Although the sender of the message tried to hide his identity by using a fake account name, the PCPD secured evidence from the related Internet Service Provider that the account from which the message originated was that of the ex-colleague. An enforcement notice was served on the ex-colleague directing him to cease such action. This case illustrates that generally speaking,a data user should not, without an individual's consent, use that individual's personal data for a purpose other than the purposes stated at the time when the data were collected. In addition, newsgroups are public forum where posted messages are openly exposed to anyone having access to the Internet. Individuals should consider the privacy risks involved before posting any personal data at newsgroups.
Access request to employment-related personal data The complainant was a former primary school principal. The school terminated her employment summarily, paying her wages in lieu of notice in accordance with the requirements of the employment law. The complainant subsequently made a data access request to the primary school. The primary school failed to comply with her data access request within 40 days of receiving her request, as required by the Ordinance. In response to the complaint, the primary school relied on the exemption provisions of section 54 of the Ordinance in refusing to comply with her data access request. Section 54 is a transitional provision intended to avoid the possible disruption to the staff management relationship that may be caused by disclosing assessments provided in confidence at a time when there was no right of access to personal data, before our Ordinance took effect, i.e. before 20 December, 1996. This provision applies only so long as there is an ongoing employment relationship. Since the primary school was no longer the employer of the complainant at the time when the complainant made her data access request, section 54 would not apply. Upon warning, the school undertook to provide the data to the complainant and to revise its policy and procedures regarding the handling of data access requests.
[Image of Tech Talk] Biometrics and Privacy Biometrics is the process of collecting, processing and storing details of a person's physical characteristics for the purpose of identification and authentication. The most popular forms of biometric identifiers are retina scans, hand geometry, thumb scans, fingerprints, voice recognition, and digitised photographs. The technology has gained the interest of governments and companies because it has the capacity to identify the target subject much more accurately than other forms of identification such as identity cards or papers. Biometrics schemes are being implemented across the world. Spain has commenced a national fingerprint system for unemployment benefit and healthcare entitlement. Jamaicans are required to scan their thumbs into a database before qualifying to vote at elections. In France and Germany, tests are under way with equipment that puts fingerprint information onto credit cards. In the US, cash can be drawn from ATM machines which establish the identity of a customer through the scanning of facial features instead of the presentation of an ATM card. The most controversial form of biometrics - DNA identification - is benefiting from new scanning technology which can automatically match DNA samples against a large database in minutes. Police forces in several countries such as the United States, Germany and Canada are creating national databases of DNA. The Hong Kong Government is actively pursuing the establishment of a similar DNA database of persons who have been convicted of a serious crime. The PCPD recognises the considerable benefits to the community through the creative application of biometrics. At the same time, there are concerns with the potential risks of privacy intrusion through the use of such biometrics data for purposes that were not originally intended. Therefore applications of biometrics must have adequate safeguards for data privacy, including clear and transparent declarations of how the data collected are to be used, adequate security measures to prevent unauthorised access to data, and where relevant, regulatory measures to support complaints and redress mechanisms. In addition, in conjunction with biometrics, use should be made where appropriate of so-called privacy enhancing technology. The use of such technology minimises the collection of personally-identifying data without compromising the power of biometrics to authenticate an individual's claim as an authorised user of a system or service. (Reference is drawn from "Privacy & Human Rights", GILC)
[Image of Common Q & As] [Image of Q]
[Image of A]
[Image of Q] [Image of A] [Image of Q] [Image of A] More common Q & As can be found on the "Advice & Decisions" section of the PCPD web site at http://www.pcpd.org.hk.
[Image of PCPD Activities] PCPD hosted international privacy conference in Hong Kong The 21st International Conference on Privacy and Personal Data Protection was held in Hong Kong on 13 and 14 September in conjunction with the International Meeting of Data Protection Commissioners on 15 September. The Conference was hosted by the PCPD and attracted close to 400 delegates from 35 countries. The Conference is the most significant annual international conference in the global privacy arena and was held for the first time in Asia. The theme of this year's conference was "Privacy of Personal Data, Information Technology & Global Business in the Next Millennium". A total of 65 speakers from 15 countries shared their insights on topics including the impact of current and future technologies on privacy and personal data, electronic commerce and personal data, the impact of the European Union's Data Protection Directive on global business and trade as well as privacy issues related to specific sectors such as Government, telecommunciations, news media, information technology and law enforcement. For those who have missed the Conference, the Conference proceedings can be purchased from the PCPD. Data access request form issued
In
PCPD's experience in handling complaints, misunderstanding has been found
among both the general public and organisations in relation to data access
requests under the Ordinance. To assist individuals in making data access
requests and remind data users of their obligations in handling such requests,
the PCPD has issued a Data Access Request Form. Data users are encouraged
to use the Form to handle individuals' data access requests. To allow time
for data users to revise their internal procedures in light of the Form,
the Form will have legal effect on 1 December, 1999. After this date, a
data user may refuse to comply with a data access request that is not made
with the Form. A pamphlet that explains to individuals how they can exercise
their data access rights and make use of the Form has also been issued.
The Form and the pamphlet are available from the PCPD and all district offices.
3rd
annual opinion survey results released
The
PCPD has released the results of the 1999 opinion survey on attitudes
towards and implementation of the Personal Data (Privacy) Ordinance. Some
1,600 individuals were interviewed and questionnaires received from 460
organisations in the survey. Privacy continued to be rated by individuals
as an important social policy issue, with a rating of 7.6 out of 10. The
survey also found in particular that there was a significant increase
in the percentage of organisations which considered that the Ordinance
would have long term benefits in areas such as customer and employee relations,
data accuracy and management and their organisations' public image. A
booklet containing the key results of the survey has been published and
is available from the PCPD at a nominal charge.
Public
consultation being conducted on a draft Code of Practice on Human Resources
Management
The
PCPD published at the end of September for public consultation a draft
Code of Practice on Human Resources Management (HRM) for the protection
of personal data privacy in relation to HRM practices. The draft Code
governs the collection, use, retention, security and other aspects of
handling of personal data by HRM practitioners. Views are in particular
invited on the recommendations in the draft Code on recruitment advertisements
and the retention periods for different types of employment-related personal
data. The public consultation period will last three months and interested
parties and the general public are invited to submit their views to the
PCPD by 31 December. The consultation paper is available from the PCPD
and all district offices. |
| Back to top |
End of Page
[Annual Report] [Code of Practice/ Guideline & Explanatory Booklet] [Consultation Document/ Report] [Newsletter] [Guidance Note & Fact Sheet] [Leaflet & Form] [Opinion Survey] [Others] [Investigation Report / Inspection Report] [Information Book]
[About PCPD] [The
Ordinance] [PCPD Activities]
[Information Centre] [Privacy
Zone for Youngsters (Games)]
[Publications & Videos]
[Enquiries & Complaints]
[Case Notes] [Contact
Us] [Search] [Site
Directory] [Graphical Version]
[Chinese Version]
Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer