Publications and Videos
Newsletter
|
PRIVATE
THOUGHTS (on-line version) Privacy Must Be Protected with the New Smart ID Card The new ID Card, proposed by the Hong Kong SAR Government, will serve not only to identify the individual, but also to have value-added applications built into the Card. These applications are intended to enhance the efficiency and delivery of government services as well as to provide community benefits, such as convenience and access. The indications are that the Card will contain substantial amounts of personal data, e.g. personal particulars including biometric attributes which uniquely identify the individual, and other personal data required to support the various applications. The concentration of personal data, some deemed to be sensitive, on a single card raises potential problems of data privacy: Identity Theft: In the information age, with increasing automation and significantly less face-to-face contact for service application and delivery, identity theft using stolen or misplaced cards would increasingly be a major problem, as evidenced in the US where identity theft is on a steep increase with the advent of the Internet and electronic commerce. Data Concentration, Sensitivity and Access: The Card with its capabilities to support the various applications can be regarded as quite a comprehensive personal dossier. While portability of the Card can be an advantage to the holder, it also can make the embedded personal data accessible to many, thus diminishing protection of the individuals' data and privacy. Richness in data tends to lead to "function creep", where data would be used for additional purposes beyond those original ones of data collection. The "function creep" in government activities tends to be justified on the basis of public interest, e.g. crime detection, welfare cheats etc. If personal data were to be used subsequently for purposes beyond those original ones of data collection, such possibilities could constitute or be perceived as an invasion of personal data privacy. It is relevant to point out that, with the Government's announcement of this major initiative, the community has expressed considerable concerns on its potential privacy risks, including some public comments critical of this initiative as a move towards an increasingly surveillance-prone society. Given such concerns, the PCPD is of the view that, the planning, design and implementation of the new ID Card system should have the following considerations:
[Image of Complaint Cases] Complaint
against the disclosure of personal data to a newspaper The complainant was employed by an educational institute. After a suicide attempt by the complainant, the principal of the institute, in response to enquiries by newspaper reporters, disclosed certain information about the complainant relevant to the background of the case. This information was published in the newspapers. The complainant complained to the PCPD about the disclosure of his personal data. The
PCPD conducted an investigation of the case. It was found that part of
the information disclosed by the principal was based on his memory and
understanding and not on any written record. Hence, the disclosure of
that part of the information did not constitute disclosure of personal
data within the meaning of the Personal Data (Privacy) Ordinance ("the
Ordinance"). The remaining part of the information disclosed was based
on employment records. Accordingly, its disclosure constituted disclosure
of personal data of the complainant. Such information was related to a
previous suicide attempt of the complainant and his previous work injuries
as the result of which the complainant had claimed employees' compensation.
The principal claimed, however, that he had released such information
to the newspaper reporters to defend the institute against accusations
by the complainant's wife that the present suicide attempt by the complainant
had been caused by the institute's mishandling of the complainant's compensation
claims. The PCPD formed the view that the disclosure of personal data
by the institute to newspaper reporters in the case was exempted from
the restrictions on the use (including disclosure) of personal data provided
for in data protection principle 3 of the Ordinance. The relevant exemption
was that provided for in section 61 of the Ordinance in relation to the
disclosure of personal data to an organization undertaking news activities.
Accordingly, no enforcement notice was served on the institute. Transfer of seminar participant's personal data The complainant provided his personal data on an application form in order to participate in a seminar. It has not been stated on the form the purpose for which the data would be used (including transferred and disclosed) and the classes or persons to whom the data would be transferred. After the seminar, the complainant received a telephone call from an insurance agent marketing insurance products to him. The agent admitted that the complainant's personal details were provided by the seminar organizer. In its
reply to the PCPD, the organizer indicated that the insurance company
was one of its sponsors for the seminar and the personal details of the
participants of the seminar were sent to the company. The organizer advised
the PCPD that it was not its intention to disclose the complainant's data
to the insurance company and was unaware that the act would constitute
a transfer of personal data under the Ordinance. The organizer apologized
for its oversight in this case and assured that such incident would not
reoccur. In this regard, the PCPD was informed that immediate steps had
been taken to review its policy on the collection and use of personal
data and would ensure that all staff would abide by the policy. The case
was then closed by mediation.
[Image of Tech Talk] Privacy Elites Senior
Personal Data Officer - Mr Kenneth Leung It's just another day on the Internet. You open your email account, only to be flooded by a tide of unexpected junk mails. Companies with names unheard of are addressing you endearingly, trying to sell products you're not even slightly interested in. Sometimes they seem to know everything about you, your address, your job, your friends and even your pet. Yet for Kenneth Leung, the Senior Personal Data Officer, this is more than just an imagined scenario, but something he has to confront everyday. "Last year, we had checked 400 websites based in Hong Kong to see if they complied with the requirements of the Personal Data (Privacy) Ordinance. We looked at the kind of information they collected from users and checked if they had provided enough notifications. It was indeed a very complicated investigative process with many steps and finally took up a whole year to complete the lengthy task. In the end, enforcement notice had been issued to company which mishandle customers' information,'' Kenneth says. Yet it would not be a mission impossible for Kenneth because he is a veteran database specialist and has worked for years in overseas and local computer companies before joining the Office three years ago. Such rigorous efforts are indeed welcomed. With the number of Internet-related crimes in Hong Kong rapidly increasing in recent years, the future development of the SAR's E-commerce depends much on how consumer rights are protected on-line. "Nowadays we have a lot of cases involving the Internet," he says. "Later on, we will publish guidance materials to help companies on how to correctly handle personal data in e-commerce." Internet is just one of the many areas Kenneth and his sub-ordinates have to look at. Any mishandling of personal data, unwanted surveillance or infringement on individual privacy falls within the responsibility of the operations division. "Proactive investigation is just part of our job. Often, reactive investigation was spawned by notifications from the public or the media." "Our role is quite different from say, the ICAC or the police. We are more like a mediator rather than a strict enforcer, although under certain circumstances we do have the power to enforce regulations imposed by the Ordinance,'' Kenneth explains. In most of the cases, companies that break the rule will get a warning letter from the PCPD, advising them to rectify the malpractice within 45 days. About 90 per cent would respond positively to our warning but five per cent of them would still ignore the advice. "At this stage, we'll kick into full investigation mode. We can demand relevant information from them and they have to reply within our stipulated time frame." he says. "If they fail to co-operate or the contravention is likely to be repeated, we have the power to issue enforcement notice to direct them to take remedial action." "But what we really want is to educate people, to bring out the message for civilized change,'' he says. However, in the past, under certain circumstances the PCPD filed certain cases to the police for further follow-up actions. But the story is never simply black and white. Very often Kenneth and his staff find themselves facing the questions of whether the case really involves infringement of personal data privacy. "In many cases it is not easy to make a reasonable judgment. This very often happens when two parties are involved in some personal disputes. It is next to impossible to ascertain what constitutes the infringement of privacy under those situations since you may never know the true story,'' Kenneth says. New technology also makes their work increasingly difficult. Kenneth points out that the very nature of the Internet makes it hard to track down offenders, as they often remain anonymous under false identities. "Another thing about Internet is that the Ordinance generally can only govern activities inside Hong Kong. But many people with relevant computer or legal knowledge can easily exploit this situation, like publishing someone's personal information on a foreign site." Many Hong Kong people need to have a better grasp of the concept of personal data privacy and the Ordinance, according to Kenneth. Though it is almost an art in keeping the balance of the interests of all sides under a restrained framework of time, technology and space, yet Kenneth remains upbeat about his job. "We hope that we can bring out the message to the public so that they would realize the importance of personal data privacy. It is a gradual civilized change, which takes time,'' he says. Surprisingly though, what he finds hardest in his job is not to trace down Internet hackers or mediate estranged couples accusing one another of privacy infringement, but to overcome his own "low-profile" character. "I was used to dealing with computers, but now I have to come out and meet all kinds of people, from laymen on the street to CEOs of big companies. That presents a big challenge to a low-profile person like me," he says. Needless to say, you probably understand why the author fails to obtain a photo from this shy privacy cop by now.
Senior Personal Data Officer - Mr Vincent Li In an office adorned with certificates reminding visitors of his glorious past, Vincent Li, the Senior Personal Data Officer, muses over his reversed role. The former police senior inspector seems to have expected you to wonder about his career move. "It's strange, right? Police is often accused of invading people's privacy and now I'm trying to protect privacy," he says. Police is one of the largest data users in Hong Kong, Vincent reckons, having more than 30 types of personal data records, such as criminal records, fingerprints and identity card numbers. Yet, having 12 years' solid background in criminal investigation proves to be in his current role an invaluable asset for Vincent, who supervises a PCPD operation team responsible for handling complaints. "I had worked for six years in the Police's Commercial Crime Bureau and Criminal Intelligence Bureau. I've established strong working relations with the public sector like the ICAC, Immigration, Customs, various overseas police forces, as well as the private sector such as banks and credit card companies. Having a good grasp of how these organizations and the police function offers a useful alternative perspective to facilitate my present role," he says. The mode of investigation at the PCPD, however, differs quite significantly from the police's investigative approach, Vincent says. "For one thing, we rely heavily on written correspondences in investigations. Whereas the police would directly go to a company and search for evidence on the site, or invite people to go to the police station for a meeting, we seek information and co-operation from individuals by sending them letters," he says. This approach saves time and efforts, Vincent says. But would it in any way compromise the investigation? "The majority of our cases don't involve criminal offences. Most organizations would not take the risk to destroy evidence. "Besides, the Personal Data (Privacy) Ordinance ("the Ordinance") aims more at promoting awareness among data users of potential violation. Legal liability aside, an organization should also realize violating the Ordinance will adversely affect its image as people attach an increasing importance on privacy," he explains. What presents as a challenge for Vincent though, is having to be very hand-on involved in investigations again after years of being a commander - and of course, to do so without the perceived authoritative status as a police officer. "I used to instruct my subordinates to carry out investigations, but now I have to call the people, introduce myself and try to seek their co-operation," he says. "While people rarely challenge the police's authority, they are much more inclined to question our judgment and interpretation of the Ordinance. They would ask questions like, 'How can you say this doesn't infringe my privacy? Why should I take your advice to change my practice? Can I appeal?' " Vincent says. "But
I enjoy my present work; investigation is an art. You learn to improve
your temperament. The complainants come from all walks of life. Some people
are polite, some rude. Some are educated and polite, some are educated
but very rude. If they question our power, I have to explain to them the
scope of our jurisdiction and can't Currently, the PCPD lacks prosecution power over parties who have violated the ordinance and relies on the police to do the work. Hence, Vincent's investigation background and past connections come in handy in handling such cases. In fact, he brought about the PCPD's first prosecution case against a telecommunication company for breaching the Ordinance's provision on direct marketing approach. The case was taken to court in mid-October. "I happened to know the police officer in charge of the case but the eventual prosecution hinged on how well the groundwork of investigation was done," Vincent says. "Though the prosecution did not result in conviction after trial for a combination of factors, in particular some technicality issues, I am sure that the initiation of criminal prosecution has sent a clear message to the public that the requirements of the Ordinance are not to be taken lightly," he adds. As people become more aware of the Ordinance and report relevant incidents to the PCPD, he predicts there will be an increase in the number of prosecution cases in the future. The next logical step will be, he says, for the PCPD to be empowered the right to prosecute. "If we have the power of prosecution, we'd be more in control. Referring our cases to the police should only be an interim measure. It would be difficult for them who oversee so many ordinances to help us in the long-run," he says. Vincent says he is more than happy to take up extra responsibilities should the change happen. So what does he hope to achieve ultimately at his job? "A lot
of people asked me why I was willing to giving up a stable and well-paid
job to join the Office nine months ago," he says. "In this job, I can
be directly involved in many respects and put to use what I have learnt
in the past. I believe there is plenty of room for the PCPD to expand
its scope of work as people's awareness of privacy is raised. This is
the place where I think I can truly realize my aspirations."
[Image of PCPD Activities]
You are invited to join the Data Protection Officers' Club - your gateway to an expansive network of professionals tasked with the responsibility of implementing and co-ordinating measures to protect personal data privacy in Hong Kong. The PCPD organizes the Club to provide a channel for two-way communications between the PCPD and data protection officers across a broad range of organizations. Membership of the club will not only assist you in implementing measures to comply with the Ordinance - it will give you access to a constructive forum where data protection officers can exchange views and share experiences. The Club meets regularly to discuss relevant topical issues, PCPD activities, latest complaint cases, case studies of the compliance experience of major organizations, together with a networking Question and Answer session. Privacy workshops exclusive for members will also be organized and certificates will be awarded to participants upon completion of the course. Joining fee for each membership is only HK$300 per year which entitles you to all of the above privileges plus receiving all relevant PCPD publications. The next meeting of the Club will be held in early 2001 - secure your place now by completing and returning the membership application form. For
any further details please call us on 2877 7171. Extensive publicity activities on the Code of Practice on HRM The PCPD has issued and gazetted the Code of Practice on Human Resource Management on 22 September 2000. The PCPD has undertaken different means to promote the Code of Practice on Human Resource Management and raise awareness among members of the public. The PCPD has placed public notices in local newspapers to publicize the issuance of the Code. A 30-second Announcement of Public Interest (API) has also been produced for broadcasting on local televisions commencing November 2000. Copies of the Code and the "Compliance Guide for Employers and HRM Practitioners" are available from the PCPD or can be downloaded from the PCPD web site (www.pcpd.org.hk). Three public seminars were held in October and November, in which over 1,100 participants were provided with the opportunity to obtain in-depth information of the Code, its interpretation and application. The Office will continue to promote the Code through training seminars and publicity activities to ensure that privacy of employees' personal data will be protected. Joint Promotion Activities by the PCPD and the Hong Kong Baptist University Dramatics Club on the Personal Data (Privacy) Ordinance The PCPD and the Hong Kong Baptist University Dramatics Club have jointly produced a drama show to highlight issues related to privacy of personal data. Through sketches depicting familiar day-to-day routines, the public is sensitized to the importance of privacy of personal data, and how the Personal Data (Privacy) Ordinance ("the Ordinance") provides for the protection of privacy. Assisted by the PCPD, a lively and humorous script synthesizing the different aspects of the Ordinance has been written by the Hong Kong Baptist University Dramatics Club. The drama show will be staged at various community centres. There will be a Q & A session at the end of each show, and souvenirs will be distributed. Given that privacy is now a very topical issue in the everyday life of the general public, community and social services organizations which would like to host this drama show for its constituents are welcome to call us at 2877 7171 for details. Advance booking is generally required. Privacy News Around the World Digital Signature (UK) The use of digital signature has become legally admissible in court in the United Kingdom when the E-communications Act came into force in May. On personal level, the use of digital signature will be widespread in the UK. Later on the year, a software will be introduced in Britain which enables Internet users to create a digital signature and establish a digitally safe identity at one of the Post Office's 18,000 branches across the country. The software will provide privacy and security for e-business transactions and will also be made available for download from the Royal Mail's website. However, Internet experts have also warned that the use of digital signature may also lead to greater risks of privacy intrusion, such as surveillance and identity theft. Consumers may have fears about the dangers posed by computer hackers and the risks of using credit cards online or sending messages securely. Whether or not taking the risk for greater convenience is certainly your choice.
The privacy survey conducted in Canada in 1999 revealed a surprising finding that Canadians had great willingness to make privacy tradeoffs in return for tangible benefits. Forty-two per cent of respondents said that they would agree to having their grocery shopping habits monitored, allowing the store to develop a client profile, in return for a 10 per cent discount on their groceries. Slightly more than a third of Internet users (36 per cent) would agree to having their online habits monitored by a reputable company in return for a new computer and free Internet access. (The two questions assume that the people involved in such programs would be fully informed of the personal information being collected and how it is being used, which might not be the case in the real world.) |
| Back to top |
End of Page
[Annual Report] [Code of Practice/ Guideline & Explanatory Booklet] [Consultation Document/ Report] [Newsletter] [Guidance Note & Fact Sheet] [Leaflet & Form] [Opinion Survey] [Others] [Investigation Report / Inspection Report] [Information Book]
[About PCPD] [The
Ordinance] [PCPD Activities]
[Information Centre] [Privacy
Zone for Youngsters (Games)]
[Publications & Videos]
[Enquiries & Complaints]
[Case Notes] [Contact
Us] [Search] [Site
Directory] [Graphical Version]
[Chinese Version]
Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer