PCPD Newsletter provides guidance on good data protection practices to
organizations.
PCPD
Newsletter (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data,
Hong Kong)
December 2003 Issue No.12
Implementation
of Privacy Act in Victoria, Australia
In
Australia, roughly one-quarter of the population lives in the state
of Victoria. That equals about 5 million people, 70 per cent
of whom are residents of Melbourne, the capital city.
Beginning
September 1, 2002, Victorians have been able to make privacy complaints
under the Information Privacy Act. Since then, the Office of the
Victorian Privacy Commissioner, based in Melbourne, has received
an average of about 280 enquiries a month.
[Photo: Mr. David Taylor (right) and Privacy Commissioner Mr. Raymond Tang at PCPD.]
"Australia
and Hong Kong have much in common. But chief among them is the growing
public awareness of individual privacy rights," David Taylor,
the director of privacy awareness of the Office, known as Privacy
Victoria, said.
According
to Taylor, the development of privacy rights among Australians started
with the Federal Privacy Act, which covered the civil service, such
as the tax office, national-health service, social welfare and foreign
affairs, since 1988. After December 21, 2001, the legislation was
extended to private companies with annual turnover of over A$3 million.
A year later, those companies with turnover of less than A$3 million
a year that used personal information for their business were required
to comply with the Act as well.
Taylor,
who has been with Privacy Victoria for 18 months, said that, while
the legislation has led to an increase in the number of complaints,
a number of important developments also contributed to the boost
in public awareness. In Australia, for example, a number of private
companies operate tenancy databases. They collect information about
"bad tenants" - people who have defaulted on rent payments
or left a property in bad condition. Real estate agents and landlords
check these databases first to find out whether prospective tenants
are amongst those included in the database.
"Of
course, there is pressure to get off the database because it can
be difficult to find a place to rent if your name is on it. Some
renters complain there is not much of an effort to ensure the accuracy
of information," he said.
Another
privacy development was the installation of cameras in taxis. The
aim was to protect taxi drivers against theft as well as to prevent
cases of assault on female passengers. Privacy Victoria has consulted
with the government to ensure that only authorized people could
access the data collected by the cameras and that the data should be
destroyed when no longer required.
One
of the more controversial privacy issues was the ongoing debate
over a national identity card, known as the Australia Card. "In
the mid-1980s, we were thinking about an Australia Card but people
did not want it. After the events of September 11, there were voices
calling for an identity card but it was politically difficult for
the government. Hong Kong's Smart ID card is different because the
culture is different," he said.
Taylor
also commended Hong Kong for the implementation of the Code of Practice
on Consumer Credit Data, which, he pointed out, "is a good
mechanism for protecting privacy. It offers banks as well as the
government a benchmark for compliance".
As
for his own work in promoting privacy awareness in Australia, Taylor
said that Privacy Victoria set up a Privacy Victoria Network having
learned of the success of the Data Protection Officers' Club in
Hong Kong. The network now has about 150 privacy officers and meets
three times a year.
Privacy
Victoria has been particularly active in sponsorships. Two high-profile
events held last year, although somewhat unusual sponsorships,
were Melbourne Spring Fashion Week and the Big Day Out music festival.
Privacy Victoria sponsored a swimwear show during the fashion week
to highlight the kinds of personal information that were gathered
when people shopped. The event promoted greater awareness of the
need to keep this information private, Taylor explained.
[Photo: Platypus - a shy and discreet creature. It's a natural symbol for the idea of privacy in Australia.]
The
annual Big Day Out music festival attracts some 45,000 young people
to Melbourne. This year, Privacy Victoria sponsored the portable
toilets featuring messages about privacy.
Other
sponsored events included the partnership with Tennis Victoria.
Privacy Victoria gave its support to tennis carnivals throughout
the state and participated in a Play Tennis Day. There were also
sponsorship agreements with both the Men and Women Lawn Bowls Associations
to provide them with about 500,000 scorecards and additional publicity
about privacy.
Australia's
most unique animal, the platypus, has also come under Privacy Victoria's
sponsorship. At the Royal Melbourne Zoo, information signs were
placed at the platypus house and the image of the animal is also
used in materials for publicizing privacy awareness to children.
Privacy
Victoria is currently conducting a survey amongst secondary school
students to gauge their understanding of privacy issues and will
compare the results with those of the youth privacy survey conducted
by the Hong Kong Federation of Youth Groups and the Office of the
Privacy Commissioner for Personal Data in 2002.
E-Learning
Module and Online Assessment by Cathay Pacific Airways Limited
It
is easy to forget about the importance of protecting personal information
when you are flying at 30,000 feet above the ground. But airlines
constantly generate detailed passenger lists and flight information
that contains a lot of personal data. Simply throwing them away
in the trash is not enough to ensure that the information is protected
and not misused. In fact, the proper way to dispose of these lists
is to put them in an envelope and send them back to the head office
where they are destroyed properly and safely.
At
Cathay Pacific Airways Limited, getting this message across to its
roughly 11,000 employees could be a mammoth undertaking. But, thanks
to a little ingenuity, Hong Kong's flagship carrier has made learning
about the practical applications of the Personal Data (Privacy)
Ordinance in the workplace both fun and interactive.
According
to Jenny Got, a business trainee at Cathay's personnel department,
an e-learning module was launched in March to facilitate the online
training and testing of all staff in their understanding of the
requirements of data protection.
The
launch was kicked off with a month-long privacy campaign featuring
three roadshows at the airport in Chek Lap Kok. Posters, publicity
material and informative pamphlets were put on display and souvenirs
were distributed for staff to learn more about the Ordinance and
a lucky draw was held to boost staff awareness of the need to protect
personal data. By the end of June, about 10,000 staff had already
passed the testing of the module but the original deadline of mid-July
has been extended to accommodate those who were on leave.
"Cathay
came up with the idea for the e-learning module based on its own
internal privacy policies and manuals but we did refer to the Ordinance,"
Got said.
Staff
visiting the web site can choose from four different interactive
learning modules depending on the kind of access they have to people's
personal information. One module is designed for cockpit and cabin
crew, another for employees with access to customer data, one for
those with access to employment-related data and another one for
managers/supervisors who can access both customer and employment-related
data.
"Cathay
has designed personal information learning modules with different
questions depending on the area of work of the staff. This is a
cost-effective method as it differentiates among different types
of employees. Staff only need to take it once but, in future, there
may be regular updates to accommodate changes in legal requirements
or Cathay's practices," she said.
[Photo: Miss Jenny Got and Privacy Commissioner Mr. Raymond Tang at PCPD's Data Protection Officers' Club plenary meeting in July.]
As
not all employees will encounter the same situations, devising an
online learning module that differentiates among them helps target
staff training. It is also flexible enough to allow learning and
testing at any time, Got added. In future, new recruits will be required
to pass the assessment as well. In the meantime, employees can engage
in such interactive learning at their own pace when they want to
learn more about the protection of personal data privacy.
The
growing success of Cathay's online learning module has not escaped
the attention of companies unsure of how to educate their staff
on the Personal Data (Privacy) Ordinance. According to Got, the
module can easily be adapted by any company to suit its own internal
customer and employment guidelines as Cathay has already developed
the basis of the system. For interested companies, not necessarily
from the airline industry, customizing the module is relatively
simple and is far less expensive and time-consuming than developing
one themselves.
"It's
more suitable for those companies with large numbers of staff as
the cost incurred is minimal. Having said that, Cathay Pacific would
endeavour to collaborate with any organizations on the implementation
of such interactive training to equip their staff with sufficient
knowledge of the applicable data privacy requirements," Got
said.
PCPD News
Hilarious
Drama Educates Public on Privacy Protection
During
the summer months, the PCPD joined hands with the Artiste Training
Alumni Association (ATAA) to disseminate the message of personal
data privacy through a lively on-stage drama entitled "Private
Affairs". The hilarious drama was about a man who appeared
to be deeply in love with his wife, only to be accidentally discovered
by his good friend to be a big liar.
The
play explored a number of privacy issues encountered in daily life
and the audiences were taught ways to protect their own personal
data in a pragmatic manner.
The
drama shows were performed at the Leighton Hill Community Hall (7
August), Sai Ying Pun Community Complex Community Hall (14 August),
Henry G. Leong Yaumatei Community Centre (4 September) and Sha Tin
Town Hall (15 September).
The
PCPD is pleased that the drama shows were well received by over
one thousand audience members. Feedback was overwhelmingly positive. Driven
by the success of this project, the PCPD will explore similar entertaining
channels to further promote the message of personal data privacy
in order to build a harmonious society where everyone respects each
other's privacy.
Private
and confidential
[Photo: Guests of honour Ms. Shelley Lee, JP, Permanent Secretary for Home Affairs (middle of the top photo) and Mr. Yang Ti-liang, GBM, JP, Former Chief Justice and Executive Councillor (right of the bottom photo) presented prizes to winning teams.]
A
woman yelling at her husband, a girl shouting at her brother, another
girl banging on the door and an old man holding a peeled banana
- these are scenes from Privacy?, one of the winning
entries in the "Privacy Protection in Action: TV Advertisement
Competition".
Jointly
organized by the Office of the Privacy Commissioner for Personal
Data and the Hong Kong Federation of Youth Groups, the competition
required participants to produce a one-minute TV advertisement that
aims to raise awareness of privacy among young people.
Winners
of the secondary school category and the open category displayed
creativity and a great sense of humour in spreading the message
about privacy protection.
Three
sixth formers from Buddhist Wong Wan Tin College won the secondary
school category with their advert Privacy?, while
four Year 2 journalism students from the Chinese University of Hong
Kong won the open category.
Each
winning team was awarded a notebook computer, a $5,000 scholarship
and a certificate.
"My first impression is that the entries in the secondary school
category are as good as those in the open category," said one
of the judges, Dr Francis Cheung Wing-ming, registrar of the Hong
Kong Institute of Education.
"All
final entries reflect the creativity of the new Hong Kong generation
and a good understanding of the concept of privacy protection."
Privacy?
shows how people violate others' privacy in daily life. The peeled
banana symbolizes invasion of privacy. "I happened to be eating
a banana when I was thinking about the ad," said Cindy Cheong
Ho-yan, one of the team members. "We talked about it and thought
that if someone invades our privacy, we will be left naked, like
a peeled banana."
The
winning advert in the open category expresses invasion of privacy
in a more abstract way. Two people are playing Jenga, and the blocks
collapse in the end.
"Jenga
represents the structure of society and the stacking of the wooden
blocks represents invasion of privacy. Continuous invasion of privacy
results in the collapse of society," explained Hengky Li Wai-shing,
one of the team members.
The
competition attracted a total of 57 entries. After initial screening,
30 teams were selected to attend seminars and workshops on privacy
protection and film-making techniques.
Both
winning teams said they gained a better understanding of privacy
protection after taking part in the competition.
"Most
of us are used to listening to phone conversations of family members
at home. But now I close my room door when someone is on the phone
to give them some privacy," said Livia Li Wai-nga, a member
of the winning secondary school team.
To
see the winning TV commercials, go to www.pcpd.org.hk.
(Source: 7 July, 2003 South China Morning Post)
Privacy News Around the World
Increase
in Identity Theft in the U.S.
A
survey commissioned by the US Federal Trade Commission ("FTC")
in March and April showed that 27.3 million Americans have been
victims of identity theft in the last five years, including 9.9
million people in the last year alone. According to the survey,
last year's identity theft losses to businesses and financial institutions
totaled nearly US$48 billion and consumer victims reported US$5
billion in out-of-pocket expenses.
The
FTC is the US consumer protection agency. Since 1998, the FTC has
had an Identity Theft Program to assist identity theft victims and
provide guidance on how to resolve the problems, provide law enforcement
training, maintain a nationwide database of ID theft complaints
available to law enforcement and refer complaints to criminal law
enforcement agencies, and provide business and consumer education.
The
survey found that, in the past 12 months, 3.23 million consumers discovered
that new accounts had been opened, and other frauds such as renting
an apartment or home, obtaining medical care or employment, had
been committed in their name. In those cases, the loss to businesses
and financial institutions was US$10,200 per victim. Individual
victims lost an average of US$1,180. Where the thieves solely used
a victim's established accounts, the loss to businesses was US$2,100
per victim. For all forms of identity theft, the loss to business
was US$4,800 and the loss to consumers was US$500, on average.
According
to the survey results, approximately 5 million victims in the last
year discovered that they were victims of identity theft by monitoring
their accounts. Approximately 2.5 million people reported that they
were alerted to suspicious account activity by companies such as
credit card issuers or banks. Others reported that they first learned
when they applied for credit and were turned down.
While
most identity thieves use consumer personal data to make purchases,
the survey reports that almost 1.5 million people in the last year
reported that their personal data was misused in nonfinancial ways,
such as to obtain government documents.
(Source:
www.ftc.gov)
Want
to know more about the Code on Consumer Credit Data?
The
second revision of the Code of Practice on Consumer Credit Data
("The Code") came into effect on 2 June 2003. From then
to November, the PCPD has received over 400 public enquiries, 82%
from individuals and 18% from the financial industry, on various
aspects of the Code. 30% of the questions put forward by individuals
are in relation to credit reports. This indicates that members of
the public are very concerned about their credit report, which is
natural because it may impact upon their credit applications. On
the other hand, over 30% of the enquiries raised by the financial
industry are about the scope of the Code as well as privacy compliance
measures and notification to customers. To ensure that the community
is made aware of the new provisions of the Code, we have extracted
some of the most frequently asked questions below and hope that
they will further enhance your understanding of the Code.
Q1: How can I contact the credit reference agency (CRA) to obtain my
own credit report?
A: You may check contact details of the CRA from your credit provider
and then approach it directly to obtain a copy of your own credit
report. Under normal circumstances, a service charge will be
incurred for using this service. Under the Code, a credit provider
has the right to choose any CRA at its own discretion. However,
the major CRA operating in Hong Kong is called "TransUnion
Information Services Ltd" (www.transunion-hk.com).
Q2: I am aware that residential mortgage loan data are not reportable
to a CRA unless there is currently an outstanding material default.
However, can a credit provider access the CRA database when
it considers a residential mortgage loan application?
A: The revised Code allows credit providers to access the CRA database
for both positive and negative data when they consider a new
grant of credit. Under the Code, a mortgage loan application falls
within the term 'new grant of credit', which means that a
credit provider will be able to access the CRA database to obtain
a credit report relating to the person who applies for a mortgage
loan.
Q3: I am applying for a personal loan with Bank A, from which I have
obtained a credit card facility. Can Bank A
(1) access the CRA database to obtain my full credit report?
(2) make use of the information in my credit report to
review my credit card facility, for example to increase my credit
limit, during the 24-month transitional period?
A: (1) Yes. Bank A can obtain your credit report from the grant
of your personal loan application. This is the purpose
for which the data are to be used.
(2) During the transitional period, the credit report
obtained from (1) above will show positive and negative
data about the accounts you hold. Such data so obtained
should not be used to assess your credit card facility
for an increase in credit limit. A restriction is placed
on the use of positive data for an increase in credit limit
during the transitional period. The proper way for Bank
A is to make a "review" access to obtain a credit
report which contains negative data only.
Q4: If I act as a guarantor to my friend's loan from a bank, will the
bank disclose my role as a guarantor to the CRA?
A: Yes, the bank may report to a CRA the information about you when
you act as a guarantor in a loan. A credit provider may provide
credit data collected from the borrower, including account general
data, to a CRA. As stated in Schedule 2 of the Code, account
general data comprise "capacity of the individual (whether
as a borrower or guarantor)".
Q5: Does the Code cover the scenario of an individual being the guarantor
for a corporate loan?
A: Yes. The definition of "consumer credit" does not restrict
the purpose of the credit facility, but makes reference to the
user of the facility only, i.e. whether it is granted to and
for the use of an individual, or to and for the use of another
person for whom an individual acts as a guarantor. As the meaning
of the word "person" includes not only a natural person
but also a legal person (e.g. a limited company), a corporate
loan guaranteed by an individual will thus fall within the definition
of "consumer credit" under the Code.
For
further details of the Code on consumer credit data, please visit
the PCPD website at www.pcpd.org.hk.
DPOC News
First
Plenary Meeting
The
Club's first meeting was held on 2 July 2003 at the Hong Kong Convention
and Exhibition Centre.
Two
special guests were invited to speak on two distinct aspects
of personal data privacy: promotion and training.
For
the very first time, the Club invited an overseas speaker to share
with our members the work of privacy protection in a different jurisdiction.
Mr. David Taylor, Director, Privacy Awareness from the Office of
the Victorian Privacy Commissioner, took the opportunity to introduce
the Australian privacy legislation, highlighting the work on increasing
public awareness on privacy protection.
Despite
the cultural differences, it was interesting to find that both Australia
and Hong Kong have set the same objectives - that instilling the
culture of respecting each other's privacy among the younger generation
is of paramount importance.
The
PCPD also had the pleasure of having Miss Jenny Got, Business Trainee of
Cathay Pacific Airways, demonstrate its new e-Learning Module
and Online Assessment programme. This is a new initiative designed
for enhancing employees' knowledge about personal data privacy in
a cost-effective way via the Internet at any time and any place.
Data
Protection Workshops
Two
series of privacy workshops entitled "Protection of Employees'
Personal Data" and "A New Approach to the Consumer Credit
Data Code" were carried out exclusively for members in October
and November.