PCPD News provides guidance on good data protection practices to organizations.
PCPD News (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
November 2006 Issue No.17
A Note from the Commissioner
Roderick Woo, Privacy Commissioner for Personal Data
23 September 2006
My dearest mother,
I did
not realize that you, in a faraway place, would be aware of
what is happening here. As you know, I have handled many privacy
issues since assuming office a year ago. However, you might
wonder why I had not participated in the recent discussions
about the privacy of artists. In fact, the current privacy
law in Hong Kong mainly regulates the collection and use of
personal data. Journalistic activities enjoy considerable
exemptions. A decade ago, the Personal Data (Privacy) Ordinance
("the Ordinance") was passed in the Legislative
Council to safeguard the privacy of individuals in relation
to personal data, and to cope with the development of e-business
by allowing free flow of personal data in countries which
have implemented data protection law. Based on the data protection
principles that are internationally recognized, the Ordinance
meets the general standard of the European Union. As information
technology and electronic data transmission were in their
early stages of development at that time, the Ordinance put
emphasis on the "persuasive" aspect instead of imposing
heavy penalty on those who contravened the Ordinance, so as
not to affect the development of business. Today, the social
condition is different. Leakage of personal data may lead
to serious problems of identity theft. It is therefore natural
that more and more people begin to voice different opinions.
Some think that the penalties provided by the Ordinance are
too mild; some even believe that contravention of the Ordinance
should be considered a criminal offence. Nevertheless, no
consensus is reached in the meantime. I agree that there is
still room for improvement in the Ordinance. In this connection,
I have submitted a proposal to the Home Affairs Bureau and
hope that it will be discussed in the Legislative Council
as soon as possible.
In the
past few months, several incidents about leakage of personal
data happened one after another, evoking great responses in
society. Why did they happen? To my mind, as personal data
can be transmitted in large quantities on the Internet in
a flash, slight carelessness will easily bring about serious
privacy problems. For example, in the IPCC Incident, personal
data of 20,000 people were disclosed in an instant. To investigate
the case, my colleagues and I spent a lot of time interviewing
the parties concerned. At the conclusion of our investigation,
a detailed report was written and will be published in accordance
with the provisions of the Ordinance.
My concern
is that similar incidents should not happen again. To attain
this end, I have worked with IT professionals to formulate
a set of guidelines for IT practitioners to follow. Seminars
aimed at improving the handling of personal data are being
organized.
Furthermore,
I have handled two cases relating to fingerprint identification
technology. One of them involved a primary school, which required
its students to record their attendance and purchase of snacks
by a fingerprint sensor, while the other related to an office
employing a fingerprint sensor to enhance the security of
valuable items. Though fingerprint sensors were used in both
cases, my decisions were different. Many people think that
a person's fingerprint will only be taken when he has committed
an offence. After all, fingerprints are highly sensitive personal
data. Unless there are good reasons, e.g. to safeguard valuable
belongings, fingerprints should not be rashly collected.
Some organizations
neglect the importance of safeguarding personal data. They
refuse to face the issue squarely using excuses such as "we
have no resources" or "we shall deal with this later".
Apart from carrying out investigations on receipt of complaints,
I am duly bound to promote and educate the public on personal
data privacy issues. Recently, in a promotion campaign for
the hotel industry, a message about the protection of customers'
personal data privacy was conveyed to over 20,000 hotel practitioners.
I am very glad that the majority of the large hotels have
participated in the event.
In this
age of advanced technology, it is not easy to safeguard personal
data privacy. In an ideal world, there is no misuse or leakage
of personal data. How can that be achieved? One of the ways
is to intensify our compliance checks. Every day, my colleagues
take note of all news concerning suspected contravention of
the Ordinance. We will discuss whether or not to make enquiries
or carry out investigation on our own initiative. Quite apart
from that, I am planning to establish a register of data users
under the Ordinance in order to monitor the situation of collection
or use of data by organizations. Today, with the flow of large
quantities of personal data, I believe it is time to implement
this system to help safeguard our citizens' personal data
more effectively.
Internationally,
privacy protection as a topic of human rights has become increasingly
important in developed countries. In November, I am going
to host the 26th Asia Pacific Privacy Authorities Forum. Privacy
Commissioners from different states of Australia and New Zealand,
as well as representatives of South Korea will attend the
Forum. Representatives of Thailand, Macau and Canada are also
invited. I shall be very busy by then. However, I really enjoy
the work I am doing and do not consider it stressful. As a matter
of fact, I constantly maintain a sense of gratitude.
Your son
Personal Profile
Deputy Privacy Commissioner for Personal Data, Mrs. Bonnie Smith
When meeting
Mrs. Bonnie Smith for the first time, one can immediately
sense that she is quick to the point. Articulate, precise
and frank, Mrs. Smith, who recently became the Deputy Privacy
Commissioner for Personal Data after a long and distinguished
career with the Hong Kong Police, is a woman of principle.
"When I was in the Police, our mission was to serve the
public. Although we have wide powers, it's the way we exercise
our power that counts. To be fair and impartial is very important,"
she says.
Having
risen from the rank of Inspector to Assistant Commissioner,
Mrs. Smith achieved the highest rank among female officers
in the force. She was recently honoured by the SAR government
with a Distinguished Service Medal for Disciplined Services
to acknowledge her outstanding performance in her 33-year
career. Mrs. Smith's formula for success is more than just
hard work and perseverance. "As one ascends the management
ladder, one must learn to change tag and adopt a different
management style at different levels. Apart from relying on
hard facts and statistics, one must learn to develop and trust
one's intuition," she says. "I don't believe in
micro management; I believe in creating a path for the people
I work with and let them run their own course."
It's the
ability to change tag that made her decide to work for the
Office of the Privacy Commissioner for Personal Data (the
"PCPD"). It shares the common mission of serving
the public. Therefore, when she retired from the police earlier
this year, it was quite a natural decision that she applied
for a position here in the PCPD.
Having
joined the PCPD for a few months, Mrs. Smith is impressed
by the dedication of her colleagues. "I am motivated
by my colleagues' noble ambition and their commitment despite
adverse situations and sometimes difficult clients."
[Image: Mrs. Bonnie Smith (centre), Mr. Roderick Woo, the Privacy Commissioner (third from right) and staff of the PCPD at a staff party.]
The efficiency
in the PCPD is also noteworthy. "In the 10 years since
its establishment, the PCPD has made marked progress in successfully
raising community awareness on personal data privacy protection
as well as the provisions of the Personal Data (Privacy) Ordinance
(the "Ordinance"). I've learned that the number
of complaints has been on a gradual rise, but the number of
enquiry calls has dropped. I can only surmise that the public
value their personal data privacy and are getting more and
more aware of their rights. In the meantime, they are getting
more familiar with the provisions of the law; hence, the drop
in the number of enquiries."
"Personal
data is a relatively new subject and the enforcement of the
Ordinance is very complicated because different circumstances
of the cases may give rise to different conclusions. In many
cases, we have to find an equilibrium and strike a balance
between privacy rights and public interests," she says.
In the
short term, Mrs. Smith would continue to work on sustaining
a harmonious working environment in the PCPD. "I would
like to quote a Chinese slogan of making sure that the staff
joyfully come to work and safely return home."
[Image: The Chief Executive, Mr. Donald Tsang, awarded the Distinguished Service Medal for Disciplined Services to Mrs. Bonnie Smith.]
In the
intermediate term, she would like to see the PCPD take a more
proactive approach. "Right now we react to complaints
but I'd like to approach organizations in Hong Kong and to
work more closely with them in complying with the provisions
of the Ordinance before any contravention occurs," Mrs.
Smith says. One of her current projects is the setting up
of an internal knowledge management database. Under various
categories, she is working closely with department heads and
staff in creating an internal system that will enable the
editing, compiling and retention of case information. "It's
like setting a template for archiving data, so that next time,
our search for information becomes easier and we can achieve
more consistency," Mrs. Smith says.
By international
standards, the provisions and enforcement of the Ordinance
in Hong Kong are on par with other first world nations, according
to Mrs. Smith. In the long term, she would like to join the
rest of the privacy community in fostering privacy rights.
"Our work in this area stands firm against the risk of
being marginalized."
On a personal
basis, Mrs. Smith says she tries hard to maintain her exercise
regime of swimming and qi gong. "I think from my police
background I've developed a love for exercising," she
says. She's also an avid traveller, but admits that family
obligations have taken a lot of her time.
In the
meantime, she is settling well into the new career challenge.
"I always try to apply one yardstick and to walk the
talk."
Complaint Case
Successful Conviction Case
On
15 September 2006, a telecommunications company ("the
Company") was convicted of breaching section 34 of the
Personal Data (Privacy) Ordinance (the Ordinance) and was
fined $4,000 in the Kowloon City Magistrates' Court.
In October
2005, the complainant received a telephone call from the Company
promoting its IDD service. He made an "opt-out"
request explicitly over the phone, i.e. asked the Company
not to contact him in the future for direct marketing purposes.
The Company agreed to process the complainant's request by
putting his name on the "opt-out" list. In December
2005, the complainant received another call from the Company
promoting its broadband service. The complainant therefore
lodged a complaint with the PCPD. After investigation, the
Company was charged with an offence under section 34 of the
Ordinance, which requires data users to cease further contact
with the individual if the individual chooses to opt out.
Contravention of section 34 of the Ordinance is an offence
under section 64(10) of the Ordinance.
As there
are growing concerns among the public about the use of personal
data in direct marketing which disrupts people's daily lives,
the PCPD hopes the conviction in this case will serve to warn
organizations against malpractice in handling personal data
when carrying out direct marketing activities.
The last conviction for a similar offence was against a financial
institution in December 2005.
News from the Commissioner's Office
Hotel Privacy Campaign
The Office
of the Privacy Commissioner for Personal Data (PCPD) has jointly
held a campaign, "Pursuing Excellence - Protecting Personal
Data", with the Hong Kong Hotels Association, aiming
to raise hotel practitioners' awareness of the protection
of customers' and employees' personal data privacy in their
everyday work.
The inauguration
ceremony was officiated by the Privacy Commissioner for Personal
Data, Mr. Roderick Woo, Executive Director of the Hong Kong
Hotels Association, Mr. James Lu, and famous artist, Miss
Sheren Tang, on 27 June 2006. Management personnel from various
hotels also attended the ceremony.
From July
to October 2006, staff of the PCPD carried out promotional activities
in individual hotels, including seminars, display panels,
games and on-the-spot explanation of personal data privacy
issues to hotel staff. In order to cater for the training
needs of the hotel industry, i.e. to cope with their irregular
working hours and diversified work nature, the PCPD has specially
developed an on-line self-training module (www.privacyelearning.org)
for them to learn the requirements of the Personal Data (Privacy)
Ordinance (the Ordinance) at their convenience and at their
own pace. Moreover, hotel personnel may take part in a writing
competition to express their feelings about and experiences
of the protection of personal data.
The campaign
has received overwhelming support from the hotel industry.
With participation of 44 hotels in the campaign, about 20,000
hotel practitioners have learnt about compliance with the
Ordinance.
[Image: The Privacy Commissioner for Personal Data, Mr. Roderick Woo (middle), the Executive Director of the Hong Kong Hotels Association, Mr. James Lu (right), and famous artist, Miss Sheren Tang, officiated at the inauguration ceremony of the "Hotel Privacy Campaign".]
[Image: Mr. Roderick Woo made a welcome speech at the inauguration ceremony of the "Hotel Privacy Campaign".]
Privacy Commissioner releases the IPCC investigation report
[Image: The Privacy Commissioner for Personal Data, Mr. Roderick Woo (middle) held a press conference with Chief Legal Counsel of PCPD, Miss Brenda Kwok (left) and Chief Personal Data Officer of PCPD, Mr. K.T. Chan (right) on 16 October 2006 to announce a report on the result of an investigation of the leakage on the Internet of personal data relating to complaints made against the Police by the public.]
[Image: On the same day, Mr. Roderick Woo, Dr. K.P. Chow, Committee Member, IT Division, Hong Kong Institute of Engineers (the first on the right), Ms Susanna Chiu, Immediate Past President, Information Systems Audit and Control Association (Hong Kong Chapter) (the first on the left), and Dr. Elizabeth Quat, President & Co-founder, Internet Professional Association (the second on the left) officiated at the inauguration ceremony of the "Information Security Enhancement Campaign".]
On 26
October 2006, the Privacy Commissioner for Personal Data (the
Commissioner) Mr. Roderick B. Woo published a report (the
Report) on the result of an investigation of the leakage on
the Internet of personal data relating to complaints made
against the Police by the public.
The incident
was first reported in a local newspaper on 10 March 2006.
Personal data of about 20,000 people who had made complaints
to the Police held by the Independent Police Complaints Council
(IPCC) were posted on the Internet and became accessible by
the public. The Commissioner immediately carried out a self-initiated
investigation on 15 March 2006.
In the
Report, the Commissioner found that the IPCC had contravened
the requirements of Data Protection Principle (DPP) 4 of Schedule
1 to the Personal Data (Privacy) Ordinance (the Ordinance).
DPP4 provides that a data user shall take all reasonably practicable
steps to ensure that personal data held by it are protected
against unauthorized or accidental access, processing, erasure
or other use. It requires a data user to implement security
safeguards and precautions in relation to the personal data
in its possession, the level of which should reflect the sensitivity
of the data and the seriousness of the potential harm that
may result from a security breach.
The basis
of the Commissioner's findings was that the IPCC had failed
to take: (i) any steps to prevent the data from being released
to the outsourced IT contractor without due consideration
of the necessity of doing so; (ii) any precautionary measures
to safeguard the data that had been released to the outsourced
contractor; and (iii) any practicable steps to ensure the
integrity, prudence and competence of persons having access
to the data, resulting in the leakage of the data on the Internet.
In the
exercise of his power under section 50 of the Ordinance, the
Commissioner issued an Enforcement Notice to the IPCC on 18
September 2006 directing it to do the following by 16 October
2006:
1. Devise the necessary policy and practical guidelines for the proper handling and protection of the complaint data when dealing with an outsourced contractor or agent;
2. Implement effective measures to ensure compliance by its staff with those policy and guidelines; and
3. Review the existing outsourcing contracts and endeavor to incorporate into those contracts terms in respect of measures required to be taken by the contractors to protect the complaint data handed to them by the IPCC.
On 16
October 2006, the IPCC complied fully with the Enforcement
Notice.
Learning
from this unfortunate incident, data users should be highly
alert in handling sensitive or large quantities of personal
data, particularly if they are in electronic form. In the
event that they are asked to release a database containing personal
data to an outsourced contractor or agent, precautionary measures
should be taken to prevent data leakage.
In an
effort to prevent recurrence of similar incidents, the Commissioner
has launched an informational campaign titled "Information
Security Enhancement Campaign" jointly with three major
IT professional bodies, namely Information Systems Audit and
Control Association (Hong Kong Chapter), Internet Professional
Association and Hong Kong Institute of Engineers, to raise
the awareness of personal data privacy protection among IT
professionals. As part of the Campaign, an information booklet,
titled "Recommended Procedures for IT Practitioners on
Personal Data Handling", is published providing guidance
for IT professionals across all sectors.
Copies
of the Investigation Report and the Booklet are available
from the PCPD at 12/F., 248 Queen's Road East, Wan Chai, Hong
Kong. They are also available for download from the website of the PCPD
(http://www.pcpd.org.hk).
"Introduction to the Personal Data (Privacy) Ordinance" Seminar
In order to raise the public's awareness and understanding of the Personal Data (Privacy) Ordinance, the PCPD will organize free seminars on the following dates:
12 January 2007 (Friday)
9 February 2007 (Friday)
9 March 2007 (Friday)
13 April 2007 (Friday)
11 May 2007 (Friday)
8 June 2007 (Friday)
13 July 2007 (Friday)
10 August 2007 (Friday)
7 September 2007 (Friday)
12 October 2007 (Friday)
9 November 2007 (Friday)
7 November 2007 (Friday)
Please
visit our website (www.pcpd.org.hk) for further information,
or contact 2877 7159 (Mr. Cheung) or 2877 7152 (Ms Chan)
to reserve a seat.
New Book: "Data Protection Principles in the Personal Data (Privacy) Ordinance - from the Privacy Commissioner's perspective"
The PCPD
has recently released a book titled "Data Protection
Principles in the Personal Data (Privacy) Ordinance - from
the Privacy Commissioner's perspective".
For nearly
a decade, personal data privacy right has been statutorily
recognized and protected as an independent right of individuals
under the Personal Data (Privacy) Ordinance ("the Ordinance").
This book explains, in a systematic and in-depth manner, the
ways in which the major provisions of the Ordinance have been
generally applied by the Privacy Commissioner for Personal
Data.
The book,
being the first of its kind published by this Office, contains
topics that are selected primarily on the basis of their practical
importance to data users in handling personal data and to
data subjects in understanding their rights. Where appropriate,
references were made to the relevant case laws, Administrative
Appeals Board's decisions and views taken by the Privacy Commissioner
in the handling of complaints and enquiry cases in discharge
of his regulatory functions and powers.
Given
the implication that the Ordinance will have on public and
private sectors alike, this book will be of special value
to data users, legal practitioners, and individuals who are
interested in acquiring a better understanding of the Ordinance,
especially from the compliance point of view.
This book
is available in English only at this moment. Interested parties
should fill in the Order Form and return it with the appropriate
payment to the PCPD.
e-Inclusion Campaign 2006
The PCPD
official website (www.pcpd.org.hk) has won the gold prize
of e-Inclusion Campaign 2006, organized by the Internet Professional
Association. The objective of the campaign is to bridge the digital
divide in society so that everyone will have equal opportunities
in sharing the benefits brought about by advanced information
technology.
Privacy Officer's Journal
[Image: A self-portrait of "Ah Lo"]
My
parents are very strict. My mother has been highly interfering
in my brother's and my private affairs. Apart from "excessive"
concerns in our academic achievements and social lives, acts
of "unfair collection", such as intentional and
unintentional telephone conversation monitoring, searches
of my elder brother's room for his girl friend's love letters
and inspection of rubbish bin for my monthly bank statements
are usually found at home. I even doubt that my credit records
held by my mother are more comprehensive than those held by
credit reference agencies! (Fortunately, a powerful shredder
has been installed recently)
No more
about my mother. Let me talk about the challenges in my new
job. As I am a person without much patience and do not like
to talk too much, it is strange to my friends and relatives
that I have been a teacher for eight years. Now, in the PCPD,
in addition to complaint handling, my patience in hotline
answering worries my family members most. Luckily, nothing
has gone wrong so far. In fact, listening to others' stories,
speaking comfort to them, and offering some explanations and
guidance are just the regular "OT" work I used to
do at night when I was a teacher. The patience in listening
to hotline enquiries, the ability of empathizing with others,
and the skill needed to explain the Ordinance is exactly what
I have benefited from teaching. Though the two jobs seem to
be totally unrelated, the skills needed are somehow similar.
Apart
from changes in my job, there are also some interesting changes
in my private life. For example, my old student who had only
called me for computing solutions asked me earlier whether
it was reasonable if a principal requested her to provide
her medical records during application for admission. In a
gathering of my old students, the one who works in the personnel
field asked me a series of job-related questions. It so happened
that I, for the sake of fun, brought a copy of the "Code
of Practice on Human Resource Management" as souvenir
on that day. My old classmates in the field of property management
and my ex-colleagues working in hotels have also asked me
different kinds of questions relating to the Privacy Ordinance.
Even the photo website that I often visit has asked me how
to write the "Personal Information Collection Statement".
I finally realize that the work in the PCPD is the same as
teaching, i.e., we help people unwittingly and change the
society gradually.
Let me
go back to my "detective" mother. Since joining
the PCPD, we have chit-chatted more about privacy protection.
To my surprise, my mother has recently learnt to refrain herself
from being too curious. It appears that imperceptible influence
is more effective than shouting slogans in encouraging people
to face the issue of respect for privacy squarely. I believe
that "privacy protection" is quite similar to "environmental
protection". Both require the nurture of protection awareness
before mass participation can result. As small achievement
in the cultivation of "environmental protection awareness"
can only be attained after more than a decade's hard work,
we may not be able to change the views of our elders on privacy
protection all at once. However, through promotion and education,
not only can we change the mind of the current generation,
but also nurture a younger generation with "privacy protection
awareness".
Lastly,
I would like to mention one more thing. Since I did not have
an English name, I was labeled "Ah Lo" without a
choice when I first joined the PCPD. Actually, you may call
me "Lo Fan" if you like. In future, if you find
my service satisfactory, you may simply say, "Thank you,
Lo Fan!"
(Author:
Mr. D.F. Lo, Assistant Personal Data Officer.)
DPOC News
Experience Sharing Meeting
The Data
Protection Officers' Club has been striving to arrange different
activities for its members to share their views on data protection.
Learning that Sony Corporation of Hong Kong Limited has been
remarkably successful in promoting the protection of personal
data privacy to its staff, the PCPD invited it to attend the
first experience sharing meeting of the Club.
In the
meeting held at the headquarters of the corporation on 26
May 2006, Ms Candy Wong, Senior Manager of Sony's Legal Division,
told members how effective and interesting methods were used
to promote the awareness of personal data protection amongst
employees. A short video on the protection of customers' data,
written, directed and played by the staff of Sony, was also
shown in the meeting. Members agreed that they had gained
valuable experience in this brand-new sharing session.
Statistics on Complaints & Enquiries
[Image of Image]
[Image of Image]