| A Note from the Commissioner |
|
Privacy Protection from an International Perspective
Privacy
has never been a private matter. Having taken up the Office for
two years, I am glad I don't work alone in protecting personal data
privacy.
My
Office plays a vital role in protecting personal data privacy, which
is a human rights issue of significance to people who live in developed
economies. We also strive to ensure that our privacy laws are compatible
with the requirements of our international business partners - especially
in e-commerce so that Hong Kong can thrive as an international business
hub.
Locally,
our efforts in dealing with social issues that impact on individuals'
personal data privacy have won widespread support from different
sectors of the community. Internationally, I have been exchanging
and sharing information on topical privacy issues with my counterparts
in other jurisdictions. It is one of my statutory duties to liaise
and co-operate with overseas privacy authorities on matters of mutual
interest concerning personal data privacy.
My
Office has built a sustainable network with privacy officials in
other jurisdictions. From 1992, we started partnerships with Australia
and New Zealand to exchange ideas about privacy regulation, new
technologies and the management of privacy enquiries and complaints.
In 2005, the partnerships were officially re-named Asia Pacific
Privacy Authorities, comprising privacy authorities from Australia
(including federal and state offices), New Zealand, South Korea
and Hong Kong. Our most recent meeting was held in Hong Kong for
the first time and members agreed to achieve our common objectives
through a regional promotional programme, Privacy Awareness Week,
from 26 August to 1 September, 2007. A series of exciting activities
will take place to raise privacy awareness in the Asia Pacific region.
At
the inter-government level, my Office has been actively involved
in the Data Privacy Subgroup (DPS) of the Electronic Commerce Steering
Group (ECSG) under the Asia Pacific Economic Cooperation (APEC).
In 2004, the DPS developed a Privacy Framework, which was endorsed
by APEC ministers. Currently, the DPS is working to implement the
Privacy Framework in relation to cross-border transfers of personal
information. I have joined the Cross Border Privacy Rules Study
Group which aims at developing a set of Cross Border Privacy Rules
(CBPR). These rules comply with and implement the APEC Privacy Principles
that govern cross-border transfers of or access to personal information
of individuals by private organizations. The efforts are particularly
beneficial in establishing a foundation of trust in the digital
age among member economies.
Earlier
this year, government privacy experts, data protection authorities,
academics, as well as business and consumer representatives discussed
the development and use of CBPR by the business community at the
First Technical Assistance Seminar on International Implementation
of the APEC Privacy Framework. Since member economies are at varying
stages of implementing the APEC Privacy Framework, a highly flexible
"Choice of Approach" implementation model has been adopted.
In June, members will meet for the Second Seminar and decide what
steps to take in the implementation of these cross-border cooperation
mechanisms.
All
of the above approaches, to the extent that they are relevant to
Hong Kong, can provide us with valuable insight. By looking at privacy
matters from an international perspective, we gain a balanced outlook
on the development of data privacy rights.
Roderick Woo
Privacy Commissioner for Personal Data
June 2007
|
| Feature |
|
|
|
As
recently as 10 years ago, few people could have imagined just how
popular or prevalent the practice of uploading videos or personal
files on the Internet would be. Even fewer people could have anticipated
how this would affect personal privacy.
Today,
the seemingly simple and innocent method of posting home videos
or personal pictures online might result in a less-than-favourable
response. Suppose you attended a friend's birthday party one weekend
but found out later that an embarrassing moment you were in was
captured on camera using a mobile phone and posted online for everyone
to see. When your personal information is made publicly available
online, there is no control over who will have access to it or what
the consequences will be.
These
days, social networking websites or personal web pages are increasingly
common, especially among the younger generation. Websites such as
YouTube, MySpace and Facebook feature lots of personal information,
including photos and journals, and are the preferred medium by which
people communicate with friends and family or meet other people.
Last
November, the Hong Kong Christian Service conducted a survey [1]
of primary school students from Year 4 to 6 to gauge their online
communication activities. The results showed that 19.9% of the respondents
communicated with friends by blogging. Some 23.4% of girls and 16.6%
of boys wrote about their personal life. The majority of blog writers
targeted friends (78.9%), followed by on-line friends (32.6%). Similarly,
Breakthrough conducted a survey [2] in 2005 of people aged
10 to 29 about their online diary habits. It indicated that 99.7%
of the respondents had read online diaries while 75.5% had written
them.
Topics included the little things in life, at 72.8%; social life,
70.8%; and academic or career issues, 62.4%. The diary contents
covered emotions, 88%; the little things in life, 85.1%; and happenings,
75.4%. The survey found that young people allow others to read their
diary - 88.5% of them let people read all or most of the contents
while 66.2% let web surfers read their diaries.
Both
surveys showed that young people perceive blogging as a communication
tool to express their feelings, thoughts and everyday events. "Privacy
is about how you respect other people's information. It is a good
thing to see how young people open their hearts and communicate
with the outside world. However, disclosing sensitive personal information
should be handled with great care," Privacy Commissioner Mr.
Roderick Woo said.
There
has been an upward trend in the number of complaints in relation
to improper disclosure of personal information via electronic means,
from 22 cases in 2005 to 37 cases in 2006. In the first quarter
of this year, 26 cases have been received. In terms of the nature
of the cases, most of them (52 cases) are against individuals, whilst
the rest (18 cases) against companies. In one case, the complainant
quarreled with someone in a shop only to discover later that a video
of the incident had been uploaded on a public website. In some cases,
the complainants were unhappy to find their personal information
posted on websites without their consent and therefore lodged complaints
with the Commissioner's Office against the website administrators.
The Australian Law Reform Commission (ALRC) has been consulting
with young people in Australia as part of a current review of privacy
laws, and has found varying views about posting photos online. Based
on their experiences, some young people have suggested that by posing
for a photo you more or less consent to it being posted online [3].
This
is a controversial issue. The traditional way of sharing photos
tends to be confined to close friends and family members. You would
never go out on the street and show total strangers your wedding
photos, for example. It would also be absurd to seek your friend's
consent to share the photos before taking them.
The
Internet has fundamentally transformed the mode of sharing photos.
You may argue that it is my right to post my photos on my web page.
But do your friends have the right to stop you from revealing their
personal information on the Internet?
To
encourage young people to respect people's privacy, the PCPD is
joining hands with Australia, New Zealand and South Korea to organize
Privacy Awareness Week 2007 this summer. One of the activities is
a Writing Competition about young people's perceptions of privacy.
Young people are encouraged to express their feelings about personal
data privacy, especially online privacy. How would you feel if
someone posted your personal information online? Do you expect people
to seek your consent before posting your information online? If
privacy rules are set for blogs, what should they be for disclosing
information online? These are questions that are worth young people's
deep thought.
[1] The full survey report is accessible from the Hong Kong Christian Service
website at www.hkcs.org/news/press/2007press/press20070420.htm.
[2] The full survey report is accessible from the Breakthrough website at
www.breakthrough.org.hk/ir/researchlog.htm.
[3] More information can be found on the ALRC website at
www.alrc.gov.au/inquiries/current/privacy/talk/youngpeople1.htm.
|
| Complaint Cases |
| Successful Conviction Cases |
|
First Case
A
debt collection agent (the Agent) was convicted of an offence under
section 64(7) of the Personal Data (Privacy) Ordinance (the Ordinance)
for contravening an enforcement notice (EN) issued by the Privacy
Commissioner for Personal Data. The case was heard in Tsuen Wan
Magistrates' Courts on 27 December 2006. The Agent pleaded guilty
to the charge and was fined HK$5,000.
The
complainant was the referee named by a debtor who had borrowed money
from a financial institution which appointed the Agent to recover
the debt. In pursuing debts of the borrower, the Agent posted notices
containing the complainant's name in public places.
The
Privacy Commissioner was of the view that the Agent had contravened
Data Protection Principle 3 (DPP3) by displaying the complainant's
personal data publicly. DPP3 of the Ordinance stipulates that personal
data shall not be used for a purpose other than its original purpose
of collection or a directly related purpose unless it is done with
the prescribed consent of the data subject.
After
investigating, the Privacy Commissioner served the EN to the Agent
in June 2006. The Agent did not respond to the EN. As a result,
he contravened section 64(7) of the Ordinance. In July 2006, the
Privacy Commissioner referred the case to the police.
In
accordance with DPP3, a debt collector should only use the personal
data of the referee in contacting or seeking information concerning
the whereabouts of the debtor rather than exerting pressure on the
referee to repay the debt. The PCPD hopes this conviction will deter
misuse of personal data for debt collection.
|
|
Second Case
The
complainant protested against a telecommunications company ("the
Company") for repeatedly making direct marketing calls to his
office telephone, even after verbal and written opt-out requests
had been made.
The
Company began contacting the complainant by phone to promote its
IDD services in July 2005. The complainant requested the Company
several times to stop the calls. However, the Company continued
to call him on a number of occasions for direct marketing purposes
despite his opt-out requests. In February 2006, the complainant
lodged a complaint with the PCPD.
In July 2006, the PCPD issued a written warning to the Company requiring
it to stop making direct marketing calls to the complainant. In
August 2006, the complainant received at least four marketing calls
from the Company. The Privacy Commissioner concluded that this was
contrary to section 34(1)(ii) of the Ordinance and referred the
case to the police for prosecution.
Four
summonses were issued against the Company for contravening section
34 of the Ordinance. The magistrate convicted the Company of the
four summonses in the Kwun Tong Magistrates' Courts on 17 January
2007. In mitigation, the Company stated that the marketing calls
were made by employees of its Shenzhen sub-contractor, who failed
to check the opt-out list before making the calls. The magistrate
remarked that the marketing calls were "disgusting and annoying"
and imposed a total fine of HK$14,000.
|
| Activities |
|
"Privacy is Your Business" Writing Competition
People
are increasingly concerned about "privacy". In fact, everybody
has different views about privacy. But what about the younger generation?
What are their views?
In
an effort to raise awareness of privacy issues among young people,
the Office of the Privacy Commissioner for Personal Data, Hong Kong,
will jointly organize a regional writing competition with members
of Asia Pacific Privacy Authorities (APPA), including the Australian
and New Zealand Privacy Commissioner's Offices. The writing competition
is one of the joint activities of "Privacy Awareness Week"
from 26 August to 1 September 2007.
The
topic of the writing competition is "Privacy is Your Business".
It is open to all secondary school students. Entries can
be in any form of writing, including poetry, prose or an internet
blog, in English or Chinese. Prizes for winners include laptop computers,
gift vouchers and prize certificates.
The
deadline is 3 August 2007. For details, please call the PCPD hotline
on 2827 2827 or visit the PCPD website (www.pcpd.org.hk).
|
|
Privacy Commissioner Issues Consultation Paper on Proposed Amendments to the Consumer Credit Data Code
The
Privacy Commissioner for Personal Data, Mr. Roderick Woo, issued
a consultation paper on 22 May 2007 to seek the public's views on
his proposal to amend the Code of Practice on Consumer Credit Data
("the Code").
The
proposed amendments to the Code can be divided into (a) amendments
relating to the retention of data in relation to write-off accounts
due to a bankruptcy order being made; and (b) minor technical amendments.
Interested parties are invited to send their comments in writing
to the PCPD by 29 June 2007. Copies of the consultation paper are
available at the PCPD at 12/F, 248 Queen's Road East, Wanchai, Hong
Kong; or from PCPD's website at www.pcpd.org.hk.
|
| New Publication |
|
Guidance Note on Property Management Practices
The
PCPD has published a new guidance note, titled "Personal Data
Privacy: Guidance on Property Management Practices".
In
response to enquiries and complaints in relation to property management
activities, the PCPD finds it necessary to provide a clear set of
good practices to assist property management bodies in better understanding
the application of the Personal Data (Privacy) Ordinance ("the
Ordinance") to specific situations commonly encountered by
them.
In
the course of property management, personal data of flat owners,
residents and other individuals are often collected and used by
property management bodies like owners' corporations, owners' committees,
mutual aid committees or property management agents. These activities
are subject to the requirements of the Ordinance. The guidance note
covers major property management activities, namely the application
of building entry pass or smart card, recording of names and identity
card numbers of visitors, recording of personal data of car park
users, proxy form for owners' meeting, minutes of meeting or notices
to residents relating to building management affairs, and handling
of complaints from owners or other individuals.
The
guidance note is available for downloading from the website of the
Commissioner's Office (www.pcpd.org.hk).
Copies are also available from the PCPD at 12/F., 248 Queen's Road
East, Wan Chai, Hong Kong.
|
| Activities |
|
The 26th Asia Pacific Privacy Authorities Forum
| Attendees of the 26th APPA Forum. |
From
8th to 10th November 2006, the PCPD hosted the 26th Asia Pacific
Privacy Authorities (APPA) Forum in Hong Kong. The APPA was established
in 1992 (formerly known as PANZA) as a platform for regional privacy
authorities to form partnerships and exchange ideas about privacy
regulation, new technologies and the management of privacy enquiries
and complaints. APPA convenes twice a year and members take turns
to host the Forum. This was the first time it was held in Hong Kong.
In hosting the Forum, the PCPD showed its commitment to the protection
of personal data privacy.
|
|
Hotel Privacy Campaign Prize Presentation Ceremony
Organized
for the hotel industry, a campaign entitled "Pursuing Excellence
- Protecting Personal Data" was successfully implemented in
November 2006. A prize presentation ceremony was held on 14 December
2006. Mr. Roderick Woo, Privacy Commissioner (second from right,
first row), Mr. James Lu, the Executive Director of the Hong Kong
Hotels Association (middle, first row) and winners took group photos
at the prize presentation ceremony.
|
| Privacy Officer's Journal |
|
|
One
of my duties involves giving legal advice on the application of
the provisions of the Personal Data (Privacy) Ordinance ("the
Ordinance"). The challenge is how the word and spirit of the
Ordinance are meaningfully interpreted and applied.
Prevention is always better than the cure. One of the more effective
ways to achieve this is by giving practical guidance to data users.
For example, I have been involved in developing the Privacy Guidelines:
Monitoring and Personal Data Privacy at Work ("the Guidelines"),
which is issued by the Commissioner. It recommends practices to
be followed by employers who wish to monitor their employees. The
Guidelines introduced a simple "3A" and "3C"
approach with ample practical examples to illustrate the concepts
of fairness and transparency in data protection. The approach is
user friendly and can be easily applied by employers.
I
have to handle administrative appeal cases and legal proceedings
brought against the Commissioner. Decisions handed down by the Judicial
and Administrative Appeals Board ("AAB") are useful references
that I use to support legal advice. An AAB hearing is an appeal
channel available under the Ordinance to a party who is dissatisfied
with the decision made by the Commissioner. Unlike judicial court
hearings, the AAB proceedings are conducted in a simple and informal
manner with the parties taking turns to make their submissions.
The Board is made up of three members, one of whom is the presiding
chairman. Since the Commissioner plays the role of respondent in
the appeal, I have to defend and explain the decisions made by the
Commissioner. Issues might include the interpretation of certain
provisions of the Ordinance and how the discretion of the Commissioner
was properly exercised in a case. Sometimes it can be an uphill
battle. The decisions of the AAB are useful precedents as they either
reinforce the views adopted by the Commissioner or correct them.
The relatively high rate at which these appeal cases are dismissed indicates
the Commissioner is usually correct.
I
also have to keep updated on international and local privacy developments
and the impact of any technological advancement on personal data
privacy. There are constantly new IT breakthroughs, such as RFID,
e-health, GPS, Smart ID and others that raise privacy issues. As
Legal Counsel, I assist the Commissioner in reviewing and assessing
the adequacy of the Ordinance to uphold personal data privacy rights.
Appropriate amendments will be proposed to the Government.
Author:
Ms Margaret Chiu
Legal Counsel of the PCPD
|
| Activities |
|
Seminar on "Protecting Personal Data in the Electronic Media"
|
In
order to raise awareness of the protection of personal data
privacy among IT professionals, the PCPD organized a seminar
with three major local IT professional bodies on 27 March 2007.
The event received an overwhelming response with over 340 participants
from the government and telecommunications, financial and educational
institutions. |
| From
left: Ir. Dr. K.P. Chow, Committee Member, IT Division, HKIE,
Mr. Micky Lo, Managing Director and Head - Asia IT Risk Management,
JPMorgan Chase Bank, N.A., Dr. Elizabeth Quat, Co-founder, iProA,
Mr. Dale Johnstone, Chief Information Security Officer, PCCW
Ltd and Mr. Vincent Chan, President, ISACA shared their views
with participants during the panel discussion. |
|
| DPOC News |
|
|
Luncheon-cum-sharing gathering
In
order to foster better communication between the PCPD and its members,
the DPOC organized four informal luncheon meetings in February and
March 2007. Members from different sectors were grouped into separate
luncheons so they could share their work experience in a relaxing
atmosphere.
Representatives from PCPD's Legal, Operations and Compliance Divisions
also joined in. Members generally felt the gathering provided them
a platform to build up a network with other data protection officers
and enhance their work experience and knowledge in personal data
protection.
|
|