FEATURE

The Right of Making Data Access Requests

In this computer age, our personal data are recorded in various systems
in our daily lives or work. Sometimes, people may worry if they
will suffer losses when there are errors in such data, e.g. applications
for mortgage loans are rejected due to inaccurate data in consumer
credit reports. In fact, there is no need to worry. Under the Personal
Data (Privacy) Ordinance ("the Ordinance"), an individual has the
right to make a request to be informed by a data user, e.g. government
department or private organization, whether the data user holds
his personal data and to be supplied with a copy of such data. If
errors are spotted, requests for correction of data can be made.

It is very simple to make a data access request. When the Data Access
Request Form (OPS003) issued by the Privacy Commissioner is completed
by the data subject or a relevant person, it can be directly sent
to the data user concerned, which then has the duty to respond within
40 days after receiving the request. When completing the form, the requestor
should specify clearly and in detail the personal data requested.
Description of the data should be as specific as possible in order
to facilitate the data user in complying with the request.

From April 2006 to March 2007, the PCPD received 85 complaints about
data access and data correction requests. Three types of common
misunderstanding are found in these cases:

The first is about reply. The Ordinance imposes a strict obligation
upon the data user to comply with the request within 40 days after
receiving it. Even if it has justifications to refuse compliance,
e.g. if it is not supplied with sufficient information to enable
it to locate the personal data requested, it should still give a
written reply within the time limit, stating the reasons for refusal.

The second is about payment. People are usually dissatisfied when a
data user imposes a fee for complying with a data access request.
In fact, the Ordinance allows a data user to impose a fee that is
not "excessive". What is "not excessive"? Although the Ordinance is
silent on what is an "excessive" fee, the Privacy Commissioner finds
it against the legislative interest that the provision be used by
the data user to make profit, much worse if it is used to deter
a data subject from exercising his data access right. In general,
a data user should only charge for the labour cost and actual expenses
incurred in the process of data searching, retrieving and copying.

The third is about the personal data of a third party. Since a data
subject is only entitled to access his own personal data, a data
user should ensure that in complying with a data access request,
personal data of third parties are not disclosed unless consent
is obtained. A data user may achieve this by omitting the names,
or other identifying particulars of those third parties.

In recent years, the Administrative Appeals Board has heard and decided
various cases in relation to data access requests. With the benefit
of these decisions, the Privacy Commissioner has amended the Data
Access Request Form (OPS003) so that the public and data users alike
can clearly know the scope of a data access request under the Ordinance,
as well as their rights and responsibilities. The new form was gazetted
on 4 January and will be effective on 1 April. Copies will be available
from the office of the PCPD or various District Offices, or can
be downloaded from the website of the PCPD (www.pcpd.org.hk)
from that day onwards.

A NOTE FROM THE COMMISSIONER

More Fruitful Outcomes

In reviewing our work done in the area of personal data protection
last year, I am gratified to note that the level of awareness of
personal data protection was very high. There are of course many
reasons for this, but I am satisfied that my Office had made a significant
contribution in helping to promote that awareness.

The numbers of complaints and enquiries remained constant. This comes
as no surprise because the Ordinance has been in place for more
than ten years. The statistics do not however show that the enquiries
from the private sector as well as those from government departments
and government-related agencies had become more complex and sophisticated
than ever before. The enquirers clearly demonstrated that they had
more than a passing knowledge of the provisions of the Personal
Data (Privacy) Ordinance.

Reportedly more than 160 million copies of personal data were stolen or missing
on the internet in the USA in 2007. This represented a drastic triple
increase from the previous year. We may console ourselves that locally
no large volumes of personal data were mishandled in the same period,
but we cannot be complacent. Hong Kong must continue to give serious
attention to personal data protection.

My colleagues and I are expected to play many roles. One of these is
that of a promoter and educator. In 2007, we regularly held training
seminars. All of these were exceedingly well attended. The message
that we put out from year to year is that personal data should be
handled with due care by both the data users and the data subjects.
Much of it is common sense, e.g. bank statements should be shredded
and not just thrown away if they are no longer wanted. We had tried
to communicate with individual industries that handled large volumes
of personal data. The Hotel Privacy Campaign was a resounding success.
So were the training sessions for IT professionals and managers
on protecting personal data in the electronic media which were held
in conjunction with other concerned professional groups. We will
certainly continue in that direction.

We are expected to handle complaints from the public, and make investigations
in appropriate circumstances. These investigations had in the past
led to some well-publicized reports. We also continue to initiate
compliance checks. Sometimes it would appear that these were luxury
items because of the limited resources we were given, much of which
had to be assigned to the work related to actual complaints. In
an ideal world situation, compliance checks should be given as much
importance, if not more.

Another role which we are expected to play is that of an enforcer. Even
though the legislation does not give me power to prosecute offenders
under the Ordinance, I do issue, where appropriate, Enforcement
Notices (ENs). The purpose of issuing ENs is to require the offending
data users to do and/or not to do certain things so as to achieve
compliance with the six Data Protection Principles. We also referred
a number of cases to the Police for them to prosecute. In 2007,
there were three successful convictions of offences which were all
related to inappropriate use of personal data for direct marketing.

My hopes for 2008 include doing more promotion and training work (because
prevention is better than cure); assisting the Administration to
update the Ordinance (because data protection is still in an evolutionary
stage); and making more compliance checks with additional resources.

Roderick Woo
Privacy Commissioner for Personal Data
February 2008

COMPLAINT CASE/COMPLIANCE CHECK

Complaint Case

Two Companies Convicted of Improper Direct Marketing

In recent years, the number of convictions under the Personal
Data (Privacy) Ordinance (the Ordinance) for the use
of personal data in direct marketing has been on the
rise. Last year, for example, a marketing company and
a credit card company were convicted in June and August
and fined $6,000 and $7,000 respectively.

It is commonly agreed that direct marketing is an acceptable
means of business promotion in a free economy. However,
organizations often ignore the public's right of making
an "opt-out request" and keep causing annoyance to them.
The Ordinance provides that when an organization approaches
an individual for the first time for direct marketing
purpose, the organization should inform the individual
that he/she has the right to request the organization
to stop using his/her personal data for such purpose.
Unfortunately, some organizations did not handle the
opt-out requests properly. They continued to use the
personal data of the individuals in direct marketing
and thus contravened the requirement of the Ordinance.
In 2007, three organizations were convicted of such an
act. In fact, if a responsible organization abides by
the law and protects the interests of the public, its
goodwill will naturally be established with the support of
customers. Improper marketing means are disgusting.
Organizations using such means will achieve no actual
benefit to their business, but will expose themselves to the
risk of prosecution under the Ordinance.

Compliance Check

What kinds of personal data should a job applicant submit?

Job applicants for the position of a bar captain at a hotel
were asked to fill in personal details on the application
form, including their height, weight, family status
as well as information about their parents and siblings.
After learning about this situation, the PCPD conducted
a compliance check to see if the hotel was collecting
excessive personal data.

The Code of Practice on Human Resource Management states
that: "An employer should not collect personal data from
job applicants unless the data are adequate but not
excessive in relation to the purpose of recruitment";
"An employer may collect personal data concerning a
job applicant's family members, if the personal data
relate to employment circumstances of the applicant's
family members only to the extent necessary for assessing
whether any conflict of interest might arise should
the applicant be offered the job; and are adequate but
not excessive in relation to this purpose."

Concluding that the hotel had collected excessive personal data,
contravening the Code, the PCPD demanded that it stop
doing so immediately and destroy the data collected
from the job applicants. The hotel took immediate remedial
action. The PCPD reminds prospective employers to only
collect necessary personal data from job applicants
having regard to the job nature and actual needs during
recruitment, instead of indiscriminately collecting "all"
the data of the job applicants.

NEWS FROM THE PCPD

The PCPD held the Privacy Awareness Week 2007 with members of the Asia
Pacific Privacy Authorities (APPA), including Privacy Commissioners
of Australia, Hong Kong, New Zealand, and the Australian States
of the Northern Territory, New South Wales and Victoria. The event
took place from 26 August to 1 September, 2007. Under the theme
of "Privacy is Your Business", the event featured various activities
designed to help raise personal data protection awareness in the
region.

In Hong Kong, the PCPD arranged a series of interesting and meaningful
events:

26 Aug: Opening ceremony of the Privacy Awareness Week and the announcement
of survey results of "Attitudes of Young People towards Disclosure
of Personal Data on the Internet"

Mr. Roderick Woo, the Privacy Commissioner for Personal Data, and Miss
Do Do Cheng, the Privacy Ambassador, launched the Privacy Awareness
Week.

Mr. Woo also announced the results of a survey on the "Attitudes of
Young People towards Disclosure of Personal Data on the Internet".
To better understand the use of blogs and social networking websites
by young people, especially their views on the disclosure of personal
data on the Internet, the PCPD commissioned the Quality Evaluation
Centre of City University of Hong Kong to conduct the survey in
July 2007. A total of 500 young people in Hong Kong aged between
12 and 24 were interviewed. The results found more than half of
the respondents, or 55.3%, who wrote blogs or had personal web pages
disclosed their personal data on the Internet. Although 62% of them
worried that the disclosure would raise privacy concerns, only 48%
used online security to safeguard their personal data. The survey
also indicated that young people are concerned about personal data
privacy on the Internet. The PCPD will plan education and promotion
strategies to better their understanding of this issue.

Photo: Mr. Roderick Woo, the Privacy Commissioner for Personal Data, and
Miss Do Do Cheng, the Privacy Ambassador, officiated at the
opening ceremony of the Privacy Awareness Week.

27 Aug: Seminar on Protection of Online Personal Data

In light of the recent leaks of personal data on the Internet, the
PCPD invited Mr. Sean Lin, SIP of the Hong Kong Police Force, and
Ir. Dr. K.P. Chow, Center Associate Director of Centre for Information
Security and Cryptography at the University of Hong Kong, to talk
to the Data Protection Officers' Club members about how best to
handle personal data electronically.

Mr. Lin drew particular attention to transmitting personal data by Wi-Fi.
Dr. Chow spoke about the responsibilities of data users in online
data security and how to avoid leaking data.

29 Aug: Seminar on "Creative Thinking & Blog Writing Skills" for the young
people

Young people like to communicate via the Internet. Although this is fast
people like to communicate via the Internet. Although this is fast
and convenient, personal data may be easily disclosed. To remind
young people of the importance of personal data privacy, the PCPD
invited renowned writer Mr. Ong Yi Hing and DJ Mr. Francis Mak to
share their views on creative writing and privacy. The audience
was asked to think carefully before providing their personal data
or their friends' personal data on the Internet. After the seminar,
an enlightening discussion and debate about "There is no privacy
protection in the cyber world" took place with the Hong Kong Federation
of Youth Groups and the Hong Kong Girl Guides Association.

30 Aug: Members of the Data Protection Officers' Club visited Macau Consumer
Council

Photo: Ms. Connie Lau, Chief Executive of Hong Kong Consumer Council (left),
Mr. Alexandre Ho, President of Executive Committee of Macau
Consumer Council (middle) and Ms. Shirley Lung, Corporate Communications
Manager of the PCPD (right) shared views with participants.

Members of the Data Protection Officers' Club met with consultants of the
Macau Consumer Council and business representatives on 30 August
to exchange their views and experiences on effective ways to protect
personal data. Although the privacy ordinances of Hong Kong and
Macau differ, the common goal remains the protection of personal
data privacy.

31 Aug: Prize Presentation Ceremony of "Privacy is Your Business" Writing
Competition

One of the joint activities of the Privacy Awareness Week was a writing
of the joint activities of the Privacy Awareness Week was a writing
competition aimed at encouraging secondary students in the region
to examine the importance of privacy protection. Entries included
poetry, prose, internet blog entries, diary entries, radio interview
scripts, academic essays and word art about the theme, "privacy
is your business".

There were a total of 244 entries from Hong Kong and Macau. Using a "treasure
box" as a metaphor for privacy to illustrate that things in the
box are very important, Yeung Kuen (Precious Blood Secondary School)
from Hong Kong won the second-place regional prize and came in first
for the Hong Kong and Macau award. Erica Hei-Yuan Chan from Australia
and Briony Bennett from New Zealand were the winner and second runner-up
respectively of the regional prize. In the Hong Kong and Macau area,
Chiu Ka Yi (Po Leung Kuk No.1 W.H. Cheung College) and Chan Weng
Sam, Sammy (Colegio de Santa Rosa de Lima, English Secondary (Macau))
were the first and second runners-up, respectively. The five merit
award winners were Cheng Ka Man (Po Leung Kuk No.1 W.H. Cheung College);
Vanessa Green (South Island School); Lam Ka Ian, Cindy (Colegio
de Santa Rosa de Lima, English Secondary (Macau)); Yeung Chun Hon
(Christ College) and Ng Tat Lam (CNEC Christian College).

01 Sep: Deputy Privacy Commissioner for Personal Data held a dialogue session
with young people

Deputy Privacy Commissioner for Personal Data, Mrs. Bonnie Smith (middle),
talked about the protection of personal data privacy to young people
at a live radio programme at Radio Television Hong Kong.

More Fruitful Outcomes

With the development of technology, an increasing number of organizations
the development of technology, an increasing number of organizations
use fingerprint scanners for recording attendance, giving access
to facilities, security control or other purposes. In order to assist
data users to comply with the relevant requirements of the Ordinance
and as a useful reference in their consideration of fingerprint
collection, the PCPD has published a new guidance note, titled "Personal
Data Privacy: Guidance on Collection of Fingerprint Data".

Fingerprint data are very sensitive personal data. Due care should be taken
in collecting and using them. A data user shall have sufficient
reasons to justify that collection of fingerprint data is necessary
for its lawful function or activity and that only adequate but not
excessive personal data is collected.

To facilitate compliance with the collection limitation principle,
a data user is encouraged to undertake an assessment process by
first examining the extent of privacy intrusiveness of the proposed
act or practice in question and then considering whether there are
sufficient safeguards in place to mitigate the adverse privacy impact
brought by such act or practice. Insofar as it is practicable to
do so, a data subject should be given other less privacy intrusive
options to choose from. When consent is purportedly obtained from
the data subjects on collection of their fingerprint data, the Privacy
Commissioner warns against collection of these data from persons of tender
age and stresses the need to dispel any reasonable doubt on undue influence
when a special relationship exists.

The guidance note can be downloaded from the PCPD website (www.pcpd.org.hk).
Copies are also available from the PCPD at 12/F., 248 Queen's Road
East, Wan Chai, Hong Kong.

DPOC NEWS

Familiarization Visit to the Cathay Pacific City

During a visit to Cathay Pacific City on 1 November 2007, DPOC members
had the chance to share and exchange with one another valuable data
protection experiences. Mr. Albert Wong, Manager Personnel Strategy
& Relations, and Ms Anthea Leung, Assistant Personnel Manager
at Cathay Pacific, also highlighted an online training module to
members.

DPOC members were invited to comment on the visit:

"……Mr. Albert Wong, Manager Personnel Strategy &
Relations, also shared with us a specially designed
on-line learning unit, which teaches new staff
of different grades (e.g. cabin crew and management)
how to handle personal data."
Ms Janet Chu
Customer Services Officer,
Chevron Hong Kong Limited

"…….While touring around the magnificent complex of Cathay
Pacific City, club members chatted and shared
their views in a most relaxing and effective atmosphere."
Ms May Yu
Community Relations Manager,
Main Shine Development Ltd.

Please visit the PCPD website (http://www.pcpd.org.hk/english/activities/activitiesupdate.html)
to view members' original articles.

Introduction to the Personal Data (Privacy) Ordinance Seminar

In order to raise the public's awareness and understanding of the
Personal Data (Privacy) Ordinance, the PCPD will organize
free seminars on the following dates:

[Image]

Please visit our website (www.pcpd.org.hk)
for further information, or contact: 2877 7159 (Mr. Cheung)
or 2877 7152 (Ms. Chan).

STATISTICS ON COMPLAINTS & ENQUIRIES

No. of Enquiries [chart]
No. of Complaints [chart]