|
UK and Canada's experiences in protecting personal data
| [Image of Photo] |
|
From
right: Mr. David Loukidelis, the Information and Privacy Commissioner
for British Columbia (Canada), Mr. Roderick Woo, the Privacy
Commissioner for Personal Data, Hong Kong, Mr. Richard Thomas,
the Information Commissioner of the UK and Mrs. Bonnie Y.
L. Smith, the Deputy Privacy Commissioner for Personal Data,
Hong Kong attended the open forum on 27 February 2008 to share
experiences in data protection in Canada, UK and Hong Kong.
|
The Privacy
Commissioner for Personal Data, Mr. Roderick Woo invited Mr. Richard
Thomas, the Information Commissioner of the UK and Mr. David Loukidelis,
the Information and Privacy Commissioner for British Columbia (Canada),
to come to Hong Kong to share knowledge and information in data
protection from a regulatory perspective. An open forum was held
on 27 February 2008 to which the public was welcomed.
"As personal
data privacy has become an important social issue that impacts on
our daily lives, organizations are urged to embrace privacy as a
competitive advantage and a business imperative. The forum provided
a unique opportunity for both the private and public sectors to
learn directly from the two commissioners in charge of information
and privacy rights in the UK and Canada's Asia Pacific province
about effective data protection and prevention of data leakage."
Mr. Woo said.
"There
are massive collections of data by governmental and private sector
bodies. There is the ability, now, to build up a comprehensive picture
of our daily lives. We all leave electronic footprints in almost
everything we do day by day." Mr. Thomas said.
"Privacy
regulation is not about black and white easy solutions. The approach
my office takes is calling upon people who are collecting data for
commercial purposes or the fight against crime, to justify the approach
they are taking; to justify each new initiative, whether it is new
data collection or new types of data sharing. For example, nobody
would take exception to CCTV cameras in airports and railway stations.
But we would question whether we need them on every street corner
purely for the fight against terrorism. In our new Code of Practice
on CCTV, we have outlawed the use of cameras with microphones. We
are also sceptical about any justification for the introduction
of biometric identity cards in the name of the fight against terrorism.
We also have some concerns about proposals to retain telecommunications
traffic data on a compulsory basis." Mr. Thomas explained his
views clearly with examples.
"In Canada,
the debate has shifted. There is increasingly an onus on those who
are concerned about new security measures in the name of fighting
terrorism or crime to show that they have nothing to hide. This
stands things to their head." Mr. Loukidelis said. There were
measures proposed in Canada to allow the police to demand that internet
service providers disclose personal details of individuals as part
of investigations without prior judicial authorization and without
the case having been made that it is truly necessary because of
emergency circumstances. "We should be very vigilant to ensure
that we are requiring public officials to constantly prove the need
for more intrusive powers. I think that the real issue is to continue
to require our governments to show the need before we acquiesce
in what they are trying to do."
Recently, a
spate of data loss incidents took place in Hong Kong. But Hong Kong
is never alone in facing this problem. In the UK, HMRC (the tax
collecting organization), which is also the Child Benefit Administration,
lost two unencrypted CDs containing personal details of 25 million
child benefit payments, and 7 million personal bank account details;
the Ministry of Defence has lost details of 600,000 people who expressed
interest in joining the armed forces over the past decade; the Driving
Standards Agency lost 3 million names and addresses by its outsourced
company in the US State of Iowa. There have also been expamles of
banks dumping bank statements, loan applications and health insurance
rejection letters in plastic bags in streets. Struck by the massive
numbers? Sometimes, small numbers could be more worrying. Earlier
this year a part of the Courts Inspectorate lost some 50 or 60 personal
details which are highly sensitive: details of victims of crime,
of witnesses to crime and of police intelligence.
[Image of Image]Reacting
to data loss problems, there is a growing international consensus
towards making breach notification a mandatory requirement for serious
cases.
In Canada, there
are now three legislative recommendations that there be mandatory
duties to notify customers that their data have been lost. However,
there is still some scepticism about the effectiveness of these
laws in preventing data leakages. "We still have to ask, is
there a hard benefit to these laws? And there is a concern about
breach notification fatigue. I believe notification should be left
for significant cases where a risk assessment shows it will be effective
in helping individuals protect themselves." Mr. Loukidelis
said.
"There
is still no general consensus on the need for mandatory notification
in the UK. It is now a requirement from the Cabinet Secretary that
all significant data losses from government departments should be
reported to my office. However, there is a risk of trivial notifications.
Among the 40 reported cases that came to me, there're at least two
cases of a single file going missing. Also, if you notify all individuals
every time there is a loss, you run the risk of devaluing the message.
It is not just security. It is almost inevitable that data will
be lost in some situations ¡V the immediate priority is to stop the
breach.The
priority is not to tell people ¡V it is to stop any more damage being
done. In this respect, I like the Australian Law Reform Commission
approach, which is defining cases in terms of serious harm where
the regulator can do something about the situation." Mr. Thomas
said.
In Hong Kong,
existing laws currently do not make a breach of data protection
principles a crime. In a case of a contravention of the PD(P)O,
an enforcement notice will be served. Only when the data user fails
to comply with the enforcement notice does it commit an offence.
"A mandatory notification requirement does not necessarily
prevent data leakage. However, in some situations, it is arguable
that a notification system may help to contain, at an early stage,
the spread of any leakage of personal data, which in turn may minimize
the damage that the data subject concerned might suffer. This is
particularly so when a significant number of data subjects are affected
by a breach and where sensitive personal data are lost or stolen."
Mr Woo said.
In the UK, a
data user registration regime has been implemented, which proves
to be a resounding success. "This is a light-touch scheme requiring
data users to provide me with their basic details. The scheme provides
for transparency and accountability on the part of the data users
but it is not burdensome. It is especially useful when we get complaints
or when we need to undertake some sort of investigation, which provides
a good starting-point for my staff." Mr. Thomas said.
"Our philosophy,
as the regulator, is that we seek to simplify data protection law,
to make it as easy as possible for the vast majority who want to
get it right, but a bit tougher for the very small minority who
don't want to get it right." Mr. Thomas concluded.
In Canada, there
is no registration system. But public bodies have an obligation
to create directories of the various personal information databases
or databanks that they have, and make that information publicly
available. This helps promote transparency and accountability and
lets people know who has information about them, what kinds of personal
information are being held and for what purposes. "Another
advantage is that you can communicate with the data users, not just
for the purposes of enforcement but in order to promote good practice
and to help them comply with the obligations under the law."
Mr. Loukidelis said.
[Image of Image]
|
|
A
doctor convicted of failing to comply with Data Access Request
A doctor
("the doctor") was convicted of breaching sections
19 of the Personal Data (Privacy) Ordinance ("the Ordinance")
and was fined $1,000 on 22 February 2008 in the Kowloon City
Magistrates' Courts.
This is
the first conviction for breach of section 19 (noncompliance
with data access request) since the enactment of the Ordinance.
Many complaints showed that data users did not handle such
requests seriously. The PCPD hopes that data users could learn
from this case so that they will handle data access requests
seriously and adopt adequate measures to ensure compliance
with the Ordinance.
Section
18 of the Ordinance stipulates that a data subject may make
a request to be informed by a data user whether the data user
holds his / her personal data and to be supplied with a copy
of such data. Section 19 of the Ordinance provides that a
data user shall comply with a data access request not later
than 40 days after receiving the request. If the data user
is unable to comply with all or part of the request within
the 40-day period, he shall inform the data subject of the
situation and the reasons in writing within the period. Moreover,
he shall fully comply with the request as soon as practicable
after the expiration of the period.
In May
2007, a patient (Ms. A) made her first data access request
to the doctor for copies of her medical records from June
2006 to April 2007. The doctor failed to respond to Ms. A
within 40 days after receiving the request, so Ms. A lodged
a complaint with the PCPD. Upon mediation of the PCPD, the
doctor provided Ms. A with the requested data in July 2007.
A written warning was also issued to the doctor.
[Image of image]In
July 2007, Ms. A made her second data access request to the
doctor for copies of her medical records from January 1993
to July 2007. The doctor again failed to respond to Ms. A
within 40 days after receiving the request, so Ms. A made
her second complaint to the PCPD. The case was subsequently
referred to the police for prosecution.
After
investigation, the doctor was summonsed for an offence under
section 64(10) for breach of section 19 of the Ordinance.
The doctor pleaded guilty to the summons and was fined $1,000.
|
|
|
|
SUCCESSFUL
MEDIATION CASE |
|
|
Collection
of residents' personal data for electronic door access system
In introducing
an electronic door access card system, a property management
company ("the company") required residents of the
building to submit an application form containing information
on date of birth, Hong Kong Identity Card number, copy of
identity document, copy of tenancy agreement, etc. (collectively
"the personal data"). Believing that the company
requested excessive personal data, a resident lodged a complaint
with the PCPD.
Since
the complainant did not at the end provide the company with
the personal data requested, the PCPD decided to conduct a
compliance check against the company. The company told the
PCPD that the personal data were collected for verification
of the identity of the residents and security purpose.
[Image of image]Under
the Data Protection Principle 1 of the Personal Data (Privacy)
Ordinance, data shall be collected for a lawful purpose directly
related to a function or activity of the data user, and the
data collected are adequate but not excessive.
After
mediation of the PCPD, the company took appropriate remedial
action. It stopped
immediately collecting the personal data from the applicants
for the door access card, amended the application form and
destroyed the personal data collected.
|
|
|
Revised
Data Access Request Form
The revised
Data Access Request Form (the Form) published by the Privacy
Commissioner for Personal Data, Mr. Roderick B. Woo in the
Government Gazette on 4 January 2008 and took effect on 1
April 2008.
[Image of image]Under
section 18 of the Personal Data (Privacy) Ordinance (the Ordinance),
an individual has the right to make a request to be informed
by a data user, e.g. government department or private organization,
whether the data user holds his personal data and to be supplied
with a copy of such data. The data user shall respond not
later than 40 days after receiving the request by complying
with or refusing (where conditions in section 20 of the Ordinance
being satisfied) to comply with the request. Failure to do
so may constitute an offence and an offender is liable on
conviction to a maximum penalty of $10,000 (a fine at level
3) under section 64(10) of the Ordinance.
The revised
Form enables the public and organizations to understand more
clearly the scope of a data access request, as well as their
rights and responsibilities. A data access request may be
refused if it is not made in the revised Form. The completed
Form, either in Chinese or in English, should be sent directly
to the data user concerned for processing.
The revised
Form
is available for download from the website of the PCPD. Copies
are also available from the office of the PCPD (12/F., 248
Queen's Road East, Wan Chai, Hong Kong) or various District
Offices.
|
|
Privacy
Awareness Week 2008
The "Privacy
Awareness Week 2008" will be held in the week from 24
to 30 August 2008 by the Office of Privacy Commissioner for
Personal Data of Hong Kongtogether with 7 Asia Pacific Privacy
Authorities includingcountries such as Australia, New Zealand
and Canada.
The purpose of the activity is to promote the awarenessof
the importance of protecting and respecting privacy.The theme
of this year is "Privacy is Your Business".
[Image of image]The
PCPD will arrange a variety of promotional activities during
the week in Hong Kong. An inauguration ceremony for the "Privacy
Awareness Week 2008" will be held on 25 August to mark
the commencement of the Week. A kick-off ceremony will be
held on 26 August for the "Personal Data Privacy Campaign
for Estate Agency Trade." The Campaign is organized jointly
with the Estate Agency Authority to promote the awareness
among the agents of the importance of protecting clients'
personal data. A seminar will be held on 27 August for members
of the Data Protection Officers' Club, and we have invited
professionals to speak on security measures in the use of
mobile phone and sharing softwares.
Another
key event of the Week is "Privacy is Your Business"
International Video Competition held by the PCPD with the
Hong Kong Federation of Youth Groups and Office for Personal
Data Protection, Macau. Hong Kong and Macau secondary school
students are invited to join the competition. Participants
will plan and product a short video to promote respecting
and protecting personal data privacy. The results of the competition
will be announced at the prize awarding ceremony on 28 August
2008.
The PCPD
will also hold an open forum for youths on 29 August, during
which computer experts are invited to teach participants about
computer security. We will publish and handout a booklet on
secure use of computer at the forum, and such booklet will
also be available to schools on request.
| Schedule |
|
| 25
August |
Privacy
Awareness Week 2008 Inauguration Ceremony |
| 26
August |
Personal
Data Privacy Campaign for Estate Agency Trade Kick-off
Ceremony cum Seminar on Personal Data (Privacy)
Seminar |
| 27
August |
Seminar
| Topic
: |
Security
measures of mobile phone
Security
Analysis of the Foxy Peer-to
Peer File Sharing Tool
|
|
| 28
August |
"Privacy
is Your Business" International Video Competition
Prize Presentation Ceremony |
| 29
August |
Seminar
for young people
(Releases
the" Protect your personal data
while engaging in IT related activities"
booklet for youngsters)
|
|
|
|
|
|
|
Education
& Careers Expo 2008 |
| PCPD
participated in the Education & Careers Expo held
by the Hong Kong Trade Development Council on 21 to 24
February 2008. In the Expo, we promoted awareness on personal
data protection to job seekers and youths, such as the
care to be taken when they are requested to provide personal
data in applying jobs. |
|
|
Meeting
with Coordinator of the Office for Personal Data Protection
of Macau |
|
| On
28 March 2008, Miss Chan Hoi Fan, the Coordinator of the
Office for Personal Data Protection of Macau (left), and
colleagues visited the PCPD and exchanged views on privacy
protection in both regions with Mr. Roderick Woo, the
Privacy Commissioner for Personal Data (right). |
|
|
|
Data
Protection Public Forum |
| The
Deputy Privacy Commissioner for Personal Data, Mrs. Bonnie
Y. L. Smith attended the "Data Protection Public
Forum" on 31 May 2008 held by the Internet Society
Hong Kong and Professional Information Security Association,
and explained the requirement of the Ordinance to the
attendees. |
|
|
Visit
the PCPD |
|
| Students
from the University of Ontario Institute of Technology,
Canada visited the PCPD on 3 June 2008. PCPD staff gave
an introduction on the implementation of the Ordinance
in Hong Kong to the visitors. |
|
|
|
Plenary
Meeting and Luncheon
On 25
January 2008, over 80 members attended the Club's Plenary
Meeting.
The theme
of the Meeting is "The best way of handling data access
request". At the Meeting,
Mr. Roderick Woo, Privacy Commissioner for Personal Data,
and PCPD staff explained the recently amended Data Access
Request Form and analysed past cases of data access request
with the members.
A luncheon
was arranged after the meeting to allow members to share their
experience in a relaxed environment.
| [Image of image] |
[Image of image] |
|
|
A
Visit to the Immigration Museum
[Image of image]
Members
of the Data Protection Officers' Club visited the museum of
Immigration Department on 6 June 2008. Immigration officers
and Club members exchanged their knowledge about data protection
during the visit. An introduction to various sections of the
museum was also made to the members, enabling them to have
an insight into the work and history of the Immigration Department.
This is
another visit activity held after the visit to the Cathay
Pacific City last year, and members believe that they can
learn and benefit much from such activities.
[Image of image]
|
|
| Tips
for the protection of privacy |
[Image of image] |
| [Image of image] |
[Image of image] |
In this era
of digitalization, we may save and transfer data with great ease.
For instance, we may save unfinished files in a USB finger (USB
flash drive) from our office, take it home and then transmit the
finished file back to the office computer through Foxy. It is a
convenient and efficient way of getting things done and is therefore
quite popular. However, people often neglected the risk of data
leakage in the use of such saving and transferring tools.
The followings
are two tips for the protection of privacy:
|
[Image of "]USB
flash drive[Image of "]
Many people
would save data in USB fingers. Such device is easy to carry
but also easy to lose which may result in personal data leakage.
Accordingly, users should encrypt files before saving them
into a USB finger, or to add encryption for the whole finger.
USB fingers with built in encryption feature are now available
in the market, some of which use fingerprint for identification
and some use private code (for fingers with U3 feature). For
existing USB fingers without built in encryption feature,
we may use the TrueCrypt software (http://www.truecrypt.org/)
for encryption. USB finger encrypted with TrueCrypt, when
connected to a computer, requires the user to input a private
code before accessing is allowed. In this way the user's data
in the device may be prevented from leakage.
|
[Image of image]
|
[Image of "]File-sharing
softwares[Image of "]
File-sharing
softwares (such as BT and Foxy) are often used by people nowadays
to transfer files. An example is to transmit a file from one's
office to his home. Although the speed in such transfer is
very high, P2P networks are usually flooded with illegal softwares
and files and there is no way users may know whether a file
is safe. In case a file is planted with a Trojan or virus,
your computer will be completely unguarded. Not only data
in your computer may be accessed by others, your computer
may also be used to attack other computers, thus participating
in crime without your notice. Furthermore, some P2P softwares
require user to open many network transfer ports and this
will render a computer more vulnerable to internet attacks.
Therefore,
when using Foxy, users have to set up their "upload folders"
carefully. It's easy to do it: simply unclick the files that
you do not want to be shared in the setting profile of "share
folders".
Can users
then rest assured? Not yet. They have to carefully set the
location of their "download folders" because the
data inside the "download folders" will be automatically
put on the Internet for searching and downloading by other
Foxy users. Therefore, it is proposed to set the "download
folder" as a blank folder that is only used for downloading
and frequently clear up the folder by deleting those data/files
that should not be shared.
|
In fact, the
most important thing is that we must have high awareness of privacy
protection. We must remain vigilant and adopt preventive measures
in order to avoid leakage of important data.
|
|
|
STATISTICS
ON COMPLAINTS & ENQUIRIES |
|
|
Enquiries
and Complaint received by the PCPD (1 Jan - 30 Jun 2008)
|
Number of Enquiry Cases: 6,082 |
| [Image of image] |
|
| [Image of image] |
|
Number of Complaint Cases: 366 |
| [Image of image] |
|
| [Image of image] |
|
|