1. (27 January 2015) The Office of the Privacy Commissioner for Personal Data ("PCPD") received 1,702 complaints in 2014, of which 206 complaints (nearly 12%) were related to the use of information and communications technologies ("ICT").
2. Mr Allan Chiang, Privacy Commissioner for Personal Data ("Commissioner"), commented at today's media briefing on the achievements of the PCPD in 2014, "These 206 complaints are a record high. It underlines the need for organisations and consumers to treat privacy and data protection seriously when engaged in the use of ICT. Even though we live in an information age in which we share personal data more freely than before, we must reject the conclusion that privacy is an outmoded value. Whilst the intelligent use of ICT holds great promise for enriching the quality of life and powering our economic and social development, consumer privacy and data security must remain a priority."
3. The highlights of the PCPD's achievements in 2014 are outlined below.
4. In 2014, the PCPD received a total of 17,328 enquiries, representing a decrease of 28% compared with the figure of 24,161 for 2013. They were mainly concerned with data access requests (11.9%), the use of personal data in direct marketing (11.1%), employment (11.1%), CCTV / video / voice recording (5.9%) and collection / use of Hong Kong identity card numbers or copies (5.2%).
5. There was a sharp increase of 44% in internet related enquiries from 425 cases in 2013 to 611 cases in 2014. They were mainly concerned with cyber-profiling, excessive collection of personal data and cyber-bullying.
6. In 2014, the PCPD received a total of 1,702 complaints, which represented a slight decrease of 5% compared with the record high figure of 1,792 for 2013.
7. Of the complaints received, 74% were made against the private sector (1,264 cases), 10% against the public sector/government departments (176 cases) and 16% against individuals (262 cases).
8. Among the private sector organisations, the sector which received the most complaints was the financial sector (288 cases), followed by property management (119 cases) and telecommunications (98 cases).
9. As regards the nature of the complaints, 41% of the 1,702 complaints received concerned the use of personal data without the consent of data subjects (694 cases), 37% were about the purpose and manner of data collection (633 cases), 12% were related to data security (197 cases) and 6% were about data access /correction requests (112 cases).
Complaints Related to Direct Marketing
10. The number of direct marketing-related privacy complaints received dropped by 49% from the record high of 538 cases in 2013 to 277 cases in 2014.
11. In a survey commissioned by the PCPD in March 2014, it was revealed that unsolicited direct marketing calls were prevalent and 55% of the respondents reported that more than 40% of calls received by them involved the use of personal data.
12. In some cases involving offers of personal loans, the call in question was purportedly made by a bank but, upon investigation, the bank denied having authorised its staff to make the call, and other lending institutions as well as intermediaries were found to have been involved. In many such cases, the calls were made from outside Hong Kong using 8-digit numbers assigned by the Office of the Communications Authority ("OFCA") from the numbering plan of Hong Kong, with "2" or "3" as the prefix. Calls made from outside Hong Kong have caused difficulties in identifying the Hong Kong companies ultimately responsible for the calls, against which charges of contraventions of the provisions of the Personal Data (Privacy) Ordinance ("Ordinance") may be brought. The difficulties are compounded by the callers' practice of changing their numbers frequently.
13. A multi-pronged approach is required to tackle these problems. In this regard, the Commissioner has appealed to the Secretary for Commerce and Economic Development for the expansion of the Do-not-call registers presently administered by the OFCA to include person-to-person calls. This could be arranged expeditiously by way of an amendment notice published in the Gazette under section 7 of the Unsolicited Electronic Messages Ordinance. Compared with the provisions of the Ordinance which serve as remedy after the fact, the expanded register will provide a preventative one-stop-shop that enables the consumer to opt out of all unwanted telemarketing calls at one go and at the outset. Further, the PCPD has been working with the Department of Justice and the Police to address the difficulties in criminal investigation caused by calls made outside Hong Kong.
Complaints Related to Use of ICT
14. In line with the large increase in the number of ICT-related enquiries, ICT-related privacy complaints are also on the rise – an increase of 122% from 93 cases in 2013 to 206 cases in 2014.
15. This rising trend is principally attributable to the increasing popularity of smartphones and the prevalent use of the Internet among netizens. Common privacy disputes arose from the use of mobile apps and social networking websites (157 cases), the disclosure or leakage of personal data on the Internet (57 cases), and cyber-bullying (34 cases).
Compliance Checks and Self-initiated Investigations
16. 70 data breach incidents were brought to light in 2014 (compared with 61 incidents in 2013), affecting 47,000 individuals. The nature of these incidents ranged from unauthorised disclosure of personal data through hacking to inadvertent circulation of lists of personal data to unrelated third parties.
17. With a view to promoting compliance with the requirements under the Ordinance, the PCPD completed 217 compliance checks and 102 self-initiated investigations in 2014, compared with 208 checks and 19 investigations in 2013.
18. The PCPD conducted inspections on the Student Financial Assistance Agency's personal data system in respect of four of its financial assistance schemes, and on the Labour Department's personal data system in respect of its employment services. The inspections identified no major problems but there were areas for improvement and recommendations for tightening personal data protection have been made for the two organisations to follow up.
19. The Commissioner published 5 investigation reports in 2014 (compared with 6 published reports in 2013). These reports covered:-
(a) 71 "blind" recruitment advertisements placed in seven major advertising platforms soliciting personal data of job applicants but without revealing the employers' identities;
(b) unnecessary collection by six tutorial service agency websites of the private tutors' Hong Kong identity card numbers and the personal particulars of their contact persons;
(c) posting on the websites of 10 major employment agencies for domestic helpers of the personal data of overseas job applicants, members of their families and their past employers (including Hong Kong employers), which served no useful purpose for employee screening by prospective employers;
(d) excessive collection of personal data by two travel agencies from customers when they enrolled for the agencies' loyalty programme and when making enquiries about the reward points under the programme using the mobile application developed by the agencies; and failure to explain to the application users the purpose of use of the personal data collected; and
(e) leakage of personal data of the customers of an airline services company through a mobile application running on the iOS platform, as a result of the failure of the application maintenance contractor to respond to the introduction of a new privacy protection feature in iOS 7.
20. In 2014, the PCPD issued 20 warnings and 90 enforcement notices to organisations, compared with 32 warnings and 25 enforcement notices in 2013. 69 of the enforcement notices were served in connection with the investigation of "blind" recruitment advertisements.
21. The number of cases referred to the Police for criminal investigation and consideration of prosecution in 2014 was the same as in 2013, namely, 20. Of these, 17 cases were related to suspected contraventions involving the use of personal data in direct marketing.
22. Only one conviction was recorded in 2014. This involved an insurance agent's contravention of section 50B(1)(c)(i) under the Ordinance by making false statements to the Commissioner during an investigation into his misleading the complainant as regards the identity of the issuer of the insurance policy to be sold to the complainant. Together with convictions under other charges, the accused was sentenced to 4 weeks' imprisonment. Since the Ordinance came into force in 1996, this is the first conviction for misleading the Commissioner in discharging his statutory functions and the first conviction with a custodial sentence.
Legal Assistance Scheme
23. The Legal Assistance Scheme commenced on 1 April 2013 under the Amendment Ordinance. Under the scheme, the PCPD may provide assistance to a person who has suffered damage by reason of a contravention under the Ordinance and intends to institute proceedings to seek compensation from the organisation at fault. The PCPD received in 2014 seven new applications for legal assistance, on top of eight applications brought forward from 2013. Of these applications, one has been granted assistance, nine were rejected, two were withdrawn by the applicants and three are being considered.
Electronic Health Record Sharing System Bill
24. During 2014, the PCPD took an active part in the deliberations of the Bills Committee on the Electronic Health Record Sharing System Bill as they relate to privacy and data protection. Among other issues, the following major concerns were raised:-
(a) healthcare professionals should only access health records of a patient on a strictly "need-to-know" basis;
(b) the need to provide a "safe deposit box" that allows the separate storage of certain particularly sensitive health data (such as psychiatric diseases / mental conditions or hereditary diseases) with enhanced access control by the patient;
(c) the need to introduce offences, such as civil penalties, for unauthorised access to electronic health records by means other than a computer, and for unauthorised use of the data for purposes other than direct marketing;
(d) the unreasonable denial of a patient's right to authorise a representative in writing to exercise his data access and correction rights in respect of his health data kept in the system;
(e) the unduly wide discretion of the Electronic Health Record Commissioner in allowing registration under the system of bodies who "directly or indirectly provide healthcare" and government bureaux or departments that "involve providing healthcare"; and
(f) the unacceptable arrangement to relieve the Electronic Health Record Commissioner from the legal obligation to inspect the information systems used by the healthcare providers participating in the system.
The Government is still considering the first three concerns while it has agreed to make amendments to the Bill to address the last three concerns.
Privacy Management Programmes
25. The PCPD has recognised that privacy and data protection in this era of Big Data and rising public expectation cannot be managed effectively if they are merely treated as a legal compliance issue. It has advocated that organisations should embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a top-down business imperative throughout the organisation. This entails the adoption of holistic and encompassing privacy management programmes that ensure robust privacy policies and procedures are in place and implemented for all business practices, operational processes, product and service design, physical architectures and networked infrastructure.
26. In 2014, the Government, together with 25 companies from the insurance sector, nine companies from the telecommunications sector and five organisations from other sectors, all pledged to implement privacy management programmes. The Hong Kong Association of Banks also indicated that the banking industry supports the initiative.
Regulating Cross-border Flows of Personal Data
27. Section 33 of the Ordinance provides a very stringent and comprehensive regulation of the transfer of data outside Hong Kong. It expressly prohibits all transfers of personal data 'to a place outside Hong Kong' except in specified circumstances such as:-
(a) the place is specified by the Commissioner as one which has in force a data protection law which is substantially similar to, or serves the same purpose as the Ordinance; and
(b) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be handled in a manner tantamount to a contravention of a requirement under the Ordinance.
However, section 33 has not been brought into force since its enactment in 1995. Hence the current protection for personal data transferred to overseas jurisdictions is weak and far from comprehensive.
28. To encourage the Government to have a renewed focus on section 33 of the Ordinance so that the international status of Hong Kong as a financial centre and a data hub will be preserved, the PCPD completed in 2013 a survey of 50 jurisdictions and came up with a white list of places which have in force a data protection law which is substantially similar to, or serves the same purpose as, the Ordinance. A copy of the report has been forwarded to the Government.
29. Further to this initiative, the PCPD in 2014 published a Guidance which assists organisations in preparing for the eventual implementation of section 33 and in enhancing privacy protection for cross-border data transfers. In particular, the Guidance contains a set of recommended model data transfer clauses to assist organisations in developing their cross-border data transfer agreements with overseas data recipients. Organisations are encouraged to adopt the practices recommended in the Guidance as part of their corporate governance responsibility before section 33 comes into operation.
Promotion and Public Education
30. During the year, a total of 20 promotional and education activities were organised with 140,000 participants (compared with 16 activities and 58,979 participants in 2013). In particular, the "Privacy Campaign for the Retail Industry" was satisfactorily completed, with the intensive participation of 1,295 practitioners from over 180 organisations and the launch of a new online assessment tool tailor-made for the industry. As in previous years, the University Privacy Campaign was held, attracting participation of 35,000 staff and students from the 10 local universities. Further, the "Student Ambassador for Privacy Protection Programme" continued, with participation increased by 57% from 4,840 students in 2013 to 7,593 students in 2014.
31. A total of 245 seminars and workshops were conducted, with a total attendance of 14,845 from over 300 organisations. Digital privacy issues remained a major focus of the year, with a new seminar entitled "Developing Mobile Apps with Privacy Protection in Mind" launched to target app developers.
32. Guidance notes and information leaflets issued in 2014 included: (1) Privacy Implications for Organisational Use of Social Network, (2) Guidance for the Banking Industry on the Handling of Customers' Personal Data, (3) What you need to know about cyber-bullying, (4) Best Practice Guide for Mobile Applications Development, and (5) Guidance on Personal Data Protection in Cross-border Data Transfer.
33. The PCPD website was revamped in 2014 to provide a one-stop portal on privacy protection matters. It has become an increasingly important channel for the PCPD to reach out to the community with its growing wealth of privacy information. It received an average of over 55,000 visits per month.
34. The Data Protection Officers Club has grown in membership, reaching 557 in 2014, an increase of 60% over the preceding year.
Strategic Focus for 2015
35. The PCPD will continue to face the privacy and data protection challenges by stepping up efforts in enforcement as well as public education. There will be a special focus on:-
(a) the privacy and data protection issues associated with the prevalent use of mobile apps;
(b) a survey on the public perception of the PCPD and various topical privacy issues;
(c) a survey on the protection of personal data contained in public registers maintained by the Government;
(d) assisting the Government and the private sector in administering privacy management programmes; and
(e) assisting the Bills Committee in the deliberations of the Electronic Health Record Sharing System Bill as they relate to privacy and data protection.
- End -