Date: 4 November 2018
Data Breach and Associated Issues of Public Concerns
In response to the public concerns expressed, including those made in the RTHK Radio 1 programme “Hong Kong Letter” (香港家書) (the Letter) yesterday (3 November 2018) and in the media today, and considering the inaccurate and misleading information arising therefrom, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) hereby provides the relevant facts and information as appropriate to put the record straight and clear any misunderstanding that may have been caused.
The Reported Data Breach Incident:
- Upon receipt of the Data Breach Notification filed by Cathay Pacific Airways, the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) announced, in response to media enquiries, that a compliance check in accordance with the Personal Data (Privacy) Ordinance (the Ordinance) would be initiated forthwith. Before the Privacy Commissioner makes a determination on the findings and results, it would be improper for him to comment on or divulge the details of the case, having regard also to the secrecy provision in the Ordinance. In view of the public concerns over the incident, the Privacy Commissioner has given his views on privacy issues limited to the undisputed facts of the case as disclosed in the two public statements made by Cathay Pacific Airways. One of the issues, which appeared to be a major public concern, related to notification of the incident to PCPD and affected persons and the associated timing of notification. The Privacy Commissioner made it quite clear that under the current law there is no mandatory requirement for any organisation to file a notification, whether to PCPD or to the persons affected, although notification is encouraged as a good practice. Given the significant number of persons affected and the time at which the incident was detected or confirmed, as disclosed in one of the statements filed by Cathay Pacific Airways, the Privacy Commissioner urged that justification be provided to satisfy the expectation of members of the public.
The Due Process – Law, Procedure and Practice
- PCPD is an independent statutory authority regulating the behaviour of human beings and organisations in connection with personal data. The relevant powers, functions and responsibilities are dictated by the Ordinance.
- As a regulator, PCPD spares no effort in enforcing the law fairly.
- The law provides, amongst others, that the Privacy Commissioner may carry out a compliance investigation where he has reasonable grounds to believe that there may be a contravention of a requirement under the Ordinance (section 38). What amounts to a contravention turns on the facts of each case and the corresponding requirement under the Ordinance.
- It has been an established policy and practice for eight years that, upon receipt of a data breach notification, a compliance check will be initiated for the purposes of finding facts, identifying the root cause and evaluating proposed actions or actions taken. Advice and assistance would be provided by the PCPD at the same time to ensure that timely remedial steps would be taken on board to contain any possible damage to the persons affected. The objective is obviously to protect the interest of the individuals in the first place.
- Should the compliance check find prima facie evidence of contravention of the law, a compliance investigation will be carried out. This policy and practice has been in place for years and made known to the public (see Annex for the procedure in handling a data breach; and the Annual Report of PCPD 2014-15, at p. 36).
- Compliance checks serve to find out the relevant material facts, which may not be apparent or disclosed at the initial stage of a data breach concerning data security, in particular where, as provided under the Ordinance, a contravention may not be established if “all reasonably practicable steps” have been taken. A common example is that organisations, especially SMEs, would have their customers’ data hacked or tampered with without their knowledge or without knowing the reasons.
- In addition, as a matter of procedural fairness, a compliance check preceding a compliance investigation (which gives the Privacy Commissioner additional powers to summon witnesses, enter premises, seize evidence and conduct public hearings) would help reduce the possible confrontational and untoward attitude and atmosphere at the initial stage, which would not be conducive to protecting the data privacy right of the individuals affected at the earliest opportunity, considering also the fact that notification is entirely voluntary under the current law.
- A compliance check preceding a compliance investigation, being an established policy and practice in the PCPD in accordance with the Ordinance, has nothing to do with, let alone derogates from, the stringency of determining a contravention. It is entirely incorrect and irresponsible to suggest that after a compliance check, the process of compliance investigation will automatically stop. Any message to the public purported to suggest that PCPD will not carry out a detailed compliance investigation of the reported incident at this stage is ill-informed and misleading.
Figures on Compliance Checks and Compliance Investigations
- Figures of enforcement cases of themselves do not speak for the quality of regulatory efforts. As a fair regulatory authority, PCPD does not regulate for figures but for results. An analogy is that when the crime rate drops, it does not mean that the law enforcement agencies have been lax in their crime investigation efforts.
- The practice that all significant compliance investigation cases in the past, such as the Octopus case and various data security incidents concerning the Police and the Hospital Authority, went through the compliance check stage before proceeding to the compliance investigation stage continues to be followed. Cases in recent years include the PopVote data security issue, the data leakage incident regarding the screenshots of CCTV footage of the Education University of Hong Kong, images captured from webcams in Hong Kong being displayed in a United Kingdom art exhibition, etc.
- In 2014, the total number of compliance investigations (compliance checks-turned and complaints driven) surged to 149 (compared to 79 in 2013). It was caused by the initiation of a project related to unfair collection of personal data by the use of blind recruitment advertisements scanned from various sources.
- In 2014, 106 compliance investigations were conducted, of which only five reports were published; 90% of these related to three projects concerning data collection (Data Protection Principle 1, DPP1) or use of data (DPP3) on “blind” recruitment advertisements, domestic helpers’ profiles and kindergarten placement applications.
- Since 2014, cases of data breach have shifted mainly to data security (DPP4), and the number of compliance checks has been on the high side: 219 (in 2014), 279 (in 2015), 259 (in 2016), 253 (in 2017) and 253 (as of 31 October 2018). There are other compliance investigations arising out of complaints received. It is regrettable that only one case of “investigation” and “report” was selected to be included in the Letter as the basis for ungrounded criticism.
Publication of Compliance Investigation Reports
- In 2017, when only one compliance investigation report was published, the 1,944 complaint cases relating to the same subject, i.e. the loss of the Registration and Electoral Office’s notebook computers containing personal data of 3.78 million electors, were counted as one only, to avoid improper statistical inflation. The other 89 complaints-driven compliance investigations in 2017 were not mentioned in the Letter.
- Pursuant to section 48(2) of the Ordinance, a compliance investigation report will only be published where the Privacy Commissioner is of the opinion that it is in the public interest to do so. In other words, compliance investigation reports are published on a justifiable basis. It is a misnomer to say that a compliance investigation would automatically and necessarily lead to publication of a compliance investigation report. Taking the publication of reports as a matter of routine in the past is simply wrong in principle.
- Upon completion of significant compliance checks or compliance investigations, the PCPD would issue detailed press statements, followed by media interviews and responses to media enquiries, so as to inform the public of the findings and important issues to note. Effectively, the same result as publishing a report is achieved, though without “naming and shaming” the party investigated.
Fair and Effective Enforcement
- Breach of the DPPs is no offence under the Ordinance. Only a failure to comply with an Enforcement Notice issued after a determination of contravention is. Since the establishment of PCPD in 1996, a total of 6 cases of non-compliance with an Enforcement Notice have been recorded. Three of them secured convictions after judicial proceedings, and the maximum fine was HK$5,000. Between 2010 and August 2015, no prosecution was instituted. These figures may be seen as an indication of the de facto deterrent effect of enforcement under the current law.
- The timely response to reported data breaches, and statements on self-initiated checks and complaints concerning significant cases of public interest, as opposed to time-consuming compliance investigations followed sometimes by out-of-proportion “naming and shaming” reports, has been a new approach adopted by PCPD since August 2015.
- Early dispute resolution by way of mediation is now encouraged and commonly accepted to address grievances. The PCPD has also adopted this approach where appropriate, with a view to conciliating between the parties in dispute and finding a resolution with which they are happy.
- Since August 2015, voluminous press statements and information leaflets have been released and publicised, conventionally and digitally, through various channels including the website, so as to raise awareness and provide practical guidance for all stakeholders.
- The PCPD seeks to help build the sense, if not a culture, of personal data protection and respect in stakeholders’ DNA as the solution in the longer term.
- Sparing no sticks, PCPD seeks to provide carrots too. Enforcement since 2016 has been complemented by the advocacy of trust, respect, data governance and data ethics through facilitating, incentivising and engaging all stakeholders, organisations in particular, which is becoming a global trend in privacy protection.
- The continuous adoption of compliance checks before compliance investigations encourages cooperation, openness, flexibility, and the willingness of organisations to offer facts and tender notifications to the PCPD and consumers in cases of data breaches.
- The new approach to enforcement has been well received by stakeholders, with encouraging feedback including from overseas.
Revision of the Ordinance
- The PCPD has the statutory obligation to review the Ordinance from time to time and to provide recommendations in a timely manner. Currently a review of the law is underway.
- It should be noted that any suggestions to reform the law should be considered in the light of the interests of all stakeholders, individuals and organisations alike; the legitimate purpose; the pressing need; proportionality; the local circumstances; and the relevant global developments, with a view to striking the proper balance between data privacy protection and other rights, including the irreplaceable attributes of the success of Hong Kong in terms of the free flow of information, freedom of expression and freedom of the press.
- Our considered observations and recommendations on the areas of the law that warrant amendment will be made known to the government and the public within months.
Updates on Complaints and Enquiries Received
- As of 5pm on 2 November 2018, the PCPD has received 80 complaints and 104 enquiries in relation to the data breach incident of Cathay Pacific Airways.
-End-