In response to interests and enquiries expressed following the Joint Meeting of the Panel on Constitutional Affairs, the Panel on Information Technology and Broadcasting and the Panel on Security of the Legislative Council earlier today (14 November 2018), the Privacy Commissioner for Personal Data, Hong Kong (the PCPD), Mr Stephen Kai-yi WONG hereby provides the following supplementary information.
Compliance check is integral to investigation
The PCPD deplores pre-judged investigation and upholds fair enforcement of the law. A compliance check has always been part and parcel of the process of determining whether there are reasonable grounds to believe that a contravention may have occurred. Nowadays, cases of contravention have shifted from improper collection and use of data, which is often easily discernible, to breaches of data security, which raise the intricate question of whether the data user has taken all reasonably practicable steps to safeguard the data. The organisation is best placed to explain to the regulator, among other things, its data security infrastructure. A compliance check conducted immediately after a data breach incident engages the organisation, in a non-confrontational manner, in taking remedial action forthwith and in establishing the relevant facts of the breach, with a view to determining whether there is a prima facie case of contravention before a formal investigation is triggered. This approach is also in line with procedural fairness.
Publication of investigation reports
Pursuant to section 48(2) of the Personal Data (Privacy) Ordinance (the Ordinance), a compliance investigation report is published only where the Privacy Commissioner is of the opinion that it is in the public interest to do so. Among other factors, the gravity of the breach and its impact on and damage to the public are relevant considerations when assessing whether it is in the public interest to disclose the investigation result. An issue that is merely of interest to the public does not, by itself, justify disclosure or publication. Unwarranted publication would inevitably deter organisations from voluntarily reporting data breaches, which in turn would undermine the privacy protection of individuals.
Review of the Ordinance
The PCPD has a statutory obligation to review the Ordinance from time to time. Related issues such as a mandatory breach notification requirement, sanctions for non-compliance and the regulation of data processors have recently been brought into sharp focus in our ongoing review of the Ordinance. The PCPD will continue to keep an open mind and abide by the following principles to ensure that our forthcoming observations and recommendations are well-considered, fair and balanced:
The purpose of the legislative restriction must be legitimate.
There is a reasonable connection between the legislative restriction and the legitimate purpose.
It is entirely necessary to impose such restriction to achieve the purpose.
A reasonable balance should be struck between legislative protection and the overall benefits of the community.
The interests of all stakeholders should be considered.
The local circumstances should be taken into account alongside the global development.
The legislative restriction should not hinder development of information communications technology and the economy.
As at 5:00pm today, the PCPD has received 148 enquiries and 109 complaints relating to the Cathay Pacific data breach incident.