Skip to content

Media Statements

Media Statements

Date: 28 December 2018

Privacy Commissioner Releases Inspection Report on
Personal Data Systems of Private Tutorial Services Industry to
Encourage Organisations in Enhancing Data Stewardship and
Sharing Mutual Fairness, Respect and Benefit with Customers

The Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner) Mr Stephen Kai-yi WONG today released an inspection report (the Report) about the personal data systems of private tutorial services industry (the industry). The findings revealed that whilst personal data protection measures are generally acceptable, inadequacies were reflected in the functions of individual private tutorial institutions (the institutions). Inadequacies included unnecessary or excessive collection of personal data, indefinite data retention, improper use of personal data and inadequate personal data security. The Privacy Commissioner was of the view that there was still room for improvement in personal data protection in the industry. He also proposed a number of recommendations for the industry to improve its personal data protection policies and operation practices, and encourage the industry to extend privacy protection to corporate accountability and to establish mutual trust with customers. 
Private tutorial services industry in Hong Kong continues to thrive and provides a wide range of services. The institutions need to handle a vast quantity of personal data, and as their main service targets are children, it is believed that special privacy protection on personal data should be given to this group. The Privacy Commissioner considered that it would be in the public interest to examine the operation of the private tutorial services industry in relation to the protection of personal data privacy. He therefore carried out an inspection of the personal data systems of three private tutorial institutions in different business models under section 36 of the Personal Data (Privacy) Ordinance (the Ordinance). 
As the business models of the three institutions were different (chain-run, franchise, and online platform), they had different understanding and perceptions about personal data handling, resulting in strengths and weaknesses at different aspects of their personal data systems. On the whole:
  • The three institutions viewed the personal data of children, parents and tutors as important assets. They would not, as a matter of principle, handle or use the data indiscriminately. They were also committed to ensuring that the data was properly managed. 
  • An institution which used a mobile application as a service platform relied on its own advantages by making use of information technology tools to carefully segment and monitor access rights to its computer systems so as to reduce the risk of unauthorised or disclosure of personal data. 
  • The three institutions had taken measures to protect personal data in their operational procedures and practices. However, only fragmented measures were in place, and data privacy protection was not included as part of their corporate governance. 
The Privacy Commissioner stated that as best practice organisations should formulate and maintain a comprehensive privacy management programme (the PMP). He said, “Data stewardship should cover the overall business practices, operational processes, product and service design, physical architectures and network infrastructure. The PMP, supported by an effective ongoing review and monitoring process to facilitate its compliance with the requirements under the Ordinance, serves as a strategic framework to assist the organisations in building a robust privacy infrastructure and to share mutual fairness, respect and benefit with their customers.” 
The Privacy Commissioner, with reference to the requirements of a comprehensive PMP and the related requirements of the data protection principles under the Ordinance, proposed the following recommendations to institutions in the industry to enhance corporate accountability and establish mutual trust with customers so as to achieve a win-win situation in the process of handling personal data:
  1. Integrate the ideas of data privacy protection into corporate governance; and to designate a data protection officer from top management to oversee data protection matters; 
  2. Incorporate privacy protection when designing new products and services; and assess the relevant impact on personal data privacy;
  3. Formulate a comprehensive privacy policy (covering information technology security issues), and inform all staff members about the related measures;
  4. Establish effective personal data reporting and monitoring mechanism, as well as data breach notification mechanism;
  5. Provide regular education and training to all employees in order to raise their awareness of privacy protection;
  6. Review personal data collection practices, and cease excessive or unnecessary data collection;
  7. Establish personal data retention policies as well as the procedures and methods for destroying such data;
  8. Conduct a comprehensive review on the use of personal data to ensure that such use is consistent with or directly related to the purpose for which the data was originally collected, or has obtained prescribed consent from the data subject concerned;
  9. Develop a comprehensive information security policy (covering information technology systems and physical security measures); 
  10. Adopt contractual means to manage the personal data entrusted to data processors, and conduct regular monitoring and compliance procedures to ensure data processors’ compliance with the requirements of privacy protection; and
  11. To be held to a higher data ethical standard that meets stakeholders’ expectation in actual operation.

Click here to download the Inspection Report “Personal Data Systems of Private Tutorial Services Industry in Hong Kong”