Please click here if the email does not display properly.

“Hong Kong Enterprise Cyber Security Readiness Index”
Recorded the Largest-Ever Decline in 2023
Actions Required to Bolster Staff Awareness on Cyber Security

On 14 November, the PCPD and the Hong Kong Productivity Council Cyber Security (HKPC Cyber Security) jointly released the results of the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness” survey report. The “Hong Kong Enterprise Cyber Security Readiness Index” has dropped by 6.3 points to 47.0 points (maximum being 100 points) compared with last year, recording the largest-ever drop since the launch of the index. Both Small-and-Medium Enterprises (SMEs) (43.6 points) and Corporates (62.5 points) suffered drops of 7.1 points and 4.1 points in the index respectively.
 
Hong Kong Enterprise Cyber Security Readiness Index
 
The “Hong Kong Enterprise Cyber Security Readiness Index” comprises four areas including “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”. This year, “Process Control” (68.1 points) continued to rank top among all sub-indices, categorised as “Managed” level. However, “Technology Control” (55.1 points) plunged by 11.2 points owing to fewer enterprises having patch management, as well as the reduced number of measures and solutions adopted to protect against cyber threats, while “Policy and Risk Assessment” (39.7 points) also dropped by 8.9 points to its record low as fewer enterprises conduct cyber security risk assessments. Besides, “Human Awareness Building” stayed low at 25 points and continued to be an area which warrants attention.
 
By business sector, Financial Services sector (64.9 points) and Information and Communications Technology (ICT) sector (63.3 points) continued to be vigilant and maintained a “Managed” level, while ICT sector was the only sector registering an increment in the index this year. On the other hand, Manufacturing, Trading and Logistics sector (48.6, -8.9 points) as well as Retail and Tourism-related sector (33.3, -12.5 points) suffered more significant drops in the index, with the latter even dropping to “Ad hoc” level.
 
The survey also found that close to three-quarters (73%) of the surveyed enterprises had encountered at least one type of cyber attacks in the past 12 months, a further uplift of eight percentage points from last year to its record high. The uplift was mainly due to the increased proportion of SMEs having encountered cyber attacks, resulting in a surge of 10 percentage points compared with last year. In particular, phishing attacks continued to be the most common type of cyber attack encountered by almost all of these enterprises (96%). In addition to the major types of phishing attacks such as phishing emails (79%) and vishing (voice phishing) (35%), the survey also found that smishing (SMS phishing) (34%, +14 percentage points) and angler phishing (social media phishing) (16%, +6 percentage points) had become more common compared with last year. In addition, emerging types of phishing attacks, namely phishing using artificial intelligence (AI) or Generative AI and QR Code phishing (Quishing) also recorded a 9% and 8% respectively.
 
Privacy Awareness Survey
 
The thematic survey this year examined the awareness of protecting personal data privacy among surveyed enterprises and their corresponding measures adopted, as well as their perception towards the level of personal data privacy protection in Hong Kong. The results found that enterprises in general were aware of the risk to privacy in using emerging technologies, with corresponding average scores ranging from 2.75 to 3.06 (a score of 1 indicates no risk perceived and a score of 5 indicates very high risk perceived). In particular, these enterprises considered the use of Generative AI having the highest level of privacy risk at 3.06. This was closely followed by Cookies and other online trackers (3.00), cloud computing (2.92) and Internet of Things (2.83). It is worth noting that among those enterprises using these technologies (37%), only around half (48%) of them had provided internal guidelines to address the privacy risks arising from such use. The proportion of enterprises providing internal guidelines on the use of Generative AI was even lower, with only about forty percent (41%) of them having such guidelines.
 
The survey also found that 76% of the surveyed enterprises see no difficulty or little difficulty in complying with the Personal Data (Privacy) Ordinance (PDPO). 42% actually indicated compliance “with no difficulty at all”. On the other hand, “increasing complexity of data processing activities”, “lack of knowledge or education for employees” and “lack of resources” were the top three key challenges perceived by enterprises in complying with the PDPO. In terms of the level of personal data privacy protection in Hong Kong, slightly over half (51%) of the surveyed enterprises held a neutral stance, while 18% considered the level of protection “sufficient” or “very sufficient”.
 
Overall, more Corporates would implement or adopt various privacy and data security protection measures. For instance, half of the Corporates (51%) have started implementing or have fully implemented a Personal Data Privacy Management Programme (PMP), but over half of the SMEs (55%) have not considered implementing a PMP. On the other hand, nearly eight in ten Corporates (79%) have implemented different privacy and data security protection measures, including formulating internal policies for handling personal data handling, discussing and recognising the importance of a PMP at senior management meetings, establishing a data breach notification mechanism, and providing employees with privacy-related training. However, the corresponding figure was only 54% among SMEs.
 
The survey was commissioned by the PCPD and conducted independently by HKPC Cyber Security, with a view to assessing the readiness of local enterprises in responding to cyber security threats and gauging public awareness on topics related to privacy. The latest survey was conducted in September 2023, interviewing 378 enterprises from six business sectors by telephone.
 
Please click here to download the survey report “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness”.

PCPD Launches the Data Security Thematic Webpage and the “Data Security Scanner”
 
With the aim of providing enterprises with a one-stop access to information concerning data security and helping them to enhance their capability to protect data and comply with the requirements under the PDPO, the PCPD launched the Data Security thematic webpage and the “Data Security Scanner” on the PCPD website, as well as the “Data Security Hotline” 2110 1155. 
 
The Data Security thematic webpage enables enterprises to conveniently obtain information related to data security, including security alerts, latest updates on data security, information on data breach notifications, relevant requirements under the PDPO, cases, education materials and other information. Separately, the “Data Security Scanner” is a self-assessment toolkit that enables enterprises to conduct a quick and easy self-assessment on the adequacy of their data security measures for ICT systems.
 
Please click here to access the Data Security thematic webpage and click here to access the “Data Security Scanner”.

PRIVACY 101

Data Protection in Direct Marketing Activities

Organisations often use customers’ personal data for direct marketing activities to promote products or services. Under the PDPO, “direct marketing” refers to the offering, or advertising of the availability, of goods, facilities or services; or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means. These means include sending information or goods, addressed to specific persons, by mail, fax, electronic mail or other means of communication; or making telephone calls to specific persons.

The use of personal data in direct marketing activities is governed by the PDPO. If organisations plan to use customers’ personal data for direct marketing, they must provide customers with the following clear and understandable information before data collection:

• Their intention to use the customers’ personal data for direct marketing, and that they may not do so without the consent of customers;

• Details on the intended use of personal data, including the kinds of personal data to be used and classes of marketing subjects for which the data will be used; and

• A free-of-charge response channel for customers to communicate their consent to the intended use. 

Organisations must also respect and comply with any customers’ requests to opt-out and cease using their personal data for direct marketing. Review the following checklist to assess your organisations’ handling of opt-out requests made by the customers.

Please read the PCPD’s publication below to learn more about the regulatory regime of direct marketing under the PDPO: Guidance on Direct Marketing.

PRIVACY COMMISSIONER’S FINDINGS

A Staff Member of a Beauty Centre Recorded a Customer’s Conversation during a Medical Consultation by Unfair Means

The Complaint

The complainant, a customer of a beauty centre, had a dispute with the centre concerning a beauty treatment. At the request of the beauty centre, the complainant visited a designated clinic with a staff member to consult a doctor regarding her skin condition. During the consultation, the complainant discovered that a staff member from the beauty centre had audio-recorded the conversation between her and the doctor without notifying her. Dissatisfied with the staff member’s unfair collection of her personal data, the complainant lodged a complaint against the beauty centre with the PCPD.

Outcome

The beauty centre attributed the incident to an individual staff member’s inadequate understanding
of the PDPO. After confirming with the PCPD that the recording in question had been deleted, the centre apologised to the complainant and issued a warning to the staff member involved, cautioning her against making recordings without prior notification to customers. To prevent recurrence of similar incidents, the beauty centre promised to arrange relevant PDPO training for its staff members to enhance their awareness of protecting customers’ personal data privacy.

The PCPD issued a warning to the beauty centre, requesting it to ensure its frontline staff members fully understand and comply with the requirements of the PDPO in relation to the collection of personal data. To comply with relevant requirements of the PDPO, if staff members intend to record customers’ conversations during medical consultations, they should take all practicable steps to ensure that the customer is given prior notice and provided with a Personal Information Collection Statement to explicitly inform customers of the recording purpose. 

Lessons Learnt

The PCPD understands that organisations may have legitimate reasons for audio-recording customers’ conversations under certain circumstances. However, if such conversations involve customers’ personal data, the recording will amount to the collection of personal data, and the relevant requirements under the PDPO must be observed. In such situations, organisations must first notify customers of their intention to make audio recordings and the purpose of recording to comply with the requirements of Data Protection Principle 1 under the PDPO regarding the collection of personal data. Additionally, the staff member involved in this case demonstrated a lack of awareness of the importance of protecting customers’ personal data privacy. Organisations should provide regular personal data privacy training to their employees to ensure they fully understand and comply with the requirements of the PDPO.

TECH TALK

Beware of Social Media Scams – Stay Vigilant to Suspicious WhatsApp Video Calls

With multiple functions including text messaging, audio and video calls, WhatsApp has become a popular communication tool for individuals and organisations worldwide. However, a new WhatsApp scam has emerged recently, in which fraudsters impersonate police officers or bank officers through WhatsApp video calls in an attempt to lure users to provide personal data or money.

Why do fraudsters prefer video calls to voice calls? 

Firstly, fraudsters can capture users’ appearances during video calls and link these images to identifiable individuals by searching online platforms such as search engines, social media posts or online photo albums. Details in the background or the users’ appearances can provide information that can aid future social engineering or identity theft attacks.

Secondly, with advanced technologies and artificial intelligence, fraudsters can collect biometric data such as facial information and voice of users during video calls to create highly realistic deepfakes for use in other fraudulent activities.

Thirdly, having both video and voice data from users allows fraudsters to create an illusion with fabricated scenes, backgrounds or costumes, and impersonate officers from organisations such as law enforcement agencies or banks for illegal scam activities.

Fourthly, video calls create a sense of urgency, compelling users to respond quickly without sufficient time for critical thinking. This helps fraudsters maintain control of the interaction for their scams.

To protect yourself from falling prey to this new WhatsApp scam, you can consider the practical tips below:

• Exercise caution when answering video calls from unknown individuals. If you do not recognise the caller, you can choose not to answer or directly reject the call;

• Do not disclose sensitive personal data such as passwords or bank account numbers during unknown video calls. Staff members from legitimate institutions will not request such information through video calls;

• Be cautious if a stranger asks you to download or open a file during a video call. Only download files from trusted sources and scan files with secure antivirus software;

• Check the privacy options of your devices and applications to ensure that only authorised individuals can initiate video calls with you; and

• Mute unknown callers if appropriate (Open WhatsApp “Setting” > “Privacy” > “Calls” > enable “Silence Unknown Callers”).

WHAT’S ON

Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the Thematic Seminar on Data Flow of 2023 Beijing-HK Thematic Programme

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Thematic Seminar on Data Flow (New Developments in Promoting Cross-boundary Flow of Credit Data) of the 2023 Beijing-HK Thematic Programme organised by the Chaoyang District People’s Government of Beijing Municipality and delivered a speech on 28 November. The Privacy Commissioner introduced to the participants the work and vision of the PCPD in promoting cross-boundary flow of personal information.

The PCPD was the Honorary Patron for the seminar in Hong Kong. At the seminar, the Privacy Commissioner congratulated Nova Credit Limited and its related company in successfully entering into standard contracts under the Mainland’s Personal Information Protection Law for the movement of personal information from Mainland to Hong Kong. She also thanked the Cyberspace Administration of China (CAC) and the Beijing CAC office for their support and recognition of the PCPD’s work.

The Privacy Commissioner shared her insights on Hong Kong’s important role in facilitating the development of digital economy under the guiding principle of “One Country, Two Systems”. The Privacy Commissioner also encouraged local enterprises to make contributions towards the cross-boundary interconnection with the Mainland and the Guangdong–Hong Kong–Macao Greater Bay Area.

Please click here for the Privacy Commissioner’s speech (Chinese only).

Reporting to Legislative Council – Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Meeting of the Legislative Council Panel on Constitutional Affairs

The Secretary for Constitutional and Mainland Affairs (SCMA) Mr Erick TSANG Kwok-wai, GBS, IDSM, JP attended the Policy Briefing meeting of the Legislative Council (LegCo) Panel on Constitutional Affairs on 20 November to brief Panel members on the Chief Executive’s 2023 Policy Address. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by members on personal data privacy issues and the work of the PCPD.

In responding to a question on the effectiveness of the anti-doxxing regime since its implementation in October 2021, the Privacy Commissioner said that since the amendment of the PDPO came into effect to the end of October 2023, the PCPD initiated 228 criminal investigations and made 39 arrests, with a total of 40 persons arrested. The PCPD referred 55 cases to the Police in respect of the more serious cases and cases involving other criminal offences. During the same period, the PCPD issued over 1,800 cessation notices to 41 online platforms, requesting the removal of nearly 27,000 doxxing messages. The compliance rate on the removal of doxxing messages was over 95%. Other than individual doxxing messages, over 180 doxxing channels were successfully removed.

The Privacy Commissioner reported that the enforcement efforts were very effective. There was a significant reduction in the number of doxxing messages on the internet, and that was attributable to the PCPD’s resolute enforcement efforts and a more harmonious atmosphere in the society.

Please click here for the paper provided by the Constitutional and Mainland Affairs Bureau to the LegCo Panel on Constitutional Affairs.

Please click here for the opening remarks of the SCMA at the Policy Briefing meeting of the LegCo Panel on Constitutional Affairs (Chinese only).

Reaching Out to the Community – Privacy Commissioner Interviewed by the RTHK Radio 1’s “HK2000”

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 15 November to explain the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness” survey report, and the three initiatives to help organisations enhance their data security launched by the PCPD.
 
During the interview, the Privacy Commissioner said that the “Hong Kong Enterprise Cyber Security Readiness Index” dropped to 47.0 points (maximum being 100 points), recording the largest-ever drop since the launch of the index. She pointed out the four major challenges faced by the organisations, namely lacking IT support staff and security expertise or knowledge, requiring different kinds of investments and more investment on infrastructure. She recommended organisations to devote more resources to protect cyber security and strengthen employees’ awareness of cyber security.
 
With the aim of helping organisations to enhance their capability to protect data and comply with the requirements under the PDPO, the PCPD launched the Data Security thematic webpage and the “Data Security Scanner”, as well as the “Data Security Hotline” 2110 1155.

Privacy Commissioner Publishes an Article on Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Responsible ‘Sharenting’ for Protecting Children’s Digital Privacy” on Hong Kong Lawyer.

The Privacy Commissioner pointed out that as the phenomenon of “sharenting” (a portmanteau of “sharing” and “parenting”) is getting more popular nowadays, parents may unintentionally compromise their children’s security by divulging their children’s personal data or identity via online posts. As the potential impacts of oversharing children’s daily lives online may encompass long-term consequences affecting their education or work prospects, parents are encouraged to seek their children’s views before posting any materials relating to them to show respect to their privacy rights.

The Privacy Commissioner also mentioned that the PCPD recently published a pamphlet entitled “Sharenting Dos and Don’ts”, which sets out some helpful tips for parents to consider before publishing any posts about their children online. The Privacy Commissioner urged parents to consider the long-term consequences of their behaviours online when cocreating a shared digital presence with their children.
 
Please click here to read the article.

Enhancing Data Security – Privacy Commissioner’s Office Organises a Seminar on “Enhancing Data Security to Prevent Cyber Attacks”

The PCPD organised a seminar on “Enhancing Data Security to Prevent Cyber Attacks” in hybrid mode on 7 November, which attracted over 500 participants.
 
At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling explained the means to enhance cybersecurity and highlighted some recommended data security measures and the key points to note in preventing and handling data breach incidents. Mr Lester IP, Chief Inspector of the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force, spoke as a guest speaker on the latest trends of cyber threats for organisations, using real cybercrime cases as examples.
 
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).

Please click here for Chief Inspector IP’s presentation deck (Chinese only).

Reaching Out to the Community – Privacy Commissioner Interviewed by “StandUp”

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Orange News’ current affairs programme “StandUp” to explain the work done by the PCPD on the protection of personal data privacy.

In response to the recent fraud cases relating to the hijacking of WhatsApp accounts, the Privacy Commissioner reminded users to stay vigilant of the latest tricks of fraudsters and beware of scams. During the interview, she also mentioned the privacy policies of online shopping and social media platforms, and offered tips to users to surf the internet safely.

In addition, the Privacy Commissioner pointed out in the interview the privacy risks brought by generative artificial intelligence (AI). Since the use and training of chatbots involve the collection of a vast amount of personal data, the society cannot overlook its data security risks. The Privacy Commissioner introduced the leaflet entitled “10 TIPS for Users of AI Chatbots” recently published by the PCPD to help users better protect their personal data privacy. 

Please click here (first episode, second episode, third episode) to view the interview by “StandUp”(Chinese only).

Promoting Ethical and Responsible Use of AI – Privacy Commissioner Publishes an Article in A Plus

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Navigating the Privacy and Ethical Challenges of Generative AI” in A Plus, a journal of the Hong Kong Institute of Certified Public Accountants, where she discussed the impact of generative AI on the accounting profession and the associated privacy and ethical risks as well as the evolving regulatory landscape of AI.

In the article, the Privacy Commissioner pointed out that the PCPD published the “Guidance on the Ethical Development and Use of Artificial Intelligence” in August 2021 to help organisations develop and use AI systems in a privacy-friendly and ethical manner.

She called on accountants to join hands to rise to the challenges brought by generative AI, and to build a stronger profession amidst technological developments.

Please click here to read the article.

Reaching Out to Schools – Privacy Commissioner Speaks on the Protection of Students’ Personal Data Privacy and the Doxxing Offence

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the hybrid seminar entitled “Media and Information Literacy Series: Seminar on Understanding the Internet, Social Media and Protection of Personal Data Privacy” co-organised by the Education Bureau and Journalism Education Foundation on 31 October, and gave a presentation to more than 300 primary and secondary school principals and teachers.
 
The Privacy Commissioner elaborated on how to protect students’ personal data privacy by providing concrete examples and practical advice to the audience. Besides, she also explained the elements of the doxxing offences under the Personal Data (Privacy) Amendment Ordinance 2021. At the seminar, Manager (Corporate Communications) of the PCPD Mr Eric PHENG also shared some practical tips on how to protect personal data online.
 
Please click here for the presentation deck (Chinese only).

Reaching Out to Universities – PCPD’s Senior Legal Counsel Explains the Relationship between Media Work and Personal Data Privacy

Senior Legal Counsel of the PCPD Ms Hermina NG gave an online lecture to around 60 university students in the course on “Communication, Ethics and Law” of the Department of Journalism, School of Communications of the Hong Kong Baptist University on 27 November.
 
Ms Ng pointed out that privacy right and freedom of the press are fundamental rights enshrined in the Basic Law and the Hong Kong Bill of Rights Ordinance. However, privacy right and freedom of the press are not absolute rights and must be balanced with other rights and public interest.
 
She briefed students on the privacy issues in the digital world, the privacy protection issues to be borne in mind by the media, including the relevant Data Protection Principles under the PDPO and relevant court cases, the exemption of news activities under the PDPO, as well as the regulatory provisions relating to doxxing.
 
Please click here for the presentation deck (Chinese only).

PCPD Publishes 2022-23 Annual Report

The 2022-23 Annual Report of the PCPD was tabled in the Legislative Council on 8 November.
 
The PCPD’s 2022-23 Annual Report, themed “Protecting Personal Data Privacy for a Smart Hong Kong”, emphasises the importance of protecting personal data privacy amidst the rapid technological advancement in our society.
 
The Annual Report highlights the significant achievements of the PCPD during 2022-23, including the successful implementation of the Personal Data (Privacy) (Amendment) Ordinance 2021, which led to the first-ever conviction and sentencing of the doxxing offence during the reporting year. In 2022-23, we commenced 83 criminal investigations and mounted 19 arrest operations, resulting in the arrest of 19 persons. We also took proactive measures against doxxing by serving a total of 1,006 cessation notices on 28 online platforms, most of which were operated by overseas service providers. These actions resulted in the removal of 17,829 doxxing messages and in some cases, the removal of the entire doxxing channels. The overall compliance rate was over 95%.
 
The year 2022-23 also witnessed other remarkable achievements by the PCPD, including an array of initiatives to combat data fraud, and raise public’s anti-fraud awareness. The PCPD published a series of investigation reports highlighting the importance of privacy protection measures and providing recommendations to prevent recurrence of similar breaches. The PCPD made strides in promoting public awareness on data security through informative publications and seminars, including, in particular, the “Guidance Note on Data Security Measures for Information and Communications Technology” issued in August 2022. Furthermore, the PCPD was honoured to host the 57^th Asia Pacific Privacy Authorities Forum, a pivotal platform to foster and strengthen cooperation with other data protection authorities across the Asia Pacific region.
 
Please click here to download the Annual Report.

MEDIA STATEMENT

A 30-year-old Female Arrested for Suspected Doxxing of Her Neighbours

The PCPD arrested a Chinese female aged 30 on Hong Kong Island on 28 November. The arrested person was suspected to have disclosed the personal data of two data subjects without their consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the two victims were a married couple, and the arrested person is their neighbour. The relationship between two households had been tense because of previous grudges. In March 2022, a dispute arose between the arrested person and the victims, during which the arrested person took a video of the victims with her mobile phone. On the date following the dispute and until May 2023, four messages containing the personal data of the victims, each with the said video attached, were posted in two open discussion groups on a social media platform, alongside some negative comments and allegations against the victims. The personal data disclosed included the victims’ Chinese names, residential address and photos, as well as their appearances as recorded in the said video.
 
The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
 

Relevant Provisions under the PDPO
 
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject – 

1. with an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if – 

1. the person discloses any personal data of a data subject without the relevant consent of the data subject – 

   1. with an intent to cause any specified harm to the data subject or any family member of the data subject; or

   2. being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and

2. the disclosure causes any specified harm to the data subject or any family member of the data subject. 

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means –

1. harassment, molestation, pestering, threat or intimidation to the person;
2. bodily harm or psychological harm to the person;
3. harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. damage to the property of the person.

A 27-year-old Female Arrested for Suspected Doxxing of a Pet Seller

The PCPD arrested a Chinese female aged 27 in Kowloon on 16 November. The arrested person was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the arrested person purchased three kittens from the victim in late 2022. The arrested person subsequently requested a refund from the victim because of the health issue of one of the kittens, but the two could not agree on the amount of refund and a dispute arose between them. In May 2023, a message containing the personal data of the victim was posted in an open discussion group on a social media platform, alongside some negative comments and allegations against the victim. The personal data disclosed included the victim’s Chinese name, photo, parts of her mobile phone numbers and former area of residence.
 
The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

PCPD Officer Receives The Ombudsman’s Awards

An officer of the PCPD received The Ombudsman’s Awards 2023 for Officers of Public Organisations (the Awards) in recognition of her professionalism in handling complaints and contribution in improving public service.
 
The PCPD awardee is Senior Personal Data Officer of the Complaints Division, Ms Terri WU Wai-nga. Ms WU has demonstrated great competency in the handling of public complaints. She is fair and practical and always handles all complaints in a professional and dedicated manner with a view to bringing about a satisfactory result to all parties.
 
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the award presentation ceremony on 15 November and congratulated Ms Terri WU, “This is the seventh year in a row for our officers to receive the Awards in recognition of their exemplary performance in serving the public. We will continue to strive our best to enhance the protection of privacy in relation to personal data.”

A 32-year-old Male Arrested for Suspected Doxxing of His Former Classmate

The PCPD arrested a Chinese male aged 32 in the New Territories on 31 October. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the victim and the arrested person were former secondary school classmates whose relationship turned sour because of some personal grudges. In January 2023, two messages containing the personal data of the victim were posted in two open discussion groups on a social media platform, alongside some negative comments and allegations against the victim. The personal data disclosed included the victim’s Chinese name, former occupation and his photo.
 
The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

MAINLAND CORNER

Highlights of the “Draft Practical Guidance of Cybersecurity Standards — Requirements for Protection of Personal Information for Cross-Boundary Transfers within the Guangdong-Hong Kong-Macao Greater Bay Area” 
《網絡安全標準實踐指南 — 粵港澳大灣區跨境個人信息保護要求（徵求意見稿）》的重點

To foster the safe and orderly cross-boundary flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area (the Greater Bay Area), the National Information Security Standardization Technical Committee (TC260) released a set of “Draft Practical Guidance of Cybersecurity Standards – Requirements for Protection of Personal Information for Cross-Boundary Transfers within the Guangdong-Hong Kong-Macao Greater Bay Area” (the Draft Requirements) on 1 November 2023 to collect public opinions until 15 November 2023. The Draft Requirements set out basic principles and processing requirements for personal information processors to observe where cross-boundary transfers of personal information within the Greater Bay Area are to be carried out. This article provides an overview of the Draft Requirements.

為促進粵港澳大灣區（大灣區）個人信息跨境安全有序流動，全國信息安全標準化技術委員會於2023年11月1日發布《網絡安全標準實踐指南 — 粵港澳大灣區跨境個人信息保護要求 （徵求意見稿）》（《徵求意見稿》）¹，向公眾徵求意見。有關意見反饋時間已於2023年11月15日結束。《徵求意見稿》就個人信息處理者在大灣區内進行跨境處理個人信息活動時應遵循的基本原則及處理要求提出規定，有關重點如下：

適用範圍及定義

《徵求意見稿》只適用於大灣區內個人信息處理者²依據《關於促進粵港澳大灣區數據跨境流動的合作備忘錄》（備忘錄）以認證方式開展的個人信息跨境處理活動³。根據《徵求意見稿》，有關個人信息及其他相關術語須按照屬地的相關法律法規⁴詮釋。

基本原則

個人信息處理者在大灣區内跨境處理個人信息時，需遵守以下基本原則⁵：

• 合法、正當、誠信原則；
• 最小必要原則；
• 公開透明原則；
• 質量保障原則；
• 確保安全原則；及
• 責任明確原則。

個人信息處理要求

《徵求意見稿》列明與處理個人信息相關的要求，包括⁶：

• 個人信息處理者在處理個人信息時應符合屬地法律法規的要求，包括需要告知個人信息主體的項目及有關取得個人信息主體同意的規定，如何存儲、使用或加工個人信息，以及如何委托第三方處理、提供或公開個人信息等；
• 個人信息處理者在跨境處理個人信息時，應同時符合以下要求：
  • 通用規則⁷：
    • 制定個人信息跨境安全管理制度和操作規程，採取相應安全技術措施；
    • 就個人信息跨境處理活動進行日誌記錄，並至少保存日誌3年；
    • 識別數據跨境處理中涉及的個人信息，形成個人信息跨境處理目錄，並及時更新；
    • 對被授權跨境訪問或查閱個人信息的人員，建立最小授權的訪問控制策略；及
    • 承諾接受認證機構對個人信息跨境處理活動的持續監督，並提供已採取必要行動的書面證明。
  • 提供方除滿足上述通用規則外，亦需要確守以下責任⁸：
    • 在跨境處理個人信息之時或之前，向個人信息主體告知接收方的資訊以及個人向接收方行使個人信息權利的方式和程序等事項⁹；
    • 按照屬地法律法規要求取得個人信息主體的同意；
    • 與接收方簽訂具有法律約束力的文件，其中須要求接收方不得將接收的個人信息轉移至大灣區之外的第三方；及
    • 採取合同協議約定、向認證機構承諾、主管部門備案、定期審計接收方日誌、每年開展數據出境安全風險自評估等措施，防止接收方將接收的個人信息轉移至大灣區之外的第三方。
  • 接收方除滿足上述通用規則外，亦需要確守以下責任¹⁰：
    • 按照簽訂的具有法律效力文件處理個人信息，若接收方違反相關約定，獲得的認證即被視為終止或失效；及
    • 當合同協議未生效、無效、被撤銷、終止或按個人信息處理者要求應當刪除時，應將個人信息返還跨境提供個人信息的個人信息處理者或者予以刪除，不應保留。

其他個人信息權益保障要求及安全要求

《徵求意見稿》另外列出個人信息主體應享有的權利，主要包括¹¹：

• 有權查閱或複製被處理的個人信息；
• 若發現其個人信息不準確或者不完整，有權請求個人信息更正或補充；
• 有權要求對其個人信息處理的規則進行解釋說明；
• 有權撤回對其個人信息處理的同意；及
• 個人信息處理者在特定情形下應按照屬地法律法規要求主動刪除個人信息。

個人信息處理者亦要履行以下責任義務¹²：

• 為個人信息主體提供查閱、更正、刪除、撤回同意、拒絕處理個人信息的便捷渠道；
• 建立便捷的個人行使權利的申請受理和處理機制，及時回應個人信息主體提出的權利請求¹³；及
• 出現難以保證個人信息安全的情況時，應及時停止跨境處理個人信息，並通知相關個人信息處理者。

《徵求意見稿》最後亦指出個人信息處理者應采取下列措施以保護個人信息安全，防止跨境個人信息的洩露、篡改、破壞或丟失，主要包括¹⁴：

• 指定個人信息保護負責人，設立個人信息保護機構，並定期對相關人員進行個人信息安全教育和培訓；
• 傳輸和存儲敏感的個人信息時，應採用加密等安全措施；
• 合理限制個人信息處理的操作權限，與相關人員簽署保密協議；
• 對個人信息的重要操作設置内部審批流程；
• 制定個人信息安全事件應急預案；及
• 一旦發生個人信息安全事件，應立即採取補救措施並通知相關個人信息處理者，向有關部門報告，按照有關要求通知個人信息主體，並就安全事件作出紀錄。

總結

總括而言，《徵求意見稿》就於大灣區内以認證方式進行個人信息跨境處理活動提供更爲詳細的指引，務求推動大灣區的高質量發展。有關個人信息處理者宜密切留意内地法規的最新進展，以便及時採取相應行動，確保其個人信息跨境處理活動能在符合法規的前提下順利進行。

¹ 全文：https://www.tc260.org.cn/upload/2023-11-01/1698813097992054356.pdf

² 大灣區內的個人信息處理者是指註冊於（適用於組織）／位於（適用於個人）粵港澳大灣區內的個人信息處理者，即廣東省廣州市、深圳市、珠海市、佛山市、惠州市、東莞市、中山市、江門市、肇慶市，及香港特別行政區的個人信息處理者。

³《徵求意見稿》第1條。

⁴《徵求意見稿》第2.5條提及，就內地而言，屬地法律法規是指《網絡安全法》、《數據安全法》和《個人信息保護法》等法律法規；就香港而言，則指《個人資料（私隱）條例》等法律法規。

⁵《徵求意見稿》第3條。

⁶《徵求意見稿》第4條。

⁷《徵求意見稿》第4.5.1條。

⁸《徵求意見稿》第4.5.2條。

⁹ 包括接收方的名稱或姓名、聯繫方式、處理目的、處理方式、個人信息的種類、保存期限。

¹⁰《徵求意見稿》第4.5.3條。

¹¹《徵求意見稿》第5.1條。

¹²《徵求意見稿》第5.2條。

¹³ 即在40 日內或屬地法律法規所規定的期限內作出答覆及合理解釋。若拒絕個人行使權利請求，應說明理由。

¹⁴《徵求意見稿》第6條。

RECOMMENDED TRAININGS

Seminar on “Safe Use of WhatsApp and Social Media Platforms” 

In recent months, there has been a concerning increase in the hijacking of instant messaging accounts, with scammers impersonating victims to fraudulently obtain money from their online contacts. The PCPD has also received a number of data breach notifications from organisations and schools relating to the hijacking of WhatsApp accounts, reflecting a rising trend in the number of hijacking cases on WhatsApp accounts.

Against this background, the PCPD organises this seminar to explain the methods used by fraudsters to hijack WhatsApp accounts, and provides advice on minimising privacy risks when using instant messaging apps and social media platforms. In addition, a guest speaker from Meta will speak on Meta’s policy and approach to combat scams on WhatsApp, Facebook and Instagram platforms, as well as the tools and features that users can use to protect their accounts.

All members of the public with an interest in the topic are welcome to attend.

Enrolment is free-of-charge and on a first-come-first-served basis.

Date: 8 December 2023 (Friday)

Time: 3:00pm – 4:00pm

Mode: Online / Face-to-face

(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)

Fee: Free-of-charge

Language: Cantonese

Who should attend: all members of the public with an interest in the topic 

Professional Workshops on Data Protection in Banking / Financial Services 

The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary.

This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively. It is particularly suitable for data protection officers, compliance officers, banking/ financial practitioners, company secretaries and solicitors.

Date: 6 December 2023 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Face-to-face

(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry

New Series of Professional Workshops on Data Protection from Jan to Mar 2024:

Online Free Seminar – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming session shows below:

Date: 14 December 2023 (Thursday)

Time: 3:00pm – 4:30pm

Mode: Virtual

Language: Cantonese

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

New Series of Introduction to the PDPO Seminars from Jan to Mar 2024:

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

Renewal of DPOC’s Membership

Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!

Special offer for organisational renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).

Renew your membership now to keep up-to-date with the latest news and legal developments!

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.