
PCPD e-Newsletter


Seminar on “Managing Sustainable Corporate Cyber Defense”

In today’s digitally driven world, multiplying cyber threats and attacks, together with rapid changes in internet and digital technology, pose grave risks to privacy and raise serious concerns about personal data protection. Safeguarding information, especially personal data, has become pivotal to companies.

The PCPD is delighted to have representatives of the Hong Kong Innovative Technology Development Association talk with DPOC members on how to manage sustainable corporate cyber defence. This seminar will also review the cyber threats driven by artificial intelligence, impersonation risk, and personal cyber credibility reference.

Date: 27 November 2019 (Wednesday)
Time: 4:00 PM - 5:30 PM
Language: Cantonese
Venue: Lecture Room, the office of the Privacy Commissioner for Personal Data, 12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong

Mr Bernard LEE, FinTech Committee Member, Hong Kong Innovative Technology Development Association
Mr Leo Tong, Vice President (Professional Development), Hong Kong Innovative Technology Development Association

- Sustainable corporate cyber defence
- Corporate Information Security Management
- Threat intelligence and Intelligence-led Cyber Attack Simulation Testing
- Emerging artificial intelligence driven cyber threats
- Impersonation risks and cyber credibility

Priority enrollment for DPOC members until 7 November 2019 


Seminar on “China Cybersecurity Law”
New Legal and Regulatory Updates; Practical Implications and Challenges

China’s Cybersecurity Law came into effect in 2017 and has evolved with ongoing draft measures being released over time, with the most recent in Dec 2019. Please join us for our China Cybersecurity Law session, organised by the PCPD and supported by the International Association of Privacy Professionals (IAPP) Hong Kong Chapter. A distinguished group of subject matter experts will share their insights on recent developments in the legal, regulatory and practical implementation challenges which organisations need to consider.

Date: 11 December 2019 (Wednesday)
Time: 4:30 PM - 6:00 PM
Language: English
Venue: Lecture Room, the office of the Privacy Commissioner for Personal Data, 12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong
Cost: HK$350 each; IAPP and DPOC Members HK$280 (i.e. 20% off)

Keynote Speakers and Panelists:
Mr. Stephen Kai-yi Wong
Privacy Commissioner for Personal Data, Hong Kong 
Ms. Barbara Li, Partner
Norton Rose Fulbright, Beijing

Mr. Allen Ting, Senior Legal Counsel
Mr. Bernard Tan, Chief Legal Counsel, Data and Cybersecurity

Adjunct Professor Jason Lau,
Regional Lead and Co-Chair of the IAPP

- PCPD’s Guidance on China Cybersecurity Law
- Regulatory and Data Privacy Implications
- China Cybersecurity Law
- Recent Legal Developments and Impact on Business




Data Protection in Property Management Practices (26 November 2019)

Property management officers face many data protection compliance challenges in their daily operation as many aspects of their work involve the collection and use of personal data of flat owners, residents, car park users and others. This workshop takes a holistic approach to the handling of personal data in property management and is specially designed to provide in-depth discussion and practical guidance on data protection in relation to the work context of the property management industry. The workshop will be conducted by an experienced officer of PCPD, and is suitable for property management staff at all levels.


Data Protection and Data Access Request (7 November 2019)

Dealing properly and effectively with a Data Access Request (DAR) is a challenge for many organisations, as there are stringent requirements for compliance with a DAR under the Personal Data (Privacy) Ordinance. This workshop will examine those requirements in detail and offer guidance to participants on the handling of DARs. Your questions will be answered during the workshop.

Highlights of course outline:

- What is DAR
- How to make a DAR
- What should a data user do in order to comply with a DAR
- Charges for a DAR
- Consequences of breach of the DAR provisions


Data Protection in Direct Marketing Activities (13 November 2019)

Direct marketing is widely adopted by different types of organisations in promoting their products and services. From time to time there are convictions for failing to comply with the requirements on direct marketing activities under the Personal Data (Privacy) Ordinance, posing risks to a company’s reputation and consumer trust. This workshop provides a practical approach to complying with the requirements under the Ordinance in direct marketing activities and provides hands-on solutions to problems that marketers face in devising direct marketing activities. Conviction cases will also be shared with the participants.


Privacy Commissioner Advocates Combatting Violent Content and Hate Speech on Social Media and Strengthening Collaboration in Law Enforcement and Regulation at International Privacy Conference (24 October 2019)


Now TV Programme (時事全方位) – Interview with Privacy Commissioner Mr Stephen Wong: Doxxing and interim injunction (Cantonese only) (29 October 2019)



TVB News Programme (講清講楚) – Interview with Privacy Commissioner Mr Stephen Wong: Doxxing and interim injunction (Cantonese only) (27 October 2019)



Privacy Commissioner Mr Stephen Wong delivered a speech on "Stand Shoulder to Shoulder Propelling Innovation and Privacy Protection" at the anniversary luncheon of Hong Kong Innovative Technology Development Association (18 October 2019)


Privacy Commissioner’s Response to Media Enquiries about Chief Executive’s Suggestion of the Need for Legislative Amendment to Tackle Doxxing (18 October 2019)


International Data Protection Commissioners Plan Greater Enforcement Cooperation

The 41st International Conference of Data Protection and Privacy Commissioners was held on 21-24 October 2019 in Albania. Members agreed on a framework that continues to strengthen the group’s position as an effective international forum. Several resolutions were passed in the conference.


Is Security the Same as Privacy?

Can you clearly differentiate between security and privacy? In today’s digitally driven world, security and privacy have become interchangeable, but in fact, they are not the same. The article suggests a few simple precautions to create a truly private online experience.


German Data Protection Authorities Publish a New GDPR Model for Fines

The German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, has published a new framework model to calculate fines pursuant to Article 83 of the GDPR. This article sets out how fines for violations are calculated in 5 steps. The DSK believes that its model guarantees a systematic approach for a transparent and comprehensible calculation of fines.


Protecting Privacy – Using Computers and the Internet Wisely

Securing devices such as computers, smartphones and tablet computers that you use to connect to the Internet is the first line of defence. This booklet aims to provide practical tips and advice on how individuals can protect their personal data when using information and communication technologies.



Q: What is a data breach?

A: A data breach is generally taken to be a suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use. It may amount to a contravention of Data Protection Principle 4 (security of personal data) of the Personal Data (Privacy) Ordinance.

Q: How should a data breach be handled?

A: A data user shall take remedial actions to lessen the harm or damage that may be caused to the data subjects in a data breach. The following action plan is recommended for a data user's consideration:

- Immediate gathering of essential information relating to the breach 
- Contacting the interested parties and adopting containment measures 
- Assessing the potential harm 
- Considering the giving of data breach notification

Q: What is a data breach notification?

A: A data breach notification is a formal notification given by the data user to the data subjects affected and the relevant parties and regulators in a data breach, and is useful in:

- drawing the affected data subjects' attention to take proactive steps or measures to mitigate the potential harm or damage, for example, to protect their physical safety, reputation or financial position
- allowing the relevant authorities to undertake appropriate investigative or follow-up actions consequent to the breach
- showing the data user’s commitment to proper privacy management in adhering to the principles of transparency and accountability
- increasing public awareness, for example, in situations when public health or security is affected by the data breaches

Q: Is data breach notification mandatory under the Personal Data (Privacy) Ordinance?

A: No. But the PCPD encourages organisations to notify the PCPD and the affected people as soon as possible to minimise the potential harm.

Extended Reading:
Guidance on Data Breach Handling and the Giving of Breach Notifications

Data Protection Principle 3 - Use of personal data
A school provided students’ personal data to an online tool services provider for creating service accounts for students without notifying the parents

The Complaint

The complainant’s daughter was a primary school student. Without notifying the parents, the school provided its students’ names, classes and class numbers to the contractor of its online tool for creating user accounts, which were used by students for logging into services provided by the tool such as email, cloud disk and learning applications. Student number and date of birth were used as the default log-in name and password respectively. The complainant was worried that the school might keep track of students’ account usage, and that the terms and conditions to be accepted upon logging in might be incomprehensible to primary students. The complainant therefore complained to the PCPD on behalf of her daughter.


The school stated that although it had control over students’ accounts and might decide on the services used by students according to teaching needs, it was unable to review students’ account activities. Besides, the school explained that naming service accounts by student name, class and student number could facilitate identification of users by teachers. The setting of date of birth as default password was also done on purpose for easy recall by students. The school stressed that it had required the students to change their account password upon the first log-in.

When parents provided their children’s personal data to the school, they were not informed that the data would be transferred to the contractor of its online tool. In the circumstances, parents’ concern about possible misuse of their children’s personal data was understandable.

After the PCPD explained the relevant requirements under the Ordinance to the school, the school undertook that it would use other combinations of characters to create user accounts for students. For the existing accounts, parents might choose whether they would keep using them or not. Besides, the school would develop a policy on usage of the online tool, define the purposes of account creation, and publicise account safety and the school’s right to manage the accounts, to alleviate parents’ concern.

Extended Reading:

Guidance for Data Users on the Collection and Use of Personal Data through the Internet

Industry-specific Resources

A number of compliance resources and good practice materials have been developed for specific industries.


Secure Sockets Layer (SSL)

Make good use of SSL to protect online information.


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179




The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.