DPOC

PCPD e-Newsletter

Privacy Campaign for Property Management Industry

As property management practitioners and members of owners’ corporations collect and use a sheer amount of personal data, the PCPD has launched the Privacy Campaign for Property Management Industry to promote the culture of protecting and respecting personal data privacy in the industry.

The Campaign comprises a series of events, including the PCPD’s Professional Workshop on Property Management (with CPD accreditation), and talks for property management companies and members of owners’ corporations. The Campaign will kick off with the Slogan Composition Competition.

The Slogan Composition Competition is now open for participation! The award-winning property management companies will be presented with trophies and cash prizes in recognition of their effort and creativity. Don't hesitate and grab the chance to join now!

Meanwhile, the Professional Workshop on Property Management Practices is coming up soon! This CPD-accredited Workshop provides in-depth discussion and practical guidance on data protection in relation to property management industry and is designed to staff at all levels. You will get practical tips on how to manage the vast amount of customers’ personal data properly. The course outline includes:

points to note when installing CCTV in public areas for the prevention of crimes;
whether a property manager could transfer personal data of customers to a third party when handling complaints;
how to handle data access requests.

Besides, a newly revised Guidance on CCTV Surveillance and Use of Drones will be distributed during the Workshop.

Date: 26 November 2019
Time: 2:15pm - 4:15pm
Venue: Lecture Room,
　　    The office of the Privacy Commissioner for Personal Data,
　　    12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong
Cost: HK$750 (Standard fee);
　     HK$600 for DPOC members and members of supporting organisations

Seminar on “China Cybersecurity Law”
New Legal and Regulatory Updates; Practical Implications and Challenges (Limited seats available!)

China’s Cybersecurity Law came into effect in 2017, and has evolved with ongoing draft measures being released over time; with the most recent in December 2019. Companies both large and small are impacted, so please join us for this China Cybersecurity Law session. It is our honour to have a distinguished group of subject matter experts to share their insights on the recent developments on legal, regulatory and practical implementation challenges which organisations need to consider.

Date: 11 December 2019 (Wednesday)
Time: 4:30 PM - 6:00 PM
Language: English
Venue: Lecture Room,
12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai,
Hong Kong
Cost: HK$350 (Standard fee);
　 HK$280 for DPOC and IAPP members

Keynote Speakers and Panelists:
Mr. Stephen Kai-yi Wong
Privacy Commissioner for Personal Data, Hong Kong
Ms. Barbara Li, Partner
Norton Rose Fullbright, Beijing

Panelists:
Mr. Allen Ting, Senior Legal Councel, Huawei
Mr. Bernard Tan, Chief Legal Counsel, Data and Cybersecurity, SAP

Moderator:
Adjunct Professor Jason Lau,
Regional Lead and Co-Chair of the IAPP,
CISO at Crypto.com

Highlights:
- PCPD’s sharings on China's Cybersecurity Law
- Regulatory and Data Privacy Implications
- China Cybersecurity Law
- Recent Legal Developments and Impact on Business

Professional Workshop on Data Ethics (17 December 2019) "New"

Big data analytics, artificial intelligence and machine learning are increasingly applied to various business operations to improve operational efficiency, but at the same time different privacy issues also arise from these applications.

Data ethics is the world trend of responsible management of personal data. Organisations that amass and derive benefits from personal data should ditch their mindset of conducting their operations to meet the minimum regulatory requirements only. They should also be held to a higher ethical standard that meets the stakeholders’ expectations by doing what they should do.

To promote the ethical use of personal data, the PCPD rolls out a brand new Professional Workshop on Data Ethics. The first-run of this workshop will be free of charge. Here are the details of the workshop:

Date: 17 December 2019 (Tuesday)
Time: 2:15 pm – 3:45pm (1.5 hrs)
Venue: Lecture Room, Office of the Privacy Commissioner for Personal Data, 12/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong
Outline:

Why data ethics is important in the digital era
PCPD’s Ethical Accountability Framework
Global development on data ethics
Scenario group exercise

Data Protection in Insurance (10 December 2019)

Insurance practitioners handle a large amount of customers' personal data in their daily work. This workshop would provide practical tips on what insurance practitioners should do to protect customers' personal data when providing insurance services. Core concepts of data protection compliance illustrated by specific scenarios such as collection of customers' medical data, engagement of private investigators in insurance claims and use of customers' data for internal training etc. will be examined.

RTHK - "Letter to Hong Kong"
Mr Stephen Wong, Privacy Commissioner for Personal Data, Hong Kong (2 November 2019)

Listen to the programme
(Cantonese programme)

Privacy Commissioner Stephen Kai-yi WONG delivered a presentation titled “Data Protection in Hong Kong from a Regulatory Perspective” in an event of International Association of Privacy Professionals (IAPP) hosted by the Huawei Headquarters (1 November 2019)

Two PCPD Staff Members Receive Individual Awards of The Ombudsman’s Awards 2019 (8 November 2019)

Brexit eroded data leaders’ confidence in govt, a report finds

Brexit does not only impact the economy of the UK, but also affect the ownership of personal data in UK. After completion of Brexit, the leader of UK will govern the data. However, the public's faith in data privacy has fallen since 2018. Thus, the UK government is now considering tightening the privacy regulations.

What’s your company’s digital ethics score?

Company today must possess ethical digital strategies to build up trust among their consumers. To change consumer sentiment, you need to put solid, trust-instilling policies into practice. Action is needed for corporations to realign their overall governance and ethics to the changing world demands.

3 steps banks & credit unions should take as data privacy gets hotter

The California Consumer Privacy Act (CCPA) is the latest data regulation to address the perceived imbalance in power that exists between companies and consumers. In order to better assure compliance with CCPA, businesses need to know the many different types of data they collect on individuals and where each type falls in regard to the act, provide consumers with access to the personal information held on them by a company and enhance the ethical capacity on financial institutions.

Can GDPR handle blockchain’s privacy problem?

While the General Data Protection Regulation is now effective law, blockchain is lack of regulatory guidance and striking the balance of blockchain development and user privacy will require pragmatism.

Hong Kong Lawyer November 2019 issue: Cookies – Ever Your Choice? - by Mr Stephen Wong, Privacy Commissioner for Personal Data, Hong Kong

A cookie is a small computer file stored in website user's device that allows website operators to track the user's online activities including functionality, performance of website and marketing cookies. For the marketing cookies, it would be able to observe or infer behavioural patterns and eventually guessing in an informed manner of user's interest. It is of great privacy concern as whether the validity of user's consent was obtained before use.

Q: Why is a Privacy Impact Assessment (PIA) useful?

A: A PIA is useful in:

enabling the decision-maker to adequately consider the impact on personal data privacy before undertaking the project

directly addressing the privacy problems identified in the process and providing solutions or safeguards at the design stage providing benchmarks for future privacy compliance audit and control being a cost-effective way of reducing privacy risks providing a credible source of information to allay any privacy concerns from the public and the stakeholders

Q: When should a PIA be undertaken?

A: A PIA should be undertaken by data users in both the public and the private sectors to manage the privacy risks arising from a project that involves:

processing (whether by the data user itself or by an agent appointed by the data user) or the building up of a massive amount of personal data;
the implementation of privacy-intrusive technologies that might affect a large number of individuals; or
a major change in the organisational practices that may result in expanding the amount and scope of personal data to be collected, processed, or shared.

Q: What are the key components that a PIA includes?

A: A PIA generally includes the following key components:

Data processing cycle analysis; Privacy risks analysis; Avoiding or mitigating privacy risks; and PIA reporting.

Extended Reading: Information Leaflet: Privacy Impact Assessments

Data Protection Principle 2 – Accuracy and duration of retention of personal data

Use of inaccurate personal data

The complainant had taken out a loan with a bank. He subsequently moved to a new address and notified the bank of the change. Upon his defaulting on repayment of the loan, the bank engaged the service of a debt collection agent and passed to it personal data of the complainant, including his old and new addresses. The debt collection agent sent demand letters to both addresses, thereby making known to people who were living in the complainant's old address that the complainant was in debt.

Investigation revealed that subsequent to being notified of the complainant's new address, the bank had been communicating with him there. It also had no reason to believe that the complainant could still be contacted at the old address.

Privacy Commissioner's views on the matter

In treating the complainant's old address as his correspondence address for debt collection purpose, the bank had acted in breach of Data Protection Principle (DPP) 2(1)(b), which requires all practicable steps to be taken to ensure that inaccurate data are not used or are erased. As a result of the PCPD's investigation, the bank agreed to erase the complainant's old address from all its records except the original loan application form. The bank also instructed the debt collection agent to erase all data concerning the complainant from its records. In the circumstances of the case, the retention by a bank of an applicant's old address as shown on the original loan application form was justified. However, in accordance with the requirements of DPP2 (1), inaccurate data should not be used until their accuracy is re-confirmed.

Tips on Encryption

Encryption is an effective way to prevent data from being understood when your computer is hacked or when your Portable Storage Devices are lost.

Tips on Log-in Information Understand what precautions to take to protect your user name and password.

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.