Skip to content

PCPD e-Newsletter

PCPD Facebook Instagram LinkedIn Twitter Weibo YouTube

The Privacy Commissioner for Personal Data, Hong Kong Mr Stephen Kai-yi WONG issued a media statement on 24 July 2020 to review his 5-year work. He emphasised that the data protection law must be complemented by the application and practice of ethics in order to safeguard protection of privacy.  

Read media statement

On 28 July 2020, the Privacy Commissioner for Personal Data, Hong Kong Mr Stephen Kai-yi WONG hosted the last public seminar entitled “Working Out for the New Data Ecosystem and Legal Frameworks” in his five-year term. The seminar was attended by more than 1,200 participants comprising privacy professionals, lawyers, bankers, corporate managers etc. and members of the public through video conferencing and live streaming on social media platforms.

Commissioner Wong gave an all-round overview of data privacy topics and shared the learnings gained and the work done during his five-year service to help all stakeholders “get fit” mentally and physically to embrace the novel challenges in the future.

Download presentation materials
View the Q and A session
Read media statement (Chinese only)

The Privacy Commissioner for Personal Data, Hong Kong, Mr Stephen Kai-yi WONG (right) and the United Kingdom Information Commissioner Ms Elizabeth Denham CBE (left) signed a Memorandum of Understanding (MOU) on 29 July 2020.

Under the MOU, the two regulatory bodies will engage in the sharing of experiences and exchange of best practices, collaborate on joint investigations, enforcement actions and research initiatives where opportunities arise and share information on regulatory approaches and activities. It lays the basis of the enhanced work relationship for the two authorities to go forward in matters of mutual regulatory interest.

Read media statement

Online Professional Workshop - Data Ethics

Date: 7 August (Friday)
Time: 2:15pm - 3:45pm
Fee:   $375/ $300*

Highlights of the course outline:

 - Why data ethics is important in the digital era
 - PCPD’s Ethical Accountability Framework
    - data stewardship values 
    - guiding principles and organisational policies and procedures
    - when and how to conduct Ethical Data Impact Assessment
    - how to assess the effectiveness of an organisation’s data stewardship
    - Process Oversight Model
 - Global development on data ethics

Enrol Now

Online Professional Workshop - Data Protection in Human Resource Management

Date: 12 August (Wednesday)
Time: 2:15pm - 5:15pm
Fee:   $750/ $600*

Highlights of the course outline:

- What are the general requirements for the collection and retention of personal data, and ensuring their accuracy and security in each phase of the employment process
- What are the requirements of the Code of Practice on Human Resource Management
- Collection of personal data in recruitment process e.g. medical data, reference data
- What is "Blind Recruitment Advertisement"
- What are the restrictions on keeping personal data, setting appropriate periods of time for keeping information
- What are the legal requirements in transferring personal data to third parties
- Collection of biometric data
- How to handle a Data Access Request by job applicants or employees
- What are the requirements for engaging in employee monitoring activities
- Data Ethics

Enrol Now

Online Professional Workshop - Recent Court and Administrative Appeals Board Decisions

Date: 19 August (Wednesday)
Time: 2:15pm - 5:15pm
Fee:   $950/ $760*

Highlights of the course outline:

- A thorough discussion of the following decisions made by the High Court of Hong Kong and the Administrative Appeals Board:-
   - HKSAR v Hong Kong Broadband Network Limited (HCMA 624/2015)
   - HKSAR v Leung Chun-kit Brandon (HCMA 49/2016)
   - AAB 17/2015 and AAB 18/2016
   - AAB 42/2016
   - AAB 40/2016

Enrol Now

Online Professional Workshop - Data Protection in Insurance

Date: 26 August (Wednesday)
Time: 2:15pm - 5:15pm
Fee:   $750/ $600*

Highlights of the course outline:

 - An overview of the data protection provisions
 - Recent topical issues on data privacy
 - Liabilities of insurance companies and insurance practitioners
 - Useful pointers on Personal Information Collection Statement
 - Collection of customers’ medical data
 - Collection of Hong Kong identity card number and copy
 - Engagement of private investigators in insurance claims
 - Retention of customers’ personal data
 - Use of customers’ data for internal training
 - Security of customers’ personal data handled by staff and agents
 - Handling of data access requests from customers
 - Data Ethics


Enrol Now

*Members of PCPD's Data Protection Officers' Club and the supporting organisations can enjoy discounted fee of all workshops above.

Response to media enquiry on guidelines of personal data collection during the pandemic (30 July)

Read media response

Fight COVID-19 Pandemic, Privacy Commissioner Provides Advisory to Premises Operators on Temperature Measurement and Collection of Relevant Personal Data (27 July) 

Read media statement
(Chinese version only)

Response to media enquiry on invalidation of the EU-US Privacy Shield (24 July)

Read media response

Data Protection Authorities Issue Co-signatory Letter to Voice Out Global Privacy Expectations of Video Teleconference Providers (21 July)

Read media statement

Response to media enquiry on privacy issues involved in bluetooth application (21 July)

Read media response
(Chinese version only)

Suspected Data Breach of a Hong Kong VPN Company (19 July)

Read media statement

Response to media enquiry on personal data privacy issues relating to“Democrats 35+ Civil Voting” Project (14 July)

Read media response

Response to media enquiry on a suspected phone scam (13 July)

Read media response
(Chinese version only)

Response to media enquiry on personal data privacy issues on the use of register of electors
(12 July)

Read media response
(Chinese version only)

Response to media enquiry on the disclosure of personal data of a reporter (10 July)

Read media response
(Chinese version only)

Guidance Note: Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users (Revised in July 2020)

Organisational data users who handle Data Access Requests (DAR) properly will demonstrate their respect for customers’ personal data privacy and gain trust from their customers. This guidance note provides clear guidelines and work procedures to data users on the proper handling of DARs and the charge of DAR fees.





Download here

Four steps for drafting an ethical data practices blueprint

To avoid the risk of damaging a brand’s reputation due to lack of sustainable data ethics framework, data or analytics officers in organisations should be responsible for spearheading ethical data practices. This article shows us four key practices when creating ethical data and business practice framework within organisations.

Read more

What happens when someone steals your identity?

How is your identity stolen and what will happen next? This article lists out three common circumstances of how your personal data was leaked and elaborates on the journey of where your stolen data goes to. To avoid your personal data being sold on Dark Web, we should keep vigilant about personal data to make identity theft difficult.

Read more

These major VPN providers leaked data of millions of users

Researchers discovered that some of the most popular VPN providers are actually collecting users’ data. To choose a trustworthy VPN provider, we should seek out providers whose services could undergo “no-log” audits to ensure privacy standards are upheld.

Read more

Data Protection Principle 6 – Access to personal data

Data access request – Requested data included data stored in paper file and computer system

The complainant was an applicant of an assistance scheme provided by an institution. He lodged a data access request with the institution for his personal data contained in the handling records of his application.

Given that the institution had only provided the complainant with a copy of documents which were submitted by him at the time of application, he lodged a complaint with the PCPD against the institution for non-compliance with his data access request.


The PCPD carried out an investigation to ascertain if the institution held any other records which should have been provided to the complainant. According to the institution, upon receipt of an application for the assistance scheme, it would put the hard copy of the application form and the supporting documents into a paper file. All processing records (e.g. notes of communications between the applicants and the institution, details of assessment made to the applications) would be inputted into the institution’s computer system.

Since the institution had only made reference to the complainant’s paper file upon receipt of his data access request, it overlooked the requested data stored in its computer system and thus did not provide the same to the complainant.

Upon the PCPD’s intervention, the institution furnished the complainant with a printout of the requested data stored in its computer system and also a written apology for the oversight.

Data users should bear in mind that the definition of “personal data” means any data “in a form in which access to or processing of the data is practicable” under the Personal Data (Privacy) Ordinance. This includes both data stored in physical and electronic means.

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.