Skip to content

PCPD e-Newsletter

PCPD Facebook Instagram LinkedIn Twitter Weibo YouTube

The Acting Privacy Commissioner Mr Tony Lam (pictured) was interviewed by the International Association of Privacy Professionals (IAPP) in relation to a joint IAPP-EY research project on COVID-19. He shared his thoughts on the implications of COVID-19 on privacy practices, priorities, challenges and customers’ trust. He said, "It is crucial to distinguish what needs to be known from what you want to know in times of COVID-19."

Read more

[Final call!] Online Professional Workshop - Data Protection in Insurance

Date: 26 August (Wednesday)
Time: 2:15pm - 5:15pm
Fee:   $750/ $600*

Insurance practitioners handle plenty of personal data of their clients. It would be therefore an essential part of their skillset to handle clients' data responsibly and to be legally compliant. This Workshop helps insurance practitioners get an in-depth understanding of the core concepts of data protection as illustrated with  practical examples, related cases and scenarios as well as recent topical issues on data privacy.

Key take-aways:

 - An overview of the data protection provisions
 - Recent topical issues on data privacy
 - Liabilities of insurance companies and insurance practitioners
 - Useful pointers on Personal Information Collection Statement
 - Collection of customers’ medical data
 - Collection of Hong Kong identity card numbers and copies
 - Engagement of private investigators in insurance claims
 - Retention of customers’ personal data
 - Use of customers’ data for internal training
 - Security of customers’ personal data handled by staff and agents
 - Handling of data access requests from customers
 - Data Ethics

*Members of PCPD's Data Protection Officers' Club and the supporting organisations can enjoy a discounted fee.

Enrol Now

Enrol in our new season of professional workshops!

Professional workshops organised by the PCPD are well sought after by those who are charged with the responsibility of advising and acting on compliance with the Personal Data (Privacy) Ordinance. The solid knowledge imparted and the interactive components of the workshops are most frequently acclaimed by those who attended the workshops.
Due to the ongoing pandemic situation, workshops to be held in September and October will be conducted online for the sake of public health safety.

If you enrol for any of the professional workshops in the new season, a free copy of the "SME Personal Data Protection Toolkit" will be posted to you. This publication is a structured tool for assisting organisations, particularly SMEs, in carrying out compliance and governance work.










Enrol now

Sign up now to receive updated data protection information, keep abreast of the latest trends of the international privacy landscape, interact and learn with your counterparts, and stay ahead of the game!

DPOC provides a platform for data protection personnel or interested individuals to obtain updated information on data protection and participate in training and sharing sessions organised by the PCPD.

Click to apply now

Privacy Impact Assessment is a tool for identifying and assessing privacy risks throughout the development life cycle of a programme or system. It states what personal data is collected and explains how that information is maintained, how it will be protected and how it will be shared.

Response to media enquiry on the use of customers' personal data  (13 August)

Read media response
(Chinese version only)

Response to media enquiry on privacy issues relating to coronavirus testing (11 August)

Read media response
(Chinese version only)

Disclosure of personal data of Hong Kong SAR officials and others by the US Government
(8 August)

Read media statement

Response to media enquiry on the disclosure of personal data of staff of a media organisation through a website (4 August)

Read media response
(Chinese version only)

Response to media enquiry on search of public registers (4 August)

Read media response
(Chinese version only)

Response to media enquiry on a poster displaying photo of students from a school (4 August) 

Read media response
(Chinese version only)

Hong Kong Lawyer - August issue "Right to Privacy and Right to Vote" 
Personal data can be accessed and obtained from the public domain through different channels such as a public register. It is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without regulation. In this article, the PCPD reminds members of the public to pay attention to the original purpose for which the personal data was placed in the public domain.

Read the article

Singapore is putting trackers on some incoming travelers to make sure they’re following quarantine measures. Will the US and Australia do the same?

Some travelers entering Singapore will now leave with their luggage, a new passport stamp—and a wearable location tracking device. In Asia, similar tracking methods have been trialed in both Hong Kong and in South Korea. It may be due to “collectivist spirit" that may encourage the civic-minded embrace of and more willing compliance with governments’ infection control.
Will this also happen in Unite States and Australia?

Read more



AI bias detection (aka: the fate of our data-driven world)

Human choices undergird every aspect of AI, from the curation of data sets to the weighting of variables, and usually there is little or no transparency for the end user, meaning resulting biases are next to impossible to account for. It is therefore important for the future of our increasingly data-driven society to take the issue of bias in AI seriously.

Read more

Productivity and Privacy: The case against remote employee tracking tools

With many employees now working from home, many companies in the US are deploying tools to track their remote employees’ online habits in the name of maintaining productivity. However, indiscriminate deployment of tracking tools would create a surveillance work culture that is likely to cause significant harm, while at the same time failing to deliver the results that business leaders expect.

Read more

U.K. facial-recognition pilots broke privacy, data protection, and equality laws, court rules

While authorities in United Kingdom are increasingly putting facial-recognition smarts behind those cameras, one of the UK’s pioneering deployments of automated facial recognition has been ruled unlawful by an appeals court on three separate grounds: privacy, data protection, and equality.

Read more

Think your mask makes you invisible to facial recognition? Not so fast, AI companies say

The future of facial recognition technology may depend on one very specific part of the face: the area around the eyes, the visible portion of the face when people wearing masks, because of the pandemic of COVID-19 around the world.

Read more

Data Protection Principle 4 – Data security 

Advisable to delete data after trying out smart devices

The complainant tried out a smart phone at a telecommunications store. During the tryout, she logged into her Cloud storage account on a trial phone for a short period of time. A few months later, the complainant received a call from an unknown person, telling her that he was able to access her personal data in her Cloud storage account via such account of his. The complainant was worried about the security vulnerabilities of the relevant Cloud storage service, and hence made a complaint to the PCPD.


Our investigation revealed that although the complainant had logged out of her Cloud storage account after trying out the smart phone, she did not delete the data synchronised to the trial phone (i.e. the data which had been automatically downloaded from the complainant’s Cloud storage to the trial phone after she had logged into her Cloud storage account) before logging out.

At a later time, an unknown person visited the same store and tried out the same trial phone. During the tryout, he had also used the trial phone to log into his Cloud storage account. As a result, the complainant’s data which had been synchronised to the trial phone earlier, was then synchronised to the person’s Cloud storage account.

The PCPD considered that this incident was not caused by any security vulnerabilities in the Cloud storage service, but the complainant’s lack of awareness of the data synchronisation between her Cloud storage account and the trial phone.

The PCPD had therefore sent a letter to the telecommunications company, suggesting it to remind its customers (by posting notices or otherwise) not to use their online service accounts when trying out devices, and to ensure that data downloaded to the relevant device was deleted before leaving company.

Lesson learnt

When trying out or borrowing devices like smart phones, tablets and computers, users should be mindful of the privacy risks associated with using the devices in logging into their own online services accounts, in particular accounts concerning online banking, email, Cloud storage, online shopping, social networking sites and photo albums, etc. Customers are also reminded to delete all data downloaded to the trial devices during tryout to prevent leaving any digital footprints.

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.