3 CPD points-accredited online workshop – Data Protection in Human Resource Management

Date: 6 October (Tuesday)
Time: 2:15pm - 5:15pm
Fee:   $750/ $600*

One of the essential skills of a good human resource manager is ethical, smart and lawful management of personal data in order to build employer’s brand and trust, create and maintain a suitable and effective workforce for his or her organisation. Job applicants, employees and job leavers from time to time request access to their personal data kept by companies. During the COVID-19 pandemic, employers are faced with the challenges of whether, and if so, how they may collect health-related data of their employees complying with personal data privacy law. On the other hand, they are expected to continue to protect and respect their employees’ personal data privacy. Join this online workshop to learn how to deal with these issues.

Key take-aways:

• A thorough understanding of the requirements of the Personal Data (Privacy) Ordinance (PDPO) when handling personal data in the entire employment process from cradle to grave
• How to properly handle Data Access Requests
• How to tackle employees’ personal data privacy issues arising from COVID-19

*Members of PCPD's Data Protection Officers' Club and the supporting organisations can enjoy the discounted fee.

Want to get to know the basics of PDPO? The PCPD organises introductory seminars on the PDPO for members of the public for free. The details are as follows:

Time: 3:00pm - 4:30pm

Key Takeaways:

• A general introduction to the PDPO
• The six data protection principles
• Offences & compensation
• Direct marketing
• Q & A session

Hong Kong Lawyer – September Issue “The Implications of Schrems II Judgment on Cross-border/boundary Data Transfer”

On 16 July 2020, the Court of Justice of the European Union (CJEU) struck down the framework of the EU-US Privacy Shield. In this article, the PCPD highlights the major consideration of the CJEU regarding the invalidation of the Privacy Shield and the validity of the Standard Contractual Clauses. The impact of the judgment on data controllers dealing with transatlantic transfer of personal data is also discussed.

["Police Magazine" x PCPD]
Get to know about doxxing (In Cantonese only)

Doxxing acts have become prevalent since June last year. Personal data has been “weaponised” to cause psychological harm to the victims.　

Doxxing acts may constitute offences for “disclosing personal data obtained without consent from data users” under the PDPO. Testing the limits of the law is inadvisable.

Earlier on, PCPD was interviewed by the Radio Television Hong Kong (RTHK) TV programme “Police Magazine”, explaining what doxxing was and how PCPD followed up doxxing cases. Some practical tips were also shared on how to protect individuals’ personal data privacy when using online social platforms. 

The PCPD has updated the ‘Case Notes’ page at the PCPD website to include recent cases about the Privacy Commissioner's views on the application of the PDPO in different situations.

The page is an easy-to-navigate library of summaries of complaint and enquiry cases handled by the PCPD. You can search for cases by provisions of the PDPO, Data Protection Principles, topics, etc.

Data Protection Principle 1 - Purpose and manner of collection of personal data

A bank recorded phone conversations without sufficiently informing customers

The complainant was a customer of a bank. After the complainant called the bank's customer service hotline, his feedback was referred to a back-office department of the bank for follow-up. When the department called the complainant, it recorded the telephone conversation without informing him. He thus lodged a complaint against the bank.

The bank explained that it had informed the complainant of its recording arrangements via the recorded message played to him during his call to the customer service hotline. The same was also stated in the terms of service provided to him upon bank account opening. Around the time of the incident, the back-office department did not ask its staff to inform customers of the recording arrangements.

Outcome

The bank failed to adopt measures to sufficiently and effectively notify its customers of its recording arrangements. Upon the PCPD’s intervention, the back-office department amended its policy so that during their first contact with customers, they would explain to customers that relevant conversations would be recorded.

Lesson learnt

The PCPD understands that organisations may record phone conversations between staff and customers out of operational needs. As the conversations may contain personal data, for protection of personal data privacy, customers should be informed of the recording arrangements as far as practicable. Merely stating the practice in the documents relating to opening of bank accounts is not sufficient. Organisations are recommended to step up its efforts to enhance the transparency of their audio recording arrangements. It would not only avoid misunderstanding and complaints, but also help manifest a high regard for privacy.

Coronavirus: European Commission starts testing interoperability gateway service for national contact tracing and warning apps

European Commission is setting up an interoperability gateway service linking national apps across the EU to facilitate travel and personal exchanges in the time of pandemic.

Incorporating Privacy-by-Design & Security-by-Design into medtech development

Adopting Privacy-by-Design and Security-by-Design can provide safeguards for privacy while enabling a high degree of utility and usability, which in turn can increase consumer/user confidence and trust.

Luxury Institute: data privacy is a brand reputation issue, not a compliance issue

Given escalating concerns for personal data privacy across all demographics, Luxury Institute believes data privacy would be one of the pillars of brand reputation and optimal consumer experience.

Digital surveillance by intelligence services: states must take action to better protect individuals

Countries have been urged to strengthen the protection of personal data in the context of digital surveillance carried out by intelligence services, by joining the Council of Europe convention on data protection “Convention 108+” and by promoting a new international legal standard to provide democratic and effective safeguards in this field.

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.