Skip to content

PCPD e-Newsletter

PCPD Facebook Instagram LinkedIn Twitter Weibo YouTube

The PCPD has been advocating that organisations should embrace protection of personal data privacy as part of their corporate governance. The Privacy-Friendly Awards organised by the PCPD will be the first of its kind to showcase personal data privacy achievements of organisational data users in Hong Kong. The PCPD encourages organisations in both the public and private sectors in Hong Kong to participate in the Awards and become part of the privacy-friendly community in promoting personal data privacy.

Stay tuned to find out more from us.

Protect Personal Data Privacy of Teachers, Staff and Students

With the resumption of classes in phases from 23 September, the PCPD has issued the “Guidance for Schools on the Collection and Use of Personal Data of Teachers, Staff and Students during COVID-19 Pandemic”. The Guidance reminds schools to strike a reasonable balance between safeguarding public health and protecting personal data privacy, while also underscoring the importance of the security of data, given that health data is relatively sensitive data.

Read the Guidance Note

PCPD revised the "Guidance on Collection and Use of Biometric Data"

The application of biometric data is increasingly prevalent. Examples include unlocking smart phones with fingerprints, identity authentication by voiceprints for telephone banking and access control at airports by facial recognition, etc. Biometric data is relatively sensitive personal data. Unlike passwords, one cannot ‘reset’ his/her biometric data if it is leaked. Extra caution is therefore warranted for its collection, use and security. The PCPD has recently revised the “Guidance on Collection and Use of Biometric Data”. We have elaborated on the good practices in collecting and using biometric data, thereby reinforcing the protection of sensitive personal data. Some noteworthy principles and measures for data collectors and users include:

  1. Assessing the necessity and proportionality in collecting and using biometric data
  2. Conducting Privacy Impact Assessment to avoid or minimise adverse impact on the individuals concerned
  3. Being transparent, providing clear explanations and informed choices to individuals concerned
  4. Ensuring data minimisation, data accuracy and data security

Individuals should also be vigilant when providing biometric data, and should not get carried away in the pursuit of novelty and convenience.

Read the Guidance Note

3 CPD points-accredited online workshop – Data Protection in Human Resource Management

Date: 6 October (Tuesday)
Time: 2:15pm - 5:15pm
Fee:   $750/ $600*

One of the essential skills of a good human resource manager is ethical, smart and lawful management of personal data in order to build employer’s brand and trust, create and maintain a suitable and effective workforce for his or her organisation. Job applicants, employees and job leavers from time to time request access to their personal data kept by companies. During the COVID-19 pandemic, employers are faced with the challenges of whether, and if so, how they may collect health-related data of their employees complying with personal data privacy law. On the other hand, they are expected to continue to protect and respect their employees’ personal data privacy. Join this online workshop to learn how to deal with these issues.

Key take-aways:

  • A thorough understanding of the requirements of the Personal Data (Privacy) Ordinance (PDPO) when handling personal data in the entire employment process from cradle to grave
  • How to properly handle Data Access Requests
  • How to tackle employees’ personal data privacy issues arising from COVID-19

*Members of PCPD's Data Protection Officers' Club and the supporting organisations can enjoy the discounted fee.

Enrol Now

Other Professional Workshops on Data Protection in 2020

Enrol now

[Free] Online Seminar: Introduction to the Personal Data (Privacy) Ordinance

Want to get to know the basics of PDPO? The PCPD organises introductory seminars on the PDPO for members of the public for free. The details are as follows:

Time: 3:00pm - 4:30pm

Key Takeaways:

  • A general introduction to the PDPO
  • The six data protection principles
  • Offences & compensation
  • Direct marketing
  • Q & A session
Enrol Now

Hong Kong Lawyer – September Issue “The Implications of Schrems II Judgment on Cross-border/boundary Data Transfer”

On 16 July 2020, the Court of Justice of the European Union (CJEU) struck down the framework of the EU-US Privacy Shield. In this article, the PCPD highlights the major consideration of the CJEU regarding the invalidation of the Privacy Shield and the validity of the Standard Contractual Clauses. The impact of the judgment on data controllers dealing with transatlantic transfer of personal data is also discussed.

Read the article

["Police Magazine" x PCPD]
Get to know about doxxing (In Cantonese only)

Doxxing acts have become prevalent since June last year. Personal data has been “weaponised” to cause psychological harm to the victims. 

Doxxing acts may constitute offences for “disclosing personal data obtained without consent from data users” under the PDPO. Testing the limits of the law is inadvisable.

Earlier on, PCPD was interviewed by the Radio Television Hong Kong (RTHK) TV programme “Police Magazine”, explaining what doxxing was and how PCPD followed up doxxing cases. Some practical tips were also shared on how to protect individuals’ personal data privacy when using online social platforms. 

Watch the relevant part of the RTHK TV programme

The PCPD has updated the ‘Case Notes’ page at the PCPD website to include recent cases about the Privacy Commissioner's views on the application of the PDPO in different situations.

The page is an easy-to-navigate library of summaries of complaint and enquiry cases handled by the PCPD. You can search for cases by provisions of the PDPO, Data Protection Principles, topics, etc.

Learn more

Case Note

Data Protection Principle 1 - Purpose and manner of collection of personal data

A bank recorded phone conversations without sufficiently informing customers

The complainant was a customer of a bank. After the complainant called the bank's customer service hotline, his feedback was referred to a back-office department of the bank for follow-up. When the department called the complainant, it recorded the telephone conversation without informing him. He thus lodged a complaint against the bank.

The bank explained that it had informed the complainant of its recording arrangements via the recorded message played to him during his call to the customer service hotline. The same was also stated in the terms of service provided to him upon bank account opening. Around the time of the incident, the back-office department did not ask its staff to inform customers of the recording arrangements.


The bank failed to adopt measures to sufficiently and effectively notify its customers of its recording arrangements. Upon the PCPD’s intervention, the back-office department amended its policy so that during their first contact with customers, they would explain to customers that relevant conversations would be recorded.

Lesson learnt

The PCPD understands that organisations may record phone conversations between staff and customers out of operational needs. As the conversations may contain personal data, for protection of personal data privacy, customers should be informed of the recording arrangements as far as practicable. Merely stating the practice in the documents relating to opening of bank accounts is not sufficient. Organisations are recommended to step up its efforts to enhance the transparency of their audio recording arrangements. It would not only avoid misunderstanding and complaints, but also help manifest a high regard for privacy.

Coronavirus: European Commission starts testing interoperability gateway service for national contact tracing and warning apps

European Commission is setting up an interoperability gateway service linking national apps across the EU to facilitate travel and personal exchanges in the time of pandemic.

Read more

Incorporating Privacy-by-Design & Security-by-Design into medtech development

Adopting Privacy-by-Design and Security-by-Design can provide safeguards for privacy while enabling a high degree of utility and usability, which in turn can increase consumer/user confidence and trust.

Read more

Luxury Institute: data privacy is a brand reputation issue, not a compliance issue

Given escalating concerns for personal data privacy across all demographics, Luxury Institute believes data privacy would be one of the pillars of brand reputation and optimal consumer experience.

Read more

Digital surveillance by intelligence services: states must take action to better protect individuals

Countries have been urged to strengthen the protection of personal data in the context of digital surveillance carried out by intelligence services, by joining the Council of Europe convention on data protection “Convention 108+” and by promoting a new international legal standard to provide democratic and effective safeguards in this field.

Read more

Watch this space: PCPD's e-Newsletter will become a monthly publication

From next issue onwards, the PCPD e-Newsletter will be issued monthly to provide more informative and diverse contents about personal data privacy. Everything you need to know about the latest developments and news on personal data protection, as well as more in-depth analyse and observations on various data protection issues - the PCPD e-Newsletter remains what you should go for.

Stay tuned for our coming issues!

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.