Skip to content

PCPD e-Newsletter

PCPD Facebook Instagram LinkedIn Twitter Weibo YouTube

Join the Inaugural Privacy-Friendly Awards    
Become a Member of the Privacy-friendly Community

The PCPD has been encouraging data users to embrace the protection of personal data privacy as part of the policies and culture of the organisations. Many organisations treat personal data protection as an important part of their operations and a lot of efforts are being made to this end.

Showcase your achievements in protection of privacy 

If you would like to showcase the achievements of your organisations in protecting personal data privacy, here comes the opportunity. Please join the inaugural Privacy-Friendly Awards (Awards) organised by the PCPD.

In an ever-changing business environment, protecting and respecting personal data privacy is of crucial importance. Through the Awards, the PCPD would like to recognise the efforts made by organisations in protecting personal data privacy, and enable enterprises, government departments as well as public and private organisations to showcase their achievements in protecting privacy.

Check if your organisation has "Privacy Protection Measures"

Five “Privacy Protection Measures” are set as goals for the Awards. Organisations should indicate whether the following “Privacy Protection Measure(s)” has/have been put in place or has/have been completed by the application deadline for the Awards (6 November 2020), and provide brief supporting information for illustration:

1. Have at least one Data Protection Officer (either on a full-time or part-time basis) or have established a 
    dedicated department for data protection.
2. Have discussed matters relating to personal data privacy at the board of directors or at the highest
    decision-making level in the organisation during the aforementioned period in 2020 (on or before 6
    November 2020).

3. Have stated in public the maximum retention period of any kind of personal data held by it.
4. Have put in place a data security breach notification mechanism and a written policy.
5. Have provided training or education for staff on personal data privacy protection.

Get your "Privacy-Friendly" Certificates

Depending on the number of “Privacy Protection Measures” already put in place or completed by an organisation, a Gold, Silver or Bronze “Privacy-Friendly” Certificate will be awarded to the organisation.

Gold “Privacy-Friendly” Certificate

Silver “Privacy-Friendly” Certificate

Bronze “Privacy-Friendly” Certificate


In addition to the “Privacy-Friendly” Certificates, the awardees will be presented with free annual membership of the PCPD Data Protection Officers’ Club and specified numbers of enrolment of Professional Workshops organised by the PCPD. Outstanding performers will also be invited to participate in publicity programmes to showcase their achievements in privacy protection.

The Awards are now open for application until 6 November 2020. Since the Awards were launched earlier this month, applications have continued to come in. Application procedures are simple and no fees will be charged. Don’t miss the chance!

View the Awards website and submit your application

Doxxing Case Defendant Sentenced for Breaching Injunction Order
Privacy Commissioner Urges the Public Not to Flout the Law

The High Court granted an interim injunction order (HCA 1957/2019) in October 2019 to restrain persons from disclosing personal data of police officers and their family members without their consent, with intention to intimidate or harass, or likely to intimidate or harass, police officers and their family members. The order also restrains persons from intimidating or harassing police officers and their family members. It further restrains persons from assisting, inciting or abetting others to commit any of the aforesaid acts.

In addition, the High Court issued another interim injunction order (HCA 2007/2019) restraining persons from wilfully disseminating or publishing on internet-based platform or medium any material or information for the purpose of promoting, encouraging or inciting the use or threat of violence, with intention to cause, or likely to cause, bodily injury to any person or damage to any property within Hong Kong. The order also restrains persons from wilfully assisting, inciting or abetting others to commit any of the aforesaid acts.

In a case which involved the posting of the personal data of a police officer on a social media platform in violation of an interim injunction order granted by the High Court, the defendant was convicted of civil contempt of court on 19 October 2020 and sentenced to 28 days’ imprisonment, suspended for one year.

Privacy Commissioner Ms Ada Chung Lai-ling respected and welcomed the judgment. She stressed, “The cyber world is not beyond the law. The two interim injunction orders relating to doxxing granted by the High Court last year are still in force at present. Contempt of court is a serious matter. Anyone who breaches the relevant injunctions, once convicted, may be subject to an immediate custodial sentence. Members of the public are urged not to flout the law.”

Since the above-mentioned injunction orders were granted, the PCPD has referred 45 doxxing cases of suspected violations of the injunction orders to the Department of Justice for follow-up.

Read the summary of the judgment

A staff member of a driving school prematurely collected enquirer’s Hong Kong Identity Card number


An individual made enquiries on course details and fees at a driving school. He was required by a staff member of the school to provide his Hong Kong Identity (HKID) Card number before he could obtain the price of a driving course. He did not enrol on any courses with the school eventually and considered that the school should not retain his HKID Card number. He hence made a complaint to the PCPD.


Data Protection Principle 1(1) of Schedule 1 to the PDPO provides that personal data shall be collected for a lawful purpose directly related to a function or activity of the data user; the collection of the data is necessary for or directly related to that purpose and the data is adequate but not excessive in relation to that purpose. Furthermore, HKID Card number is sensitive personal data. A data user may only collect HKID Card number or a copy of the HKID Card of an individual under the circumstances specified in the Code of Practice on the Identity Card Number and Other Personal Identifiers (PI Code) issued by the Privacy Commissioner.

The driving school explained to the PCPD that the collection of HKID Card number of the complainant was for arranging driving tests to be conducted by the Transport Department. However, the PCPD considered that the driving school should not collect the complainant’s HKID Card number before the complainant made any enrolment. After intervention by the PCPD, the driving school apologised to the complainant and destroyed the complainant's HKID Card number from the school's records.

Lesson learnt

Notwithstanding that a data user is allowed to collect the HKID Card number of an individual under the PI Code, a data user should duly consider the timing of collection. Premature collection of HKID Card numbers may constitute excessive collection. If a data user has not yet established a firm relationship with the data subject so as to justify collection of the HKID Card numbers, the data user should not collect such data at that point.

Personal Information Collection Statement (PICS)

You may have to provide your personal data to different organisations in everyday life, in situations ranging from purchasing online, paying bills online, registering for free gifts to taking part in online lucky draws.

Under the PDPO, an individual has the right to be informed of the collection and use of their personal data. On or before the collection of your personal data, an organisation should provide you with a Personal Information Collection Statement (PICS). It is important to understand how PICS can protect your personal data privacy.

What is a PICS?

A PICS is a statement given by a data user for the purpose of complying with the notification requirements under Data Protection Principle 1(3) of the PDPO. A PICs should be easy to find, easy to read and easy to understand, covering the “statement of purpose”, “statement as to whether it is obligatory or voluntary for the individual to supply his personal data”, “statement of possible transferees”, “statement of rights of access and correction of personal data and contact detail” and “notice of contact person for requesting access or correction”. 

What other areas should you be aware of as a data subject when providing personal data to others?

Before providing your personal data to others, you should read the PICS thoroughly and consider if the requisite personal data are necessary. You should provide necessary but not excessive personal data to organisations for the prescribed purpose.

When providing personal data to organisations for commercial promotion to obtain free services or gifts, you should consider whether there are any privacy risks involved and whether the provision of personal data is proportionate to the value of the free service or gifts.

How do you protect your personal data privacy when participating in lucky draw activities online?

Online lucky draws may be tempting. However, you should stay vigilant when the provision of personal data is required, and should also pay attention to the information released by the organisers in order to ascertain the correct websites or methods for registration; the requisite personal data to be provided; the purposes of collection and the retention period, etc. 

To avoid falling prey to fraudulent promotional activities, you should also be aware of phishing websites when providing information online.

Tackling Privacy Issues with Care Amidst COVID-19 Pandemic

Governments around the world have taken different measures to respond to  pandemic continuously. The adoption of public health surveillance technologies is critical to containing the spread of COVID-19, but we should always be vigilant to the personal data privacy concerns that are raised in the process. The widely-used contact tracing or exposure notification apps which generally use Bluetooth signals of mobile devices to keep records  of individuals who come into close proximity of each other, allow public health authorities to notify people who are in close contact with the infected. Some countries have further incorporated real-time GPS tracking data into the apps, thereby increasing data accuracy and tracing effectiveness. However, this way of continuously tracing geolocation data is highly privacy-intrusive.

To protect data privacy, the European Data Protection Board suggested collecting anonymised proximity data by the apps through a decentralised approach in order to minimise the collection of personal data. It also stressed the importance of data protection by design and by default when developing the contact tracing measures. Governments should also consider the privacy implications before implementing digital technologies to fight COVID-19.

While privacy right is a fundamental human right, it is not an absolute right and is subject to other competing rights and interests, such as the right to life and the interests of public health. To reduce the hindrance to pandemic fighting measures, some jurisdictions adopt a relaxation or amendment of certain laws and enforcement policies to cater for unconventional uses of personal data. On the other hand, in view of the increased collection and use of personal data and its impact on our daily lives, some authorities tighten up privacy protection specific to the use of personal data during COVID-19.

Back in Hong Kong, the Hong Kong SAR Government has deployed various data-led measures to contain the spread of the virus, while at the same time good efforts have been made to minimise personal data privacy intrusion. When introducing new initiatives to further strengthen the fight against the pandemic, it is important for the Government to consider and incorporate the protection of personal data in the design of the initiatives. Well devised step-by-step procedures and proper oversight of the implementation details must be embodied as integral parts of the initiatives to ensure adherence to the data protection measures.

Read the article contributed by Privacy Commissioner Ms Ada Chung Lai-ling to "Hong Kong Lawyer" (issue of October 2020) to learn more about tackling privacy issues amidst COVID-19.

Read the

Online Professional Workshop on Data Ethics (1.5 CPD points)

Big data analytics, artificial intelligence and machine learning are increasingly applied to various business operations to improve operational efficiency. At the same time, different privacy issues also arise from these applications.

Data ethics is the world trend of responsible management of personal data. Organisations that amass and derive benefits from personal data should ditch their mindset of conducting their operations to meet the minimum regulatory requirements only. They should also be held to a higher ethical standard that meets the stakeholders’ expectations by doing what they should do.

This workshop aims to help organisations understand the data ethics stewardship management values and models, and how to implement data ethics in their daily operations. Ethical use of personal data can improve business reputation and enhance stakeholders’ confidence, thus enabling organisations to fully reap the benefits of the data-driven economy.

Date: 5 November (Thursday)
Time: 2:15pm - 3:45pm
Fee: $375/ $300*

Key takeaways:

  • Why data ethics is important in the digital era
  • Global development on data ethics
  • The PCPD’s Ethical Accountability Framework
    • - data stewardship values
    • - guiding principles and organisatioal policies and procedures
    • - when and how to conduct Ethical Data Impact Assessment
    • - how to assess the effectiveness of an oganisation’s data stewardship

*Members of the PCPD's Data Protection Officers' Club and the supporting organisations can enjoy the discounted fee.

Enrol Now

Other Professional Workshops on Data Protection in November and December 2020

If you enroll for any of the above professional workshops, you will receive a FREE copy of "SME Personal Data Protection Toolkit" with a set of learning cards, and "A Brief Summary on the Regulations in the Mainland of China Concerning Personal Information and Cybersecurity Involved in Civil and Commercial Affairs" (in Chinese only).


Enrol now

[Free]  Online Seminar: Introduction to the Personal Data (Privacy) Ordinance

Your personal data is one of your most valuable assets. Act now to deepen your understanding of the PDPO and learn to protect your personal data privacy by attending this free and interactive seminar on the PDPO. The details of the seminars are as follows:

Time: 3:00pm - 4:30pm

Key Takeaways:

  • A general introduction to the PDPO
  • The six Data Protection Principles
  • Offences & compensation
  • Direct marketing
  • Q & A session
Enrol Now

Privacy Commissioner Ms Ada Chung Lai-ling attended the virtual conference of the 42nd Global Privacy Assembly (GPA) on 13-15 October 2020

While COVID-19 has set a new normal for almost all facets of life, Privacy Commissioner Ms Ada Chung appealed for adherence to the principles of data minimisation, limitation of use and retention of data when combating the pandemic. Ms Chung also presented to GPA members the Compendium of Best Practices in Response to COVID-19, the compilation of which was led by the PCPD.

A Resolution on Accountability in the Development and Use of Artificial Intelligence (AI) was also adopted by all GPA members at the conference, calling for the implementation of accountability measures which are appropriate regarding the risks of interference with human rights in the development or use of AI systems.

Read media statement

The Privacy Commissioner of Canada Finds Pandemic Raises New Privacy Concerns Around Telemedicine, Edtech

A new report from Canada’s Privacy Commissioner specifically warned that technologies and increased activities in the telemedicine and e-learning sectors are creating new privacy risks to sensitive data. The report considered that current federal laws do not provide Canadians with effective protection against such risks.

Read more

Privacy and Security Concerns Increase with Remote Work

Two global research studies showed that the shift to mass remote working has caused people to become increasingly concerned around data sharing and security. The reports recommended options for committing to security tools and technologies that would enable users to access data and applications from any device.

Read More

Online Privacy Loss: Another Covid-19 Aftershock

Many people have no idea they would reveal information about themselves when they go online to search for information related to COVID-19, not just to the government agencies, hospital systems or media outlets whose websites they visit, but to third-party companies that surreptitiously track their activity and invade their online privacy.

Read More

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.