MESSAGE FROM THE PRIVACY COMMISSIONER

2020 had been an exceptionally challenging year for all. The COVID-19 pandemic has brought unprecedented challenges to all sectors of the community and the Office of the Privacy Commissioner for Personal Data (PCPD) is of no exception. Other than discharging our normal functions under the Personal Data (Privacy) Ordinance (the Ordinance) in the past year, we strove hard to provide our views and observations to the Government and other stakeholders on a myriad of data privacy issues arising from the use of new technology to combat the pandemic. During the year, we published a series of practical advisories and guidance notes to provide guidance on the handling of COVID-19-related privacy issues to employers and employees, schools, students, as well as users of video conferencing software.

Looking ahead, the year 2021 marks the 25th Anniversary of the PCPD. Established in 1996, the PCPD has been an enforcer, promoter and educator entrusted to protect personal data privacy under the Ordinance — the first comprehensive data protection law enacted in Asia in 1995. Our 25th Anniversary slogan “Guardian • Privacy • 25 Years” (守護 • 私隱 • 廿五載) sums up our role as the guardian of personal data privacy over the years.

As 2021 begins, the PCPD will be organising a series of events to celebrate our 25th Anniversary. The first one was the publication on 28 January of the results of a public opinion survey to gauge, among other things, the public’s awareness and attitude towards the protection of personal data privacy. The inaugural Privacy-Friendly Awards, a flagship event of the Anniversary programme, is designed to publicly recognise organisations with outstanding achievements in the protection of personal data privacy. The Award winners would be announced at a semi-virtual award presentation ceremony to be held in March this year, and this will be followed by thematic live online public seminars, the launch of a series of one-minute videos, and other publicity campaigns. Please stay tuned for our latest updates.

May I take this opportunity to wish you a very healthy and joyous year ahead!

Ms Ada CHUNG Lai-ling

Privacy Commissioner for Personal Data, Hong Kong

PRIVACY 101

What is a Personal Information Collection Statement (“PICS”) and how do you draft one?

According to Data Protection Principle (“DPP”) 1(3) of the Personal Data (Privacy) Ordinance (the “Ordinance”), a data user (typically an organisation) must take all practicable steps to notify the data subjects (e.g. customers and employees) of the purpose of data collection, and the classes of persons to whom the data may be transferred. A PICS is a statement given by a data user for the purpose of complying with the notification requirements under DPP 1(3) of the Ordinance.

A PICS should be given to a data subject whenever a data user collects personal data from him/her. Key elements of a PICS include:

• Statement of purpose
• Whether the provision of certain data is obligatory or voluntary
• Statement of possible transferees
• Statement of rights of access and correction and contact details
• Notice of contact person for requesting access or correction
• Obtaining consent on direct marketing (if applicable)

DOs and DON’Ts when preparing a PICS

For more practical tips and examples on how to draft a PICS and PPS for your organisation, please refer to this Guidance Note issued by the PCPD.

TECH TALK

Instant Messaging App Changes Its Terms of Service and Privacy Policy

An instant messaging app widely used in Hong Kong had recently announced changes to its Terms of Service and Privacy Policy. To continue using the messaging app, user would need to agree to share their information with the parent company of the messaging app and its subsidiaries before a specified date.

The change has caused widespread concern among users across the globe. The PCPD issued a media statement on 11 January 2021, appealing to users to carefully consider the new Terms and Privacy Policy and to the messaging app to extend the period for consideration to allow ample time for users to understand and consider the new Terms and Privacy Policy.  

The messaging app has since then extended the deadline for agreeing to the new Terms and Privacy Policy. The Privacy Commissioner welcomed the new arrangement and called on the messaging app to provide further information and sufficient explanation to alleviate the public’s concern.

PRIVACY COMMISSIONER'S FINDINGS

A Bank Improved its Personal Data Update Webpage by Adopting Setting to Obtain Customers’ Valid Consent Before Using Their Personal Data for Direct Marketing

The complaint

The complainant was a customer of a bank. He updated his contact information through its online banking service. When he input his new contact information on the personal data update webpage, he was asked whether he “do not accept the use of customer’s personal data for direct marketing by the bank”. As the complainant had previously made a written opt-out request to the bank, he believed that he did not need to tick the box to confirm that he did not consent to the use of his personal data for direct marketing by the bank. On the basis that the complainant had not ticked the above-mentioned box, the bank considered that he had cancelled his previous opt-out request and regarded the complainant as a customer who consented to the use of his personal data for direct marketing. The bank later gave the complainant a direct marketing call. The complainant then complained to the PCPD that the bank did not comply with his opt-out request.

Outcome

The PCPD reiterated to the bank that the complainant did not consent to the use of his personal data for direct marketing by the bank, and the bank confirmed that no direct marketing message would be sent to the complainant anymore. Moreover, the PCPD urged the bank to review its personal data update webpage to ensure that customers were given a clear and genuine choice to decide whether to accept the use of their personal data for direct marketing.

The bank agreed that the flow of handling customers’ opt-out requests should be fair and transparent to the customers. Hence, the bank had improved the personal data update webpage by changing the wording of the box from “do not accept the use of customer’s personal data for direct marketing by the bank” to “accept the use of customer’s personal data for direct marketing by the bank”. If customers did not tick the box, the bank would not use their personal data for direct marketing.

Lesson learnt

Under the Personal Data (Privacy) Ordinance, a data subject’s “consent” to the use of his personal data for direct marketing by data users can include the data subject’s “indication of no objection”. However, to satisfy the definition of “indication of no objection”, the data subject must have expressly indicated that he does not object to the use of his personal data for direct marketing by data users. In other words, for a customer who has already made an opt-out request to the bank, even when the bank asks again if he would accept direct marketing and he does not respond, the bank cannot conveniently presume that he “consented” to the use of his personal data for direct marketing, or he wanted to cancel his previous opt-out request.

When collecting customers’ personal data or allowing them to make an opt-in or opt-out choice online or through applications, organisations should adopt the Privacy-by-Design approach to ensure that organisations collect and use customers’ personal data for direct marketing only when customers are clearly informed and their genuine consent is obtained. By doing so, organisations not only win trust from customers, but also enhance their professional image in the industry, as well as the effectiveness of direct marketing.

WHAT'S ON

Media Briefing on the PCPD's Work in 2020 (28 Jan 2021)

Privacy Commissioner Ms Ada CHUNG Lai-ling reported on the work of the PCPD in 2020 in a media briefing held on 28 January 2021. She also outlined PCPD’s strategic focus for 2021, including privacy protection amidst technological development and enhanced enforcement.

Privacy Commissioner Awarded The Hong Kong Institute of Chartered Secretaries Prize 2020 (25 Jan 2021)

Privacy Commissioner Ms Ada CHUNG Lai-ling (left) received the HKICS prize from Ms Edith Shih, the immediate Past International President of The Chartered Governance Institute.

The Privacy Commissioner was awarded The Hong Kong Institute of Chartered Secretaries Prize (the HKICS Prize) 2020 by The Hong Kong Institute of Chartered Secretaries in recognition of her significant contributions to the company secretary and governance profession, and the development of the Institute over a substantial period. The award was presented in the HKICS Annual Celebration 2021 - Mask-uerade Parade held on 25 January 2021.

First presented in 2010, the HKICS Prize is decided by a Judging Panel comprising selected past presidents, current Council members and fellows of the HKICS and represents the highest honour recognised by company secretaries and governance professionals.

RECOMMENDED ONLINE TRAINING

Free Online Seminars: Introduction to the Personal Data (Privacy) Ordinance

Check out our FREE public online seminars to deepen your understanding of the Ordinance.

Time: 3:00pm - 4:30pm

Key Takeaways:

• A general introduction to the PDPO
• The six Data Protection Principles
• Offences & compensation
• Direct marketing
• Q & A session

Professional Workshops on Data Protection (Feb - Mar 2021)

Contact Us

Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.