PCPD e-NEWSLETTER
ISSUE May 2024
Safeguard Data Security • Safeguard Privacy! Privacy Commissioner’s Office Launches a Series of Promotional and Educational Activities to Promote Privacy Awareness Week 2024
Privacy Commissioner Ms Ada CHUNG Lai-ling (sixth from the right), the Supervisor and Principal of St. Paul’s Convent School, Sister Margaret WONG (fifth from the left), and officiating guests at the kick-off ceremony for the Mobile Exhibition Truck.
The PCPD launched its annual flagship event, “Privacy Awareness Week 2024”, from 10 to 16 May. Under the theme “Safeguard Data Security • Safeguard Privacy!”, the PCPD held a series of promotional and educational activities in May, including launching a mobile exhibition truck, the “Privacy Protection Truck”, to reach out to the community, organising a data security seminar and introducing a data security mascot, “Data Guardian”, with a view to raising awareness of data security among organisations and members of the public.
On 13 May, the PCPD organised the kick-off ceremony (the Ceremony) for the Mobile Exhibition “Privacy Protection Truck” at St. Paul’s Convent School (SPCS). The Supervisor and Principal of SPCS, Sister Margaret WONG; members of the Personal Data (Privacy) Advisory Committee of the PCPD Mr Raymond SY Kim-cheung, JP, Mr Joseph LIN Ho-man, MH and Dr Patrick WONG Chi-kwong; and members of the Standing Committee on Technology Development of the PCPD Professor the Hon K F WONG, MH, Professor Jason LAU, Professor S M YIU, Ir Alex CHAN, Mr Alan CHEUNG and Dr Gregg LI officiated at the Ceremony. Mr Albert Au, a renowned host, was the emcee of the event.
Given that human error and cyberattacks on the information systems of organisations occur from time to time and result in the leakage of personal data, the PCPD organised a seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures” on 23 May. The Privacy Commissioner and Mr Brad KWOK, Chief Personal Data Officer of the PCPD, talked about the lessons learnt from data breach cases in recent years and elaborated on the causes of the breaches and the remedial measures taken. The speakers also gave recommendations on how to enhance cybersecurity and data security measures, and highlighted the key points in preventing and handling data breach incidents.
In addition, the PCPD was the supporting organisation of the “Together, We Create a Safe Cyberworld” Webinar held on 10 May, which was co-organised by the Office of the Government Chief Information Officer, the Hong Kong Police Force and the Hong Kong Computer Emergency Response Coordination Centre. The PCPD representative gave a presentation on responding to cybersecurity threats and data breach incidents, and shared insights into the risks of the cyberworld and the cybersecurity measures to be adopted. The webinar attracted over 480 participants.
To promote the various activities, the PCPD launched a data security mascot, “Data Guardian”. The Data Guardian conveyed messages of data security through different channels, including major public transportation terminals, social media, online platforms and newspapers. Posters were also distributed to members of the PCPD’s Data Protection Officers’ Club, government departments, District Offices, community centres, chambers of commerce, other organisations and schools.
Privacy Awareness Week is an annual event jointly supported by members of the Asia Pacific Privacy Authorities to raise public awareness of personal data privacy protection.
For details, please click here to visit the website.
The PCPD Publishes Findings on the Data Breach Incident of Consumer Council
Privacy Commissioner Ms Ada CHUNG Lai-ling introduced the findings on the data breach incident of the Council.
On completion of its investigation into a data breach incident of the Consumer Council (the Council), the PCPD published its findings on 2 May. The investigation arose from a data breach notification lodged by the Council reporting that its servers had been attacked by ransomware (the Incident). The Incident resulted in unauthorised access to the Council’s data, which involved the personal data of more than 450 individuals, including complainants, personnel of information technology service vendors, and current and former staff members of the Council. The PCPD thanked the Council for the information and cooperation it provided during the investigation. The investigation revealed that a hacker group had obtained the credentials of a user account with administrative privileges and gained access to the Council’s network through a Virtual Private Network. The hacker then deployed ransomware on the servers and endpoints of the Council. According to the evidence obtained in the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling considered that the Incident was caused by the following deficiencies of the Council:
- Failure to enable multi-factor authentication for remote access to data, thereby allowing the hacker to gain access to the Council’s network through the compromised account credentials, conduct a ransomware attack and access the personal data held by the Council;
- Failure to properly configure the cybersecurity solutions adopted to detect and block cybersecurity threats, resulting in the failure of the cybersecurity solutions to send email alerts to the Council when cybersecurity threats were detected;
- Lack of sufficient safeguards to prohibit or prevent the storage of personal data on testing servers, which led, through human error or oversight, to the personal data of 289 complainants held by the Council being stored on a testing server that was not protected by the cybersecurity solutions and was in turn exposed to the hacking attack;
- Lack of specificity and comprehensiveness in the policies on information security, which did not provide a concrete cybersecurity framework or IT security review requirements and procedures for its staff members to follow; and
- Inadequate awareness of information security and data protection: Apart from the storage of personal data on the testing server owing to human error or oversight, the investigation also revealed that a former IT staff member had not enforced the complex password policy of the Council in the system settings at the time of the Incident, rendering its password policy ineffective. The above examples reflected the lack of awareness of the staff members of the Council in protecting personal data privacy and information security.
Based on the above, Privacy Commissioner Ms Ada CHUNG Lai-ling considered that the Council had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the PDPO concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on the Council, directing it to remedy the contravention and prevent similar recurrence of the contravention.
With the advancement of technologies, the adoption of information and communications technologies, hybrid work models and remote access to data have become the new normal. While technological development brings benefits and convenience, it also inevitably increases data security risks. To address cybersecurity threats, organisations should regularly review and strengthen the security measures of their information systems. The Privacy Commissioner wishes to make the following recommendations to organisations which use information and communications technologies for processing personal data:
- Adopt multi-factor authentication for remote access to information and communications systems to minimise the risk of attacks targeting information systems;
- Establish a robust cybersecurity framework, allocate sufficient resources and formulate effective strategies and measures to prevent, detect and respond to cyberattacks, thereby reducing the possibility of cyberattacks and the risk of data leakage;
- Conduct regular risk assessments and security audits of information systems;
- Establish a corporate culture that values data security; and
- Devise effective training plans to enhance staff awareness and competence in data security and personal data protection.
Please click here to download the report of “Ransomware Attack on the Information Systems of the Consumer Council”.
The Risk Assessment Tools in Personal Data Privacy Management – Periodic Risk Assessment Questionnaire
PRIVACY COMMISSIONER’S FINDINGS
Mobile Wi-Fi Device Rental Company Took Inadequate Security Measures to Protect Customers’ Personal Data
Be Smart Online – Tips to Mitigate the Privacy Risks of QR Codes
The PCPD Finds that the Operation of the Worldcoin Project in Hong Kong Contravenes the PDPO
The PCPD Urges Users of Cloud Platforms to Ensure Data Security
A 40-year-old Male Arrested for Suspected Doxxing Arising from Monetary Disputes
Response of the PCPD to the Companies Registry’s Data Breach Incident
Upcoming Topical Seminars
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Reaching Out to Schools – Privacy Commissioner Reminds Secondary School Students to Say “No” to Cyberbullying and Doxxing
Reaching Out to the Media – The Privacy Commissioner Attends the Cocktail Reception in Celebration of the 65th Anniversary of Ming Pao
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Publishes an Article on China Law
Enhancing Data Security – The PCPD Organises a Seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures”
Promoting Data Security – Privacy Commissioner Publishes an Article entitled “Safeguarding Data Security to Stay Competitive” at The Bulletin
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Findings on the Data Breach Incident of the Consumer Council
Enhancing Data Security – PCPD’s Representative Speaks at the Webinar Entitled “Together, We Create a Safe Cyberworld”
Highlights of “Data Security Technology – Rules for Data Classification and Grading”
UK: ICO Launches Consultation on Data Subject Rights in Relation to Generative AI
France: CNIL Publishes Retention Guidance on Data Collected through Public Internet Access
Spain: AEPD Publishes Guidance on Processing of Personal Data Using Wi-Fi Tracking
USA: FTC Publishes Blog on Collection of Consumer Automotive Data
The Risk Assessment Tools in Personal Data Privacy Management – Periodic Risk Assessment Questionnaire
Personal data privacy risks evolve over time. To implement an effective Personal Data Privacy Management Programme (PMP), organisations should adopt technical and organisational measures to ensure compliance. Periodic risk assessment is an important part of PMP to ensure that organisations’ privacy policies and practices comply with the Personal Data (Privacy) Ordinance (PDPO). An organisation can provide each department with a periodic risk assessment questionnaire for assessment. The completed questionnaire should be returned to its Data Protection Officer for review. If there are non-compliant issues or data privacy risks identified, the organisation should draw up mitigation measures for all identified risks and rectify the non-compliant areas.
Here is a sample periodic risk assessment questionnaire for reference:
PRIVACY COMMISSIONER’S FINDINGS
Mobile Wi-Fi Device Rental Company Took Inadequate Security Measures to Protect Customers’ Personal Data
The Complaint
The complainant was a customer of a mobile Wi-Fi device rental company (the Company). When picking up a Wi-Fi device at the Company’s counter at the Hong Kong International Airport (the Counter), the complainant noticed that the acknowledgment of receipt form (the Form) used for renting the mobile Wi-Fi device allowed him to see other customers’ personal data, including their full English names, rental periods and destinations. Moreover, the Company left the Form unattended at the Counter during non-business hours, and customers were required to acknowledge receipt of the Wi-Fi devices on their own. This situation could lead to unauthorised access to customers’ personal data.
Outcome
After the PCPD’s intervention, the Company revised the format of the Form by removing the “destination” column and displaying only the customer’s family name with the initial of the given name, so that the identity of the customer could not be ascertained from the limited information on the Form. The Company also covered the Form with non-transparent sheets to prevent accidental access to customers’ personal data on the Form.
Besides, the PCPD issued an advisory letter to the Company in response to the incident requesting it to take all practicable measures to protect the registration data of customers against unauthorised or accidental access, processing, erasure, loss or use. Meanwhile, the Company was requested to provide training to its staff to raise their awareness of personal data privacy protection.
Lessons Learnt
The use of common forms by data users to record personal data is not uncommon. However, this practice is not advisable, as it may allow customers to see the data of other customers who registered earlier, resulting in leakage of customers’ personal data. Considering the business operation model in the present case, the PCPD understands that it may be impracticable for the Company to have staff available around the clock to complete the pick-up procedures. To minimise the risk of personal data leakage, data users should pay attention to the format of the acknowledgment form and display only the information necessary for acknowledging receipt. Data users may also consider digitising the process by using a computer system instead of physical common forms, so that customers cannot see other customers’ personal data when completing the acknowledgment procedures, thereby better protecting customers’ personal data privacy.
Be Smart Online – Tips to Mitigate the Privacy Risks of QR Codes
Owing to the prevalent use of internet services and mobile devices, QR codes are widely used in diverse areas, such as marketing and advertising, mobile payment and even food ordering. A QR code is a machine-readable two-dimensional barcode that contains information; scanning it redirects you to a website or an application.
Although QR codes bring convenience, they can be hijacked by scammers who direct users to a fraudulent website to disclose personal data, and users may be exposed to inappropriate materials or malware as a result.
Here are some practical tips for using QR codes safely:
- Stay vigilant before scanning QR codes; do not scan any codes from unknown sources;
- Check the authenticity of websites by reviewing the preview URL before clicking the hyperlinks directed by the QR codes;
- Use the built-in QR code scanner on mobile phones to avoid the increased risk of malware attacks arising from downloading third-party QR code scanning applications, or use the QR code scanning feature in anti-virus applications;
- Turn off automatic URL redirection function of QR code scanners;
- Do not make electronic payments via QR codes casually. Use the native applications or visit official domains instead; and
- Install security software with content filtering that inspects links and attachments and blocks access to suspicious items.
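The tips above say what to look at in a preview URL before following it. As an added example that is not part of the PCPD newsletter, the Python function below applies those checks to a URL decoded from a QR code: it requires https, rejects bare IP hosts, user-info prefixes and punycode lookalikes, compares the host against an official-domain allowlist, and flags query parameters that forward to another site. The allowlist `OFFICIAL_DOMAINS`, the parameter names in `REDIRECT_PARAMS` and the sample URLs are constructed for illustration.

```python
"""Pre-flight check for a URL decoded from a QR code.

Added example, not from the PCPD newsletter. It turns the newsletter's tips
(review the preview URL, do not let the scanner redirect automatically, pay
only via official domains) into a function that lists reasons not to open a
link. The allowlist and sample URLs below are constructed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the domains an organisation tells customers to expect
# on its QR codes. Any subdomain of these is accepted.
OFFICIAL_DOMAINS = {"example-bank.hk", "example-pay.com"}

# Query parameters commonly used to carry a second URL; a payment or login link
# that forwards somewhere else deserves a second look before it is opened.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "target"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_qr_url(url: str) -> list[str]:
    """Return the reasons not to open the URL; an empty list means no concern found."""
    reasons: list[str] = []
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is '{parts.scheme or 'none'}', not https")

    host = parts.hostname or ""
    if not host:
        reasons.append("no host in URL")
        return reasons

    # 'https://bank.example@other.test/' shows a trusted name but goes to other.test
    if parts.username is not None:
        reasons.append("URL carries user-info before the host (deceptive prefix)")

    if _is_ip_literal(host):
        reasons.append(f"host is a bare IP address ({host})")

    # Internationalised domain names are encoded as xn--...; lookalikes of a brand
    # name built from similar-looking characters end up in this form.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode (possible lookalike domain)")

    if not _is_official(host):
        reasons.append(f"host '{host}' is not on the official-domain allowlist")

    query = parse_qs(parts.query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() in REDIRECT_PARAMS and any(
            v.startswith(("http://", "https://", "//")) for v in values
        ):
            reasons.append(f"parameter '{key}' forwards to another site: {values[0]}")

    return reasons


def safe_to_open(url: str) -> bool:
    return not check_qr_url(url)


if __name__ == "__main__":
    # Constructed sample URLs of the kind a phone might decode from a poster or menu.
    samples = [
        "https://pay.example-pay.com/order/4821",
        "http://example-pay.com/order/4821",
        "https://example-bank.hk@198.51.100.7/login",
        "https://xn--exmple-bank-7db.hk/login",
        "https://example-pay.com/go?url=https://other.test/collect",
    ]
    for s in samples:
        verdict = check_qr_url(s)
        print(s, "->", "OK" if not verdict else "; ".join(verdict))
```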
Reaching Out to Schools – Privacy Commissioner Reminds Secondary School Students to Say “No” to Cyberbullying and Doxxing
The PCPD organised a talk at Shatin Pui Ying College on 28 May as part of its School Touring of Anti-doxxing Education Talks. Privacy Commissioner Ms Ada CHUNG Lai-ling explained the new doxxing offences and the importance of protecting and respecting personal data privacy online to more than 170 Form Four and Form Five students. The Privacy Commissioner also reminded the students to say “No” to cyberbullying and doxxing.
During the talk, Privacy Commissioner Ms Ada CHUNG Lai-ling said “The consequences of cyberbullying and doxxing acts can be serious. When you receive a doxxing or cyberbullying message, do not believe or forward the message. You should delete the message or block the sender’s account.” The Privacy Commissioner also reminded the students to handle their personal data carefully in the cyber world, and not to provide their personal data arbitrarily, especially data such as identity card numbers, dates of birth, and bank account numbers, etc.
The PCPD has been organising the School Touring of Anti-doxxing Education Talks since April last year. As of this April, the PCPD has visited 37 schools to convey the messages of combating doxxing and protecting personal data privacy to over 12,600 students.
Please click here for the presentation deck (Chinese only).
Reaching Out to the Media – The Privacy Commissioner Attends the Cocktail Reception in Celebration of the 65th Anniversary of Ming Pao
Privacy Commissioner Ms Ada CHUNG Lai-ling and the Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) Ms Joyce LAI attended the cocktail reception in celebration of the 65th anniversary of Ming Pao on 24 May. The Privacy Commissioner congratulated Ming Pao on its 65th anniversary and wished it every success in its business.
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Publishes an Article on China Law
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Office of the Privacy Commissioner for Personal Data, Hong Kong: Striving to Safeguard Personal Data Privacy and Promote Cross-boundary Data Flow” on China Law.
In the article, the Privacy Commissioner introduced the statutory functions of the PCPD and the legal framework under the PDPO. Apart from providing a glimpse of the PCPD’s major achievements in 2023, the Privacy Commissioner also highlighted the PCPD’s consistent efforts in capturing the new opportunities offered by the Motherland and furthering the integrated development of the Greater Bay Area. Notably, the Privacy Commissioner introduced the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC) jointly formulated by the Cyberspace Administration of China (CAC), the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) and the PCPD on 13 December 2023. As a facilitation measure to promote cross-boundary flows of personal information (i.e., personal data) in the Greater Bay Area, the GBA SC simplifies the compliance requirements for conducting cross-boundary flows of personal information within the Greater Bay Area, thereby promoting the development of the Greater Bay Area’s digital economy while ensuring the safe and orderly flow of personal information within the Greater Bay Area. Please click here to read the article.
Enhancing Data Security – The PCPD Organises a Seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures”
The PCPD organised a seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures” in hybrid mode on 23 May, which attracted over 1,100 participants. At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling provided an overview of the latest trends of data breach incidents, highlighted some data breach cases which occurred in recent years and elaborated on the causes of the data breaches and the remedial measures taken. Chief Personal Data Officer (Compliance and Enquiries) of the PCPD Mr Brad KWOK also spoke on how to enhance cybersecurity and data security measures, as well as explained the key points in preventing and handling data breach incidents. Please click here to download the presentation deck (Chinese only).
Promoting Data Security – Privacy Commissioner Publishes an Article entitled “Safeguarding Data Security to Stay Competitive” at The Bulletin
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Findings on the Data Breach Incident of the Consumer Council
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 3’s “Hong Kong Today”, RTHK Radio 1’s “HK2000” and Commercial Radio’s “On a Clear Day” on 3 May to explain the findings of the PCPD on the data breach incident of the Consumer Council (the Council).
The Privacy Commissioner said that the investigation revealed that a hacker group had obtained the credentials of a user account with administrative privileges and gained access to the Council’s network through a Virtual Private Network. The hacker then deployed ransomware in the servers and endpoints of the Council. According to the evidence obtained in the investigation, the Council’s deficiencies included failing to enable multi-factor authentication for remote access to data, and storing personal data on testing servers.
The Privacy Commissioner emphasised the importance of safeguarding data security. To raise the awareness among companies, the PCPD has already launched the Data Security thematic webpage, the “Data Security Scanner” assessment webpage and the data security hotline, and organised the “Privacy Awareness Week” in May.
Please click here to listen to the interview (53:57-59:34) by RTHK News’ “Hong Kong Today” (Chinese only).
Please click here to listen to the interview by RTHK Radio 3’s “Hong Kong Today” (04:12-09:15).
Enhancing Data Security – PCPD’s Representative Speaks at the Webinar Entitled “Together, We Create a Safe Cyberworld”
Personal Data Officer (Information Technology) of the PCPD Mr Tamson TAM spoke at the Build a Secure Cyberspace 2024 “Together, We Create a Safe Cyberworld” Webinar on 10 May. Mr Tam shared tips with the participants on enhancing cybersecurity for organisations and on how to prevent and handle data breach incidents. Supported by the PCPD, the webinar was co-organised by the Office of the Government Chief Information Officer, the Hong Kong Police Force and the Hong Kong Computer Emergency Response Coordination Centre. This webinar was one of the activities of the PCPD’s Privacy Awareness Week 2024. Please click here for the presentation deck (Chinese only).
The PCPD Finds that the Operation of the Worldcoin Project in Hong Kong Contravenes the PDPO
On completion of its investigation into the Worldcoin project, the PCPD publishes its findings today. The matter arose from the PCPD’s concern that the operation of Worldcoin in Hong Kong involved serious risks to personal data privacy. As such, the PCPD proactively commenced an investigation into the Worldcoin project in January 2024 to determine whether the operation of Worldcoin in Hong Kong had contravened the requirements of the PDPO, Chapter 486 of the Laws of Hong Kong.
The PCPD carried out 10 covert visits between December 2023 and January 2024 at six premises involved in the operation of the Worldcoin project. On 31 January 2024, the PCPD entered the six premises with court warrants to carry out investigations. The premises were located at Yau Ma Tei, Kwun Tong, Wan Chai, Cyberport, Central and Causeway Bay. Thereafter, two rounds of inquiries were carried out and the investigation is now completed.
The investigation found that participants of the Worldcoin project had to allow the relevant organisation to collect their face and iris images through iris scanning to verify their humanness and generate iris codes, thereby obtaining a registered identity (World ID, which Worldcoin called a digital passport), after which the participants could receive Worldcoin tokens, a cryptocurrency, at regular intervals for free. Worldcoin confirmed that 8,302 individuals had their faces and irises scanned for verification during its operation in Hong Kong.
Having considered the circumstances of the case and the information obtained from the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the operation of Worldcoin in Hong Kong had contravened the Data Protection Principles (DPPs) in Schedule 1 to the PDPO relating to collection, retention, transparency, and data access and correction rights, which included:
- DPP 1(1) - the PCPD considered that the face and iris images collected by the Worldcoin project were unnecessary and excessive, contravening the requirements of DPP 1(1).
- DPP 1(2) - Worldcoin collected personal data unfairly. In particular, the relevant “Privacy Notice” and “Biometric Data Consent Form” were not available in Chinese, and the iris scanning device operators at the operating locations neither offered any explanation of those documents nor confirmed the participants’ understanding of them. They also did not inform the participants of the possible risks of disclosing their biometric data, nor did they answer their questions.
- DPP 1(3) - On or before the collection of personal data, participants were not clearly informed of the information as specified under the PDPO, including the purpose(s) of collection, whether it was obligatory or voluntary for them to supply their personal data, the classes of possible transferees, and the right and means to request access to and correction of their personal data.
- DPP 2(2) - Worldcoin would retain personal data for a maximum of 10 years for the purpose of training AI models for the user verification process. The PCPD considered that the retention period was too long and amounted to prolonged retention of personal data.
- DPP 5 - Insufficient transparency of the personal data policy and practices. The Privacy Notice at the material time was not available in Chinese. The PCPD was of the view that participants using Chinese as native language would not be able to clearly understand the relevant policies and practices, terms and conditions of the Worldcoin project, and hence there was a lack of transparency.
- DPP 6 - Participants did not have the means to exercise their rights of data access and correction.
The Privacy Commissioner has served an enforcement notice on Worldcoin Foundation, directing it to cease all operations of the Worldcoin project in Hong Kong in scanning and collecting iris and face images of members of the public using iris scanning devices.
Please click here to download the Investigation Findings “The Operation of the Worldcoin Project in Hong Kong Contravenes the Personal Data (Privacy) Ordinance”.
The PCPD Urges Users of Cloud Platforms to Ensure Data Security
The PCPD noticed from data breach notifications recently received from different organisations, including the Electrical and Mechanical Services Department, the Fire Services Department and the Urban Renewal Authority, that in all three incidents the personal data was stored on the online platform ArcGIS Online (the Platform). The incidents related to faults in the login passwords and/or access rights, such that the data stored on the Platform could be accessed without logging into the relevant interface with an account and/or password. The PCPD has commenced investigations into the three incidents in accordance with established procedures.
More generally, the PCPD reminds users of cloud platforms, including both private and public organisations, which have uploaded their data, in particular personal data, onto these platforms to regularly check whether the login passwords and/or access rights to the relevant platforms are valid, so as to ensure data security. If there is any fault in a login password and/or access right that may lead to a data breach, the organisation should inform the affected data subjects as soon as possible and report the breach to the PCPD (telephone: 2827 2827 or email: dbn@pcpd.org.hk).
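The newsletter does not say what caused the three incidents, only that data on the Platform could be reached without logging in. As an added example that is not from the PCPD or from Esri, the Python script below is the kind of routine check the reminder calls for: it pages through an ArcGIS Online portal search and reports every item whose sharing level is public, ranking items that carry records above maps. The response fields (`results`, `nextStart`, `access`, `type`, `owner`, `title`) follow the ArcGIS Online sharing REST API as I understand it; the two response pages are constructed so the audit runs offline, and `fetch_sample_page` stands in for an authenticated GET to the portal’s `/sharing/rest/search` endpoint.

```python
"""Audit an ArcGIS Online organisation for items shared with the public.

Added example, not from the PCPD newsletter or from Esri. The search-response
shape (results, nextStart, access, type, owner, title) follows the ArcGIS
Online sharing REST API (/sharing/rest/search). The pages below are
constructed so the audit runs offline; in practice fetch_page would issue an
authenticated GET to https://<org>.maps.arcgis.com/sharing/rest/search.
"""
from __future__ import annotations

from typing import Callable, Iterator

# Item types that hold records rather than cartography; a public item of one of
# these types exposes the data itself, not just a picture of it.
DATA_BEARING_TYPES = {
    "Feature Service", "Feature Collection", "CSV", "Shapefile",
    "File Geodatabase", "Microsoft Excel", "Map Service", "Image Service",
}

# Constructed responses: two pages; the API marks the last page with nextStart == -1.
SAMPLE_PAGES = {
    1: {"total": 3, "start": 1, "num": 2, "nextStart": 3, "results": [
        {"id": "a1", "title": "Inspection records 2024", "owner": "dept_gis",
         "type": "Feature Service", "access": "public"},
        {"id": "b2", "title": "District overview map", "owner": "dept_gis",
         "type": "Web Map", "access": "public"},
    ]},
    3: {"total": 3, "start": 3, "num": 1, "nextStart": -1, "results": [
        {"id": "c3", "title": "Complainant addresses (export)", "owner": "intern01",
         "type": "CSV", "access": "org"},
    ]},
}


def fetch_sample_page(start: int) -> dict:
    """Stand-in for the HTTP call: returns the constructed page beginning at `start`."""
    return SAMPLE_PAGES[start]


def iter_items(fetch_page: Callable[[int], dict]) -> Iterator[dict]:
    """Walk every page of a portal search until the API reports nextStart == -1."""
    start = 1
    while start > 0:
        page = fetch_page(start)
        yield from page.get("results", [])
        start = page.get("nextStart", -1)


def access_summary(fetch_page: Callable[[int], dict]) -> dict[str, int]:
    """Count items per sharing level (public / org / shared / private)."""
    counts: dict[str, int] = {}
    for item in iter_items(fetch_page):
        level = item.get("access", "unknown")
        counts[level] = counts.get(level, 0) + 1
    return counts


def audit_public_items(fetch_page: Callable[[int], dict]) -> list[dict]:
    """Return the items anonymous users can reach, highest severity first."""
    findings = []
    for item in iter_items(fetch_page):
        if item.get("access") != "public":
            continue
        severity = "high" if item.get("type") in DATA_BEARING_TYPES else "medium"
        findings.append({
            "id": item["id"], "title": item.get("title", ""),
            "owner": item.get("owner", ""), "type": item.get("type", ""),
            "severity": severity,
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["title"]))


def render_report(findings: list[dict]) -> str:
    if not findings:
        return "No publicly shared items found."
    lines = [f"{len(findings)} item(s) reachable without login:"]
    for f in findings:
        lines.append(f"  [{f['severity']:>6}] {f['id']}  {f['type']:<16} {f['owner']:<10} {f['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Items by sharing level:", access_summary(fetch_sample_page))
    print(render_report(audit_public_items(fetch_sample_page)))
```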
A 40-year-old Male Arrested for Suspected Doxxing Arising from Monetary Disputes
The PCPD arrested a Chinese male aged 40 in the New Territories on 10 May. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO.
The PCPD’s investigation revealed that the victim borrowed money from a friend (the Person) in early 2024 and, for that purpose, sent a photo of his staff card to the Person through an instant messaging application (app). The victim later repaid the debt and borrowed money from the Person again in mid-March 2024. However, a dispute ensued between the two as to whether the victim had cleared the second debt. In early April 2024, the victim received a call and a message through the instant messaging app demanding that he repay the debt to the Person, failing which message(s) about the victim would be published on social media platform(s). Later the same evening, a message urging the victim to repay the debt, with negative comments against him, was posted in an open discussion group on a social media platform, alongside a partly redacted photo of his staff card showing particulars of his personal data, including his Chinese name, English name, the name of his company and his photo. The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
Response of the PCPD to the Companies Registry’s Data Breach Incident
The PCPD noted on 3 May that around 110,000 data subjects were affected in the data breach incident of the Companies Registry. Having considered the number of data subjects involved, the PCPD has immediately commenced an investigation into the incident and has advised the relevant department to notify the affected data subjects as soon as possible. The PCPD appeals to the affected persons to make enquiries (telephone: 2827 2827 or email: communications@pcpd.org.hk) or complaints (telephone: 2827 2827 or email: complaints@pcpd.org.hk) with the relevant department or the PCPD if they suspect that their personal data have been leaked. The PCPD calls on the affected persons to be vigilant of potential theft of their personal data and to take the following measures to protect personal data privacy:
- Consider changing the passwords of online accounts and activating the multi-factor authentication function (if available);
- Beware of any unusual logins to personal emails or accounts;
- Review bank statements to spot any unauthorised transactions;
- Stay vigilant when receiving any suspicious calls, text messages or emails from unknown sources, and do not open attachments or disclose personal data readily; and
- Be vigilant against phishing or other possible scams.
Highlights of “Data Security Technology – Rules for Data Classification and Grading”
To facilitate the implementation of the national data classification and grading protection system stipulated under Article 21 of the Data Security Law, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China (TC260) released the “Data Security Technology – Rules for Data Classification and Grading” (the Rules) on 21 March 2024[1]. The Rules[2], which will come into effect on 1 October 2024, set out identification guidelines[3] on the basic principles, framework, methods and process for data classification and grading. The key points are as follows:
Definitions
The Rules define the following terms[4]:
- Data (數據) – any record of information in electronic or other form.
- Key data (重要數據) – data that relates to a specific field, group or region, or that reaches a certain level of precision and scale, and which, once leaked, tampered with or destroyed, may directly endanger national security, economic operation, social stability, or public health and safety[5].
- Core data (核心數據) – key data that has high coverage of a field, group or region, or that reaches a high level of precision, a large scale or a certain depth, and which, once illegally used or shared, may directly affect political security[6].
- General data (一般數據) – data other than core data and key data.
Basic Principles
The Rules expressly state that the competent (regulatory) authorities of each industry sector and data processors must comply with the national data classification and grading protection requirements, manage classification and grading according to the industry sector to which the data belongs, and classify and grade data in accordance with the following five principles[7]:
- Principle of being scientific and practical
- Principle of clear boundaries
- Principle of applying the higher grade and the stricter requirement
- Principle of combining the specific and the general
- Principle of dynamic updating
Rules for Data Classification[8]
As to the framework for data classification, the Rules provide that data should first be classified by industry sector[9] and then by business attribute[10]. Categories of data that are subject to specific management requirements under laws and regulations (such as personal information) should be identified and classified in accordance with the relevant provisions and standards.
As to the method of data classification, the Rules provide that data may be classified in finer detail by flexibly selecting business attributes, according to data management and usage needs and building on any existing classification. When classifying data in an industry sector, the following four steps may be used as a reference:
- Define the scope of the data
- Refine the business classification
- Classify by business attribute
- Determine the classification rules
Rules for Data Grading[11]
According to the importance of the data to economic and social development, and the degree of harm to national security, economic operation, social order, public interest, organisational rights and interests, and individual rights and interests that would be caused if the data were leaked, tampered with, destroyed, or illegally obtained, used or shared, data is graded, from highest to lowest, into three levels: core data, key data and general data.
As to the method of data grading, since the purpose of grading is to protect data security, the specific process may follow these four steps:
- Determine the object to be graded
- Identify the grading factors
- Analyse the data impact
- Determine the grade on an overall basis
Notably, the Rules provide more detailed guidance on the third step above, “data impact analysis”.
Data Impact Analysis
The Rules provide that, when conducting a data impact analysis, data processors should consider both the objects affected and the degree of impact. The former refers to the objects that may be affected when the data is exposed to a security risk, which usually include national security, economic operation, social order, public interest, organisational rights and interests, and individual rights and interests[12]. The latter refers to the degree of impact that may result if the data is leaked, tampered with, destroyed, or illegally obtained, used or shared[13].
The degree of impact is divided, from high to low, into especially serious harm, serious harm and general harm. Different baselines apply when judging the degree of impact on different affected objects. Where the affected object is national security, economic operation, social order or public interest, the overall interests of the state, society or the industry sector serve as the baseline for judging the degree of impact; where the affected object is only the rights and interests of an organisation or an individual, the rights and interests of the organisation or the individual citizen serve as the baseline[14].
Process for Data Classification and Grading[15]
The Rules specifically note that the competent (regulatory) authorities of each industry sector and data processors have different responsibilities in the classification and grading process. The competent (regulatory) authorities of an industry sector, on the basis of complying with the relevant national requirements, may first formulate industry standards and specifications before commencing data classification and grading; data processors, on the basis of complying with the national and industry-sector classification and grading requirements, may carry out data classification and grading work by reference to the following steps:
- Take stock of data assets
- Formulate internal rules
- Implement data classification
- Implement data grading
- Review and submit the catalogue
- Manage dynamic updates
Conclusion
In summary, the Rules set out detailed rules on how to classify and grade data, and on how each industry sector, region, department and data processor should carry out data classification and grading work. As the first data security technology standard guideline released by TC260, the Rules undoubtedly provide data processors and enterprises with a more concrete reference for their work. Data processors and enterprises concerned should make timely adjustments to their business before the Rules formally come into effect, prepare in advance for the transition, and perform their compliance obligations in handling the relevant data in accordance with the law.
[1] Full text: https://www.tc260.org.cn/front/postDetail.html?id=20240321201412
[2] The Rules do not apply to data involving state secrets or to military data.
[3] Clause 1 of the Rules.
[4] Clause 3 of the Rules.
[5] Data that affects only the organisation itself or individual citizens is generally not treated as key data.
[6] Core data mainly includes data relating to key areas of national security, data relating to the lifeline of the national economy, important aspects of people’s livelihood and major public interests, and other data assessed and determined by the relevant national authorities.
[7] Clause 4 of the Rules.
[8] Clause 5 of the Rules.
[9] For example, industrial data, telecommunications data, financial data, energy data, transport data, natural resources data, health data, education data, scientific data, etc.
[10] Common business attributes include, but are not limited to: business domain, responsible department, described object, process stage, data subject, content topic, data purpose, data processing, data source, etc.
[11] Clause 6 of the Rules.
[12] Clause 6.4.1 of the Rules.
[13] Clause 6.4.2 of the Rules.
[14] Clause 6.4.2 of the Rules.
[15] Clause 7 of the Rules.
Upcoming Topical Seminars
More details will be announced on the PCPD’s website. Stay tuned with us!
Professional Workshop on Data Protection Law
With the rising public awareness and expectations of the protection of personal data privacy, it has become a regular practice for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence.
This workshop will examine the practical application of the PDPO at work by sharing real-life cases and providing practical advice. This workshop is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.
Date: 5 June 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers and compliance officers
Professional Workshop on Data Protection and Data Access Request
Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may request copies of their previous appraisal reports from their employers, and patients may request copies of their medical records.
Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations. This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 12 June 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, data protection officers, administration managers, human resource officers and customer services personnel
Other Professional Workshops on Data Protection from June to August 2024:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450 starting from 1 April).
Join us now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.