
DPOC e-Newsletter


2018 Best Practice Guide on Privacy Management Programme

Privacy Commissioner Mr Stephen Wong issued the revised Best Practice Guide on Privacy Management Programme (the Guide). The Guide aims at assisting organisations in constructing a comprehensive Privacy Management Programme (PMP).

Since 2014, the Privacy Commissioner has advocated that organisations should develop their own PMP to embrace personal data protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation, starting from the boardroom. The Guide is a "2.0 version" of the 2014 issue, with more concrete examples, charts, and questionnaire and checklist templates for reference.
 

Read media statement and download the Guide

Study reveals Asia Pacific consumers now prioritise security over convenience

A regional survey, conducted by F5 Networks in partnership with YouGov, shows that secure experiences are of foremost importance for Asia Pacific’s consumers, with 53% of them prioritising security features over the functionality and convenience of an app.

 

Canada: Privacy commissioners concerned over facial recognition software at Calgary malls

Alberta's Office of the Information and Privacy Commissioner says facial recognition technology at two Calgary malls could break privacy laws, but an investigation would be required before jumping to conclusions.

 

Peer-to-Peer payments are generally safe, but consumers must be aware of risks

According to a comprehensive Consumer Reports study of five of the most popular services, P2P payments are generally safe. However, some of the same qualities that make P2P services so appealing to consumers also expose them to significant risks.

 

Re. GDPR: Cross-border cooperation and consistency procedures – State of play

On 25 May 2018, the first cross-border cases were initiated in the Internal Market information System (IMI). The first results of the new procedures to deal with cross-border cases should be expected in a few months’ time.


Professional Workshops on Data Protection
Aug - Dec 2018 workshops are now open for enrolment!

These professional workshops are tailored to the needs of those people wishing to deepen their knowledge of data protection. Key features include:

  • Analysis of each data protection principle with relevant real-life scenarios
  • Codes of Practice and Guidelines
  • Updated guidance notes from the PCPD
  • Lessons learnt from real cases
  • Recommended good practices
Enrol now!

DPOC has always been an effective platform where members can share good practices and learn from each other. We cordially invite members to share your strategies and practices in data protection by contributing articles and/or photos of your successful initiatives to us. Please click "Share with us" to let us know your good practice!

Share with us!

Guidance on CCTV Surveillance and Use of Drones

The Guidance provides recommendations to data users on using CCTV and drones from the perspective of protecting personal data privacy.

 

Read Guidance Note

An employer charged an excessive fee for complying with an employee’s data access request – Section 28(3)

The Complaint

The Complainant made a data access request (the DAR) to his employer for a copy of his appraisal report. His employer imposed a flat-rate fee (HK$50 per page) on a requestor and charged the Complainant HK$200 for an appraisal report of four pages. The Complainant considered the fee to be excessive.

Outcome

According to the principles laid down by the Administrative Appeals Board in Administrative Appeal No. 37/2009, a data user is allowed to charge a requestor only for costs which are “directly related to and necessary for” complying with a data access request. A data user should not charge a fee on a commercial basis. Any fees that exceed the costs of compliance would be considered excessive. 

As the charge of HK$200 for four pages appeared, on the face of it, to be exorbitant, the burden was on the Complainant’s employer to prove that the fee of HK$200 it had charged was not excessive. However, the Complainant’s employer failed to provide details of the basis of the flat rate (HK$50 per page) or justify how the amount of HK$200 was cost-related to compliance with the DAR.

After the Privacy Commissioner had explained the requirements under section 28(3) of the Personal Data (Privacy) Ordinance (the Ordinance) and the principles laid down in Administrative Appeal No. 37/2009 to the Complainant’s employer, a flat rate of HK$2 per page was charged instead and a total of HK$192 was refunded to the Complainant.

Extended Reading:

Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

Q: Can a bank request a customer to provide his/her Hong Kong Identification Card Number for exchanging a HK$500 note for notes of smaller denominations?

A: According to the Code of Practice on the Identity Card Number and other Personal Identifiers (the Code) issued by the Privacy Commissioner, in general, a data user cannot compel an individual to provide his Hong Kong Identification (HKID) Card number except with legal authority. Moreover, HKID Card numbers should not be collected unless such collection is permitted under the Code. Given that such a transaction did not involve substantial risk of money laundering activities, collection of HKID Card numbers was unnecessary.

However, banks are permitted to collect HKID Card copies of their customers as a due diligence measure before carrying out a transaction involving an amount equal to or above HK$120,000 (or, if the transaction is a wire transfer, an amount equal to or above HK$8,000), so as to comply with the relevant requirement in the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance.

Q: Can an employer collect a copy of an employee's HKID Card?

A: Yes, as a copy of an employee's HKID Card is evidence of an employer having inspected it before the employment, as required under the Immigration Ordinance (Cap 115). However, the employer is required by the Code to mark the word "copy" across the image of the copy to reduce the chance of misuse and abuse.

Q: Can the security staff of a building ask a visitor to enter his/her HKID Card number in a visitors' log book at the entrance of the building?

A: This depends on whether monitoring of the visitor’s activities inside the building is feasible. If it is feasible, the security staff should not collect the visitor’s HKID Card number. If such monitoring is not feasible, they are allowed to collect the visitor’s HKID Card number. However, the security staff should take appropriate security measures to ensure that such entries in a visitors’ log book are concealed from subsequent visitors who enter their details. If a visitor is unhappy about providing his HKID Card number, the visitor may wish to suggest alternatives. Examples of such alternatives include identification by another identification document, e.g. a staff card issued by the visitor’s company, or identification by someone known to the security staff, e.g. a resident in the case of a residential building.

Extended Reading:
Code of Practice on the Identity Card Number and Other Personal Identifiers

Doing Business Online


How can you make sure your organisation complies with the Data Protection Principles of the Ordinance while doing business online?

PCPD’s Corporate Video

With public education as one of the PCPD’s priorities, this video is developed to raise public awareness of personal data protection and to highlight the work of the PCPD.

Resources by Topics



Look for useful guidance notes, information leaflets and other materials by topics.


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179
