Skip to content

DPOC e-Newsletter

Facebook Youtube

Renew your membership to enjoy various privileges throughout the year! 

New membership year will commence on 1 April. Organisational members can enjoy 2 for 1 scheme upon renewal. Click below to find out more!


Renew now!

Privacy Commissioner Releases Study Report on Implementation of Privacy Management Programme by Data Users

The Privacy Commissioner for Personal Data, Hong Kong,
Mr Stephen Kai-yi WONG, released the “2018 Study Report on Implementation of Privacy Management Programme by Data Users”.

Read media statement and report


Impact Analysis: Canadian regulator sets new cyber-incident obligations for banks, insurers

The Office of the Superintendent of Financial Institutions at Canada recently introduced new cyber incident reporting obligations for financial institutions that will require firms to review and possibly revise existing incident response management protocols.

Read more

Goodbye passwords? WebAuthn is now an official web standard

WebAuthn, short for Web Authentication, is a browser and platform standard for simpler and stronger authentication processes. It lets users log in to their online accounts using their preferred device, biometrics or FIDO security keys.

Read more

The mainland of China to legislate on personal information protection, AI

The mainland of China plans to make a personal information protection law, in a bid to fight against improper collection, abuse and leaking of citizens' personal information.

Read more

Data privacy, right-to-delete rules pass Senate

In the US, the Senate has passed a broad package of data privacy protections, including rules that would give consumers the right to delete data about them held by private companies.

Read more

Professional Workshop on Data Protection in Direct Marketing Activities
(22 March 2019)

Direct marketing is widely adopted by many organisations in promoting their products and services. Since the amended direct marketing regime took effect in 2013, however, some companies were convicted for failing to comply with the requirements. This workshop provides a practical approach to the compliance of the requirements in direct marketing activities and provides hands-on solutions to problems that marketers face in devising direct marketing activities. Conviction cases will also be shared during the workshop.

Enrol now!

Professional Workshop on Data Protection in Insurance
(27 March 2019)

Insurance practitioners handle a large amount of customers' personal data in their daily work. The workshop would talk about what insurance practitioners should do to protect customers' personal data when providing insurance services to them. Core concepts of data protection compliance illustrated by specific scenarios such as collection of customers’ medical data, engagement of private investigators in insurance claims and use of customers’ data for internal training, etc. will be examined.

Enrol now!

"Hong Kong Lawyer" March 2019 issue: How Internet of Things May Expose Your Privacy

Without a doubt, Internet of Things offers us convenience and effectiveness that we have not envisaged before. We are so accustomed to IoT devices that they become an indispensable part of our daily routine. Utility aside, the article by the Privacy Commissioner for Personal Data Mr Stephen Ka-yi WONG will look at the associated privacy risks.

Read the article

Q: What should a beauty company do if it wishes to collect date of birth of a customer for providing age-specific services and birthday gifts and discounts?

A: For age-specific products and services, the collection of the customer’s age or age range, as opposed to the specific date of birth, should suffice. In respect of providing birthday gifts or discounts, a customer’s month of birth, or date and month of birth should suffice, depending on the duration of discounts and nature of the gifts.

Q: Can a beauty company transfer its customers’ personal data to another company providing similar service when it discontinues its business?

A: The beauty company can do so only if before the data is collected, the customers have been informed of the purpose for collection and that the other company is within the class of persons to whom the data may be transferred; or the customers have given their express and voluntary consent to the transfer.

Q: Can a beauty company collect customers' HKID Card numbers for offering free/discounted services on a trial basis?

A: Some beauty companies offer free or discounted services on a trial basis in order to attract new customers who are required to be registered as trial members or for the issuance of trial passes. Very often, a customer is asked to provide her HKID Card number for such registration or issuance of a trial pass. The collection of a customer’s HKID Card number for such purpose is considered unnecessary on the grounds that the possible rights, interests or liabilities arising from such registration and trial pass is short-term and trivial.

Extended Reading: 
Guidance on the Proper Handling of Customers' Personal Data for the Beauty Industry

Data Protection Principle 2 – Accuracy and duration of retention of personal data

Use of inaccurate personal data

The complainant had taken out a loan with a bank. He subsequently moved to a new address and notified the bank of the change. Upon his defaulting on repayment of the loan, the bank engaged the service of a debt collection agent and passed to it personal data of the complainant, including his old and new addresses. The debt collection agent sent demand letters to both addresses, thereby making known to people who were living in the complainant's old address that the complainant was in debt.

Investigation revealed that subsequent to being notified of the complainant's new address the bank had been communicating with him there. It also had no reason to believe that the complainant could still be contacted at the old address.

Privacy Commissioner's views on the matter

In treating the complainant's old address as his correspondence address for debt collection purpose the bank had acted in breach of Data Protection Priniciple (DPP) 2(1)(b), which requires all practicable steps to be taken to ensure that inaccurate data are not used or are erased. As a result of the PCPD's investigation the bank agreed to erase the complainant's old address from all its records except the original loan application form. The bank also instructed the debt collection agent to erase all data concerning the complainant from its records. In the circumstances of the case, the retention by a bank of an applicant's old address as shown on the original loan application form was justified. However, in accordance with the requirements of DPP2 (1), inaccurate data should not be used until their accuracy is re-confirmed.


Tips on Encryption

Encryption is an effective way to prevent data from being understood when your computer is hacked or when your Portable Storage Devices are lost.


Administrative Appeals Board's Decision

The Administrative Appeals Board (AAB) hears and determines appeals lodged against PCPD’s enforcement decisions. AAB may confirm, vary or reverse PCPD’s decisions. It has given PCPD its permission to publish on PCPD website its decisions delivered after open hearings.

View the AAB case notes

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.