Skip to content

DPOC e-Newsletter

Facebook Youtube

Children's right to privacy in the digital age

For many of us, sharing photos online is more or less a daily routine. But have you ever thought of the number of photos and videos having been posted online by parents when a child turns 13?

The answer is 1,300 according to the Children's Commissioner for England. With children themselves starting to engage on social media platforms when they grow up, by age 18, children may have published nearly 70,000 posts!

Such sheer amount of data may subject children to the risk of cyber bullying, personal security, profiling as well as profound consequences on their studies and employment in the future. It may jeopardise the best interests of the child which should be well protected.

To celebrate Children's Day on 4 April, let us recall the importance of children's rights particularly online participation and privacy. Parents and educators may share the tips of online privacy and digital literacy with the children while respecting their right to be heard.

Read PCPD's Children's Online Privacy Leaflet

Renew your membership to enjoy various privileges throughout the year! 

New membership year will commence on 1 April. Organisational members can enjoy 2 for 1 scheme upon renewal. Click below to find out more!


Renew now!


This information leaflet aims to introduce some common applications of Fintech with privacy implications; explain the privacy risk and provide tips to consumers for protecting their personal data privacy when using Fintech; and at the same time recommend good practices to providers/ operators of Fintech for addressing the privacy risks.

Read Information Leaflet

GPEN and national DPAs publish Sweep results on privacy accountability

The Global Privacy Enforcement Network ("GPEN")'s recent report shows that some organisations have a good understanding of how to implement and demonstrate accountability, and many are building some of the elements of accountability. There is however a need for better implementation in the key areas of accountability.

Read more

Cybersecurity is putting customer trust at the centre of competition

With the increasing reliance on software across nearly every dimension of our lives and the inherent privacy and security vulnerabilities related to software itself, companies are now putting trust as their priority amid the risks of data privacy in the digital age.

Read more

Asian firms are better prepared than European peers to comply with data-privacy regulations, according to new EIU study

Asian firms are more confident than those in Europe to deal with potentially stricter rules around consumer-data gathering and use; the US leads both regions.

Read more

How is the GDPR doing?

It has been almost a year since the EU's data privacy regulation went into effect. Some see it as a success as a breach notification law, but largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers' data.

Read more

UN Delegates called on to increase citizens' protection from surveillance

Delegates at the United Nations Human Rights Council 40th Session have been warned against the lack of adequate citizen privacy rules and the impact of surveillance on fundamental human rights.

Read more

Professional Workshop on Data Protection in Banking/Financial Services (11 April 2019)

This workshop is designed for practitioners in banking and finance who wish to acquire knowledge on the requirements under the Personal Data (Privacy) Ordinance in different aspects of the banking and financial services and the practical ways to deal with them effectively in their daily operation.

Highlights of Course Outline:

  • Code of Practice on Consumer Credit
  • Data Accuracy of customers' contact information
  • Outsourcing the processing of personal data
  • Fintech
Enrol now!

Professional Workshop on Data Protection in Human Resource Management (15 April 2019)

Can an employer collect a photocopy of a job applicant's Hong Kong Identity Card? How long should a company keep the personal data of former employees? Can an employee obtain all the comments in his/her appraisal report? These are some of the frequently asked questions about the application of the Personal Data (Privacy) Ordinance on human resource management.

Tailor-made for human resource practitioners, this workshop would discuss common questions and good practices in handling personal data in human resource management.

Enrol now!

Q: Your manager reported to you that several burglary cases occurred in your office building. For security sake, you should not consider ...

A. requesting the property management staff to patrol more frequently
B. installing overt CCTV cameras
C. installing pinhole cameras

The correct answer is C. Covert monitoring should not be used unless there is no other alternative and it is absolutely necessary in detecting or gathering evidence of unlawful activities, and the monitoring should be limited in its scope and duration.

Q: You informed your employee that telephone monitoring is conducted to ensure the quality and consistency of telephone service to customers. Therefore, you should not use the telephone records for ...

A. staff training
B. performance appraisal
C. improving customer service

The correct answer is B. Unless you have obtained the prescribed consent of your employee or there is an applicable exemption, the employee's personal data collected by monitoring measures can only be used for the purposes stated in the employee monitoring policy (e.g. enhancing the delivery of quality service to customer in this case), or for a directly related purpose.

Q: Your employee requested access to his personal data collected through employee monitoring. Your reply to his request is ...

A. No, because the record is the property of the organisation
B. Yes, because the record contains personal data of that employee
C. No, because the record is confidential

The correct answer is B. Your employee has the right to request your organisation as the data user to confirm whether you hold his personal data and to request a copy of any of such data. You are required to provide the employee with a copy of such data or inform the employee by writing of the reasons for refusal no later than 40 days after receiving the request.

Extended Reading: 

Privacy Guidelines: Monitoring and Personal Data Privacy at Work

Data Protection Principle 3 – A school provided students' personal data to an online tool services provider for creating service accounts for students without notifying the parents

The Complaint 
The complainant's daughter was a primary school student. Without notifying the parents, the school provided its students' names, classes and class numbers to the contractor of its online tool for creating user accounts, which were used by students for logging into services provided by the tool such as email, cloud disk and learning applications. Student number and date of birth were used as default log-in name and password respectively. The complainant was worried that the school might keep track of students’ account usage, and that the terms of conditions to be accepted upon logging in might be incomprehensible to primary students. The complainant therefore complained to the PCPD on behalf of her daughter.

Privacy Commissioner's views on the matter

The school stated that although it had control over students' accounts and might decide on the services used by students according to teaching needs, it was unable to review students' account activities. Besides, the school explained that naming service accounts by student name, class and student number could facilitate identification of users by teachers. The setting of date of birth as default password was also done on purpose for easy recall by students. The school stressed that it had required the students to change their account password upon the first log-in.

When parents provided their children's personal data to the school, they were not informed that the data would be transferred to the contractor of its online tool. In the circumstances, parents' concern about possible misuse of their children's personal data was understandable.

After the PCPD explained the relevant requirements under the Ordinance to the school, the school undertook that it would use other combinations of characters to create user account for students. For the existing accounts, parents might choose whether they would keep using them or not. Besides, the school would develop a policy on usage of the online tool, define the purposes of account creation, and publicise account safety and the school’s right to manage the accounts, to alleviate parents’ concern.

The school’s practice in question was well-intended, and was in line with the latest trend of facilitating learning with technology. However, the school had not thoroughly considered the personal data privacy expectation of parents and students, nor informed them of the relevant arrangements in advance. Parents would inevitably be surprised and worried when they learnt of such use of students’ personal data. We are glad that the school responded timely with the above improvement initiatives to regain the parents’ trust.

Tips on Search Engines

Change your SafeSearch settings to block vulgar content from being displayed in search results and protect yourself from phishing websites.


Doing Business Online

How to make sure your organisation complies with the Data Protection Principles of the Personal Data (Privacy) Ordinance while doing business online?


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.